[This was originally published on RiskBasedSecurity.com.]
On February 22, Will Dormann tweeted that the main CERT Coordination Center (CERT/CC) website (www.cert.org) had been shuttered. Upon checking ourselves we found the website now redirecting to the Software Engineering Institute at Carnegie Mellon, the parent group of CERT. As a 14-year veteran at CERT/CC, Dormann understandably had some feelings about the situation.
When we further asked if there was a press release from CERT/CC, Carnegie Mellon, or DHS on this change, Dormann replied that there was none. Days later, there are still no apparent press releases or even news articles covering this event. After publishing this blog, someone from the SEI contacted us saying that there had been banners on both SEI and CERT linking to an article saying there were changes coming. While that is true, day-to-day use of the CERT KB site gave no indication of the changes that we noticed, nor did any mainstream news article, social media chatter, or general word-of-mouth.
We were immediately curious if the CERT Vulnerability Notes Database would continue to operate, which Dormann confirmed that it would be. He went on to say that the site was apparently “deemed to be unnecessary” and expressed that he suspects the next phases would include that the “World forgets that CERT is a thing” and then “profit”. For those not familiar with CERT/CC, or who perhaps forgot the legacy they represent, the organization is a non-profit founded in 1988 under DARPA’s direction to help respond to the Morris worm incident. It was the first of such organizations designed to offer help in responding to computer security incidents. Over the years they have provided a wide variety of help to countless organizations that found themselves victim to computer crime. Almost three years later, CERT/CC created their own domain that acted as a clearinghouse for early incident response information.
Their initial website was simple and to the point. It remained that way for years as seen on a 1997 copy captured by the Internet Archive. Over the years it evolved into a bigger variety of offerings including news, a vulnerability database of sorts, security podcasts, training and more. CERT/CC is part of the CMU Software Engineering Institute, which receives money from the DHS as well as Hanscom Air Force Base to the tune of 1.7 billion US Dollars a year per a 2015 Freedom of Information Act (FOIA) request. It will be curious to see what becomes of the CERT/CC organization as a whole. After publishing this blog, SEI reached out to clarify that “the SEI receives $1.7 billion per year from DHS and Hanscom AFB. The contract you cite in the article is with the DoD and administered by Hanscom. The contract is for five years with a possible extension for five additional years. The $1.7 billion figure is the total value of contract plus extension (i.e. 10 years), not an annual amount.”
While the standalone CERT/CC website has vanished with very little warning to many of us, their Vulnerability Notes Database remains up for now. While it by no means is intended to be a comprehensive database, it remains a steady source of major vulnerability disclosures that some organizations coordinate through CERT/CC. For now, removing the CERT/CC website appears to be as simple as a consolidating web presence effort with most of the content copied over, yet many are still pondering the question of what will come next for the organization?
As we saw with the recent government shutdown and the National Vulnerability Database (NVD) not processing vulnerabilities, there is a potential that organizations relying on such government-funded databases, will no longer have a reliable source of vulnerability intelligence. We believe that the biggest concern is ensuring that the Vulnerability Reporting Form remains available and that CERT/CC has the resources necessary to assist with coordinating the disclosure of vulnerabilities having widespread impact across multiple vendors. If you are feeling a bit of nostalgia and want to visit the most recent version of the site before being redirected, you can still see some of the content using the Wayback Machine.
March 6 Update: Richard Lynch, a PR manager with the Software Engineering Institute at Carnegie Mellon, contacted us shortly after this blog ran. Yesterday we updated the blog to reflect some of his feedback and today we wanted to share his full feedback:
Hello. I am the PR manager for the Software Engineering Institute. I was just made aware of your non-bylined article at https://www.riskbasedsecurity.com/2018/02/rip-cert-org-you-will-be-missed/ titled “RIP CERT.org.” Your article contains some serious errors, and I would appreciate it if you would make corrections. First regarding your statement that the SEI receives $1.7 billion per year from DHS and Hanscom AFB. The contract you cite in the article is with the DoD and administered by Hanscom. The contract is for five years with a possible extension for five additional years. The $1.7 billion figure is the total value of contract plus extension (i.e. 10 years), not an annual amount. Second, you state that the site vanished with no warning and that there were no press releases or even news articles. However, on January 25, about a month before the new website launch, we announced the upcoming change through a news article on both the SEI and CERT websites. The article was accompanied by banner announcements on both sites for a month prior to the change over.