CISA Weekly Bulletins FOIA Results

Did you know that CISA publishes a weekly bulletin of “new vulnerabilities”, and has for a long time? They tend to list anywhere from 350 to almost 1,000 vulnerabilities, depending on the volume of CVEs published that week. The bulletins are keyed entirely to when a CVE ID is published, not to when the disclosure actually happened (CVE itself does not track or map disclosure dates either). I was curious about these because they don’t really seem to be helpful, in my mind, to just about anyone. If any organization is using these for vulnerability intelligence, they are likely already compromised. If anyone, including a CISO, wants a vulnerability summary, it’s difficult to imagine this would be it.

Since the list is essentially “any CVEs published the prior week”, it is a grab-bag of critical vulnerabilities mixed with absolute garbage disclosures that would never impact the reader. Since the bulletins are quite sizable, it’s hard to believe anyone actually reads or even skims them. Take November 18, 2024 as an example, which tracks to 1,268 vulnerabilities in VulnDB. Note that this doesn’t mean there were that many CVE IDs, since databases abstract differently, but you hopefully get the idea of just how many issues this represents.
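To make concrete what “any CVEs published the prior week” amounts to, here is an added example (my own illustration, not CISA’s code and not anything from the original post) of a bulletin generator in the same shape as the CISA bulletin: it takes an NVD 2.0 API style feed (the `vulnerabilities[].cve.{id,published,descriptions,metrics}` layout is assumed), keeps only records whose CVE *published* date falls in the seven days before the bulletin date, and sorts them into the High / Medium / Low / Severity Not Yet Assigned buckets by CVSS base score. The six records are constructed sample data with deliberately invalid placeholder IDs, not real CVEs, and the one-week window ending the day before the bulletin is an assumption about how such a bulletin would be scoped.

```python
"""Minimal weekly vulnerability bulletin generator (added example, constructed data).

Selection is by CVE *published* date only, which is exactly why a bulletin built
this way mixes critical issues with noise: nothing here knows when the underlying
disclosure happened, only when the CVE record appeared.
"""
from datetime import date, timedelta

# Metric keys as used by the NVD 2.0 CVE API, in order of preference (assumed).
METRIC_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")
BUCKETS = ("High", "Medium", "Low", "Severity Not Yet Assigned")

# Constructed sample feed. "CVE-0000-000N" is not a valid CVE ID on purpose.
SAMPLE_FEED = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "published": "2024-11-12T14:15:00.000",
             "descriptions": [{"lang": "en", "value": "Unauthenticated RCE in an edge appliance (constructed)."}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]}}},
    {"cve": {"id": "CVE-0000-0002", "published": "2024-11-14T09:00:00.000",
             "descriptions": [{"lang": "en", "value": "Reflected XSS in an admin page (constructed)."}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3}}],
                         "cvssMetricV2": [{"cvssData": {"baseScore": 5.0}}]}}},
    {"cve": {"id": "CVE-0000-0003", "published": "2024-11-17T23:59:00.000",
             "descriptions": [{"lang": "en", "value": "Local info leak in a desktop widget (constructed)."}],
             "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 2.1}}]}}},
    {"cve": {"id": "CVE-0000-0004", "published": "2024-11-15T11:30:00.000",
             "descriptions": [{"lang": "en", "value": "Awaiting analysis (constructed)."}],
             "metrics": {}}},
    {"cve": {"id": "CVE-0000-0005", "published": "2024-11-18T00:01:00.000",  # bulletin day: out of window
             "descriptions": [{"lang": "en", "value": "Auth bypass, published after the cutoff (constructed)."}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.1}}]}}},
    {"cve": {"id": "CVE-0000-0006", "published": "2024-11-10T12:00:00.000",  # day before window
             "descriptions": [{"lang": "en", "value": "Old record, published before the window (constructed)."}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5}}]}}},
]}


def base_score(cve):
    """Return the first available CVSS base score (v4.0, v3.1, v3.0, then v2), or None."""
    metrics = cve.get("metrics") or {}
    for key in METRIC_KEYS:
        entries = metrics.get(key)
        if entries:
            return float(entries[0]["cvssData"]["baseScore"])
    return None


def bucket(score):
    """CISA-style severity buckets: 7.0-10.0 High, 4.0-6.9 Medium, 0.0-3.9 Low."""
    if score is None:
        return "Severity Not Yet Assigned"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def published_on(cve):
    # NVD timestamps look like 2024-11-12T14:15:00.000; only the date part matters here.
    return date.fromisoformat(cve["published"][:10])


def build_bulletin(feed, bulletin_date):
    """Select CVEs published in the 7 days before bulletin_date (inclusive window) and bucket them."""
    end = bulletin_date - timedelta(days=1)
    start = end - timedelta(days=6)
    buckets = {name: [] for name in BUCKETS}
    for item in feed["vulnerabilities"]:
        cve = item["cve"]
        if not (start <= published_on(cve) <= end):
            continue  # published outside the window: not in this week's bulletin
        score = base_score(cve)
        desc = next((d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"), "")
        buckets[bucket(score)].append((cve["id"], score, desc))
    for rows in buckets.values():
        rows.sort(key=lambda r: (-(r[1] or 0.0), r[0]))  # highest score first, then ID
    return start, end, buckets


def render(feed, bulletin_date):
    """Plain-text bulletin: one section per severity bucket, tab-separated rows."""
    start, end, buckets = build_bulletin(feed, bulletin_date)
    total = sum(len(rows) for rows in buckets.values())
    lines = [f"Vulnerability Summary for the Week of {start.isoformat()} to {end.isoformat()}",
             f"Total entries: {total}", ""]
    for name in BUCKETS:
        rows = buckets[name]
        lines.append(f"== {name} ({len(rows)}) ==")
        for cve_id, score, desc in rows:
            lines.append(f"{cve_id}\t{'n/a' if score is None else score}\t{desc}")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_FEED, date(2024, 11, 18)))
```

The whole pipeline is a date filter plus a score lookup; swapping the constructed feed for a real NVD API response would be the only change needed to produce a full weekly bulletin, which is the point: there is no analysis step at which an irrelevant record could be dropped or a critical one flagged.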

I was curious how much money was actually used to generate these bulletins, as they are almost certainly automatically generated (at least, I hope so!). Since this is almost certainly a small piece of a bigger team’s work, asking for the team budget wouldn’t answer the question. So I phrased my FOIA request for this information accordingly:

The amount of money allocated by Department of Homeland Security (DHS) / Cybersecurity & Infrastructure Security Agency (CISA) to fund the generation and publication of the National Cyber Awareness System Bulletins (reference: https://us-cert.cisa.gov/ncas/bulletins) for the 2023 calendar year. This includes personnel, materials, computers, hours required, and applicable expenditures related to the publication of the “SB” bulletins, and only those bulletins. If it is easier to determine the cost to generate a single weekly bulletin (e.g. https://us-cert.cisa.gov/ncas/bulletins/sb21-046) then I can extrapolate a rough cost for the year and that is acceptable.

You can read the entire response in the MuckRock FOIA request linked above, but the relevant reply is here:

A search of the CISA Cybersecurity Division (CSD) for records produced the following information: The “National Cyber Awareness System Bulletins” referenced in the request are now known as the “CISA Vulnerability Bulletin.” In 2023, the weekly cost for producing the bulletin was roughly $412.00; the annual cost was roughly $21,450.00.

That is something of a relief! I honestly feared the response would be in the thousands per week, with a significant yearly budget. Granted, I think $412 a week is still pretty high given what it is and how it could be automated 100%. Anyway, the real question I have for my readers is: does anyone actually use these bulletins for any reason? I’d love to hear if you or someone you know does.

Discover more from Rants of a deranged squirrel.