FOR IMMEDIATE RELEASE
April 16, 2025
CVE Foundation Launched to Secure the Future of the CVE Program
[Bremerton, Washington] – The CVE Foundation has been formally established to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program, a
Yeah, but that’s sort of the point I was making… it was a data repository used by “thousands and thousands” of security professionals and organizations. So people who were generating revenue off of the service. I mean, they’re professionals, not hobbyists / home users.
I’m not an American, but in terms of everything running like a company/for profit, I’d say that its best if things are sustainable / able to self-maintain. If the US cutting funding means this program can’t survive, that’s an issue. If it has value to a larger community, the larger community should be able to fund its operation. There’s clearly a cost to maintaining the program, and there are clearly people who haven’t contributed to paying that cost.
In terms of going back to whatever, the foundation involved is likely to sort out alternative funding, though potentially with decreased functionality (it sounds like they had agreements to pay for secondary vulnerability report reviews, which will likely need to get scaled back). Maybe they’ll need to add in a fee for frequent feed pulls, or something similar. I wouldn’t say it’s completely toast or anythin just yet.
Idk about Tenable specifically, but a lot of the major security vendors have their own pool of security researchers who very frequently contribute to CVE. Mostly from finding vulns in their own product, but a lot of those vulns are due to upstream libraries.
If it has value to a larger community, the larger community should be able to fund its operation.
Up until very recently it seemed perfectly reasonable to fund this sort of thing with taxes, because it benefits everyone even if they’re not directly using the database. An open source developer probably isn’t going to pay to look up vulnerabilities in the open source dependencies they use, so the database being free makes software more secure on average.
What is wrong with having free public services? If someone is abusing it, block them, or charge fees like a library.
Sure, though that’s part of the problem that the States is whining about. US taxes paid for the service, which lots of other nations/foreign companies used.
Things like Libraries require taxes to operate. You’d likely be annoyed if you were struggling, and then found out your gov was using your taxes to pay for a bunch of foreign countries to have libraries. And then you find out that those foreigners are able to use those libraries to make good money, which they don’t use to support their libraries, cause the States is already covering it. So you’re paying taxes, and struggling to do so, so that EU companies can reap profits and live comfy.
And yes, charge a fee. That’s basically what I’ve said, no? That there’s a value add, and that there are ‘professionals’/companies using it who aren’t paying for that value add. So something like a fee for frequent pulls against the vuln feeds, to replace whatever funding the US gov was giving, would make sense to me. though I suppose this has now been kicked down the road till next year.
The US specifically does spend tax money on foreign aid (or at least they used to). I have no problem with that. If you’re struggling to get by, then you should be paying effectively no taxes. If that’s not the case, then we should be fixing that, not cutting funding to things that make the world better.
As for the fee suggestion, a library does not charge for entry or for every book. There is a “free tier” that everyone can use as long as you return the books on time. You only charge the people making too many requests to make sure the service stays available to everyone.
Yeah, but that’s sort of the point I was making… it was a data repository used by “thousands and thousands” of security professionals and organizations. So people who were generating revenue off of the service. I mean, they’re professionals, not hobbyists / home users.
I’m not an American, but in terms of everything running like a company/for profit, I’d say that its best if things are sustainable / able to self-maintain. If the US cutting funding means this program can’t survive, that’s an issue. If it has value to a larger community, the larger community should be able to fund its operation. There’s clearly a cost to maintaining the program, and there are clearly people who haven’t contributed to paying that cost.
In terms of going back to whatever, the foundation involved is likely to sort out alternative funding, though potentially with decreased functionality (it sounds like they had agreements to pay for secondary vulnerability report reviews, which will likely need to get scaled back). Maybe they’ll need to add in a fee for frequent feed pulls, or something similar. I wouldn’t say it’s completely toast or anythin just yet.
Idk about Tenable specifically, but a lot of the major security vendors have their own pool of security researchers who very frequently contribute to CVE. Mostly from finding vulns in their own product, but a lot of those vulns are due to upstream libraries.
Up until very recently it seemed perfectly reasonable to fund this sort of thing with taxes, because it benefits everyone even if they’re not directly using the database. An open source developer probably isn’t going to pay to look up vulnerabilities in the open source dependencies they use, so the database being free makes software more secure on average.
What is wrong with having free public services? If someone is abusing it, block them, or charge fees like a library.
Sure, though that’s part of the problem that the States is whining about. US taxes paid for the service, which lots of other nations/foreign companies used.
Things like Libraries require taxes to operate. You’d likely be annoyed if you were struggling, and then found out your gov was using your taxes to pay for a bunch of foreign countries to have libraries. And then you find out that those foreigners are able to use those libraries to make good money, which they don’t use to support their libraries, cause the States is already covering it. So you’re paying taxes, and struggling to do so, so that EU companies can reap profits and live comfy.
And yes, charge a fee. That’s basically what I’ve said, no? That there’s a value add, and that there are ‘professionals’/companies using it who aren’t paying for that value add. So something like a fee for frequent pulls against the vuln feeds, to replace whatever funding the US gov was giving, would make sense to me. though I suppose this has now been kicked down the road till next year.
The US specifically does spend tax money on foreign aid (or at least they used to). I have no problem with that. If you’re struggling to get by, then you should be paying effectively no taxes. If that’s not the case, then we should be fixing that, not cutting funding to things that make the world better.
As for the fee suggestion, a library does not charge for entry or for every book. There is a “free tier” that everyone can use as long as you return the books on time. You only charge the people making too many requests to make sure the service stays available to everyone.