Rants of a deranged squirrel.

CVE: The Big Vote of No Confidence

I move for a vote of no confidence


Yesterday, Matt Hartman, CISA Acting Executive Assistant Director for Cybersecurity, issued a statement on the CVE program. Trying to summarize the last several days and what happened is tricky, but you can read my LinkedIn posts as well as countless news articles and folks talking about it.

The super tl;dr is that on April 15, a letter was sent from MITRE to the CVE Board saying that the next day the “contracting pathway for MITRE to .. operate .. CVE .. will expire”. The statement wasn’t made publicly; that letter was leaked. The next day, several organizations stepped up to fill the perceived gap, including The CVE Foundation. The next morning, CISA announced they would fund CVE, “saving the day”, as described by many. There’s obviously more to the story but those are the germane points.

Understandably there was, and is, still a lot of uncertainty and outright doubt about the future of the CVE program. There is already a fair amount of commentary on LinkedIn, as well as blogs from Jen Easterly, Josh Bressers, the OpenSSF, and the newly created CVE Foundation. I haven’t had time to read them all, but based on a few-second skim of each, they are worth mentioning here. The bulk of my notes on this topic were taken yesterday, with plans to publish this last night.

Matt Hartman’s Statement – The Rebuttal

Let’s start by breaking down Mr. Hartman’s open letter. Predictably, I am not pulling any punches.

As the nation’s cyber defense agency, it is a foundational priority for CISA. Recent public reporting inaccurately implied the program was at risk due to a lack of funding. To set the record straight, there was no funding issue, but rather a contract administration issue that was resolved prior to a contract lapse. There has been no interruption to the CVE program and CISA is fully committed to sustaining and improving this critical cyber infrastructure.

First, many of us think there was a funding issue and this letter does not change our minds. The letter from MITRE to the CVE Board, which was not made public by MITRE themselves, created doubt in the system. While it did not use the words “funding issue”, rather “contracting pathway”, who cares? That is semantics. In the final hours, MITRE felt the need to warn the board (again, not the public?!) that the program may stop operating within 24 hours. They qualify that IF a “break in service were to occur”, a list of things would happen, eroding the CVE ecosystem further. That created panic.

When MITRE feels the need to warn the board like that, the pedantic wording doesn’t matter. If this program was as important as said, why did it even get to this point? Who dropped the ball? If there was no risk then that announcement would have looked very different or not been made at all. They put the fear of $deity into hundreds of thousands of people as a result. Now saying there was ‘no risk’ is more semantics, because we have prior proof we cannot trust Mr. Hartman’s word. It sincerely comes across that CISA was using the funding as some power play or bargaining chip, holding the funding back until the last second when they could step in to save the day. We are to believe that CISA, part of our government which moves slower than the speed of business, could fix this in less than 24 hours, but couldn’t figure it out for the months leading up to it?

Second, I’m not sure if Mr. Hartman is playing the semantics game again, or if he doesn’t understand how “CVE” works as a whole. Saying that there “has been no interruption to the CVE program” is absurd. The interruption began late 2023 or early 2024, and beginning around February 2024 many people noticed that the NVD backlog was growing. What many are already forgetting is that at VulnCon 2024, we learned that NVD had been funded by CISA and that funding had halted abruptly due to a “contract administration issue” (as more than one of us remembers). Tanya Brewer did not go into a lot of detail; that was a surprise to many of us at the time. I’d love to provide a better quote but conveniently FIRST never posted that talk and NVD never issued a comprehensive statement.

If you doubt any of this, read Josh Bressers’ blog and specifically take note of what he points out regarding the contract. If this entire situation was “saved” by exercising a contract option for money that had already been approved a year prior, this means the contract was pre-approved to run one more year if needed, without requesting more money. MITRE certainly wasn’t able to trigger that extension or they would have. So this really does seem to be a CISA-generated problem from start to finish.

CISA is proud to be the sponsor for the CVE program, a role we have held for decades. During this time, the CVE Program has gone through many evolutions, and this opportunity is no exception. MITRE, CISA, and the CVE Board have transformed this program into a federated capability with 453 CVE Numbering Authorities (CNAs). This growth has enabled faster and more distributed CVE identification, providing valuable vulnerability information to the public and enabling defenders to take quick action to protect themselves.

A bit pedantic, but CISA has not been around for decades. If Mr. Hartman means the broader Department of Homeland Security then sure, that statement holds. Next, CVE itself has not gone through many evolutions unless he means in funding or support from the agency. The CVE program had been largely static until they moved to their “federated” model, which also wasn’t new, just an expansion of it. That was done in response to Congressional scrutiny, not because DHS, CISA, or MITRE explicitly wanted it to evolve. As I have previously pointed out, the raw number of CNAs does not mean anything, as many are inactive and MITRE is actively minting CNAs that produce no new CVE IDs.

We have historically been and remain very open to reevaluating the strategy to support the continued efficacy and value of the program.

I will vehemently disagree with this statement. During the ten years I was on the board, I often felt like the only one pushing for improvements and evolution. Almost every single time I was met with threats to remove me from the board, complaints about my ‘tone’ (many valid!), and no evolution to be seen. When I tried to use a newly created CNA mail list to coordinate a multi-vendor disclosure that had a lot of confusion at the time, I was told not to use the list for that purpose and that some vendors “felt called out”. Good. I gave them an opportunity to discuss and contribute to help figure out that multi-vendor issue in a non-public setting and tried to spark the partnership needed to help the community. That’s not on MITRE’s agenda apparently.

The CVE ecosystem is very clearly not efficient and the value has become questionable. The process is split between three entities (MITRE, DHS, NIST), and we’ve seen the NVD come to a near standstill with over 33,000 vulnerabilities unanalyzed. All the promises we got from Tanya Brewer in 2024 did not manifest. Her talk at VulnCon 2025 earlier this year gave little information and no assurances that anyone there could fix the problem. She either requested a 30-minute speaking slot or FIRST only gave her that much, when everyone knew very well there would be a lot of questions. Ultimately only two or three questions were asked.

With all of that in mind, CISA shouldn’t be “open” to reevaluating this program. They should be demanding reevaluation and making changes. As I have said many times, the amount of funding that MITRE and NVD receive to fail so badly is pure waste, at the taxpayer’s expense. I know this to be a fact because VulnDB can stay on top of all of it, providing more metadata, more CVSS, and do it in a pretty timely fashion while also covering vulnerabilities without a CVE ID. So Mr. Hartman, you truly want to be open? Let’s talk. I will give you the roadmap to fix this because I helped create it already. If we can do it for a tenth of the cost the government is spending, you should be able to. Otherwise, MITRE and CISA are simply not qualified to run the program.

The Original CISA Statement

Now, let’s jump back a few days to the original CISA statement on April 16, all three sentences of it, and observe.

The CVE Program is invaluable to the cyber community and a priority of CISA. On April 15th, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.

This statement alone created more uncertainty and doubt, largely due to the terse nature of it. Again, if this contract and support was never in jeopardy, why did it require a last-hour stay of execution in CISA “executing the option period”? The “option period” means the next 11 months, and it doesn’t jibe with any of their statements that attempt to speak to long-term support and commitment. As many are now rightfully saying, companies need to plan for the worst in 11 months and assume there will be another shake-up. I have already made my prediction that CISA may use this as a power grab because the CVE landscape, and more importantly CISA’s role in it, has changed considerably in recent years.

If you question my accusation of semantics, let’s consider what Jonathan Greig reported on April 16.

Federal contract documents show that CISA’s $57.8 million contract with MITRE expired on Wednesday but had an option to continue until March 16, 2026. CISA confirmed that the extension was for 11 months but did not respond to questions about what will happen after that date.

The bold emphasis is my own but something that needs to be loud and clear here. If CISA will not commit to answering that simple, direct question, then they simply are not committed to CVE right now. If they were, the answer would be, at minimum, fluffy government language about “making every effort” or “doing everything in our power” to fund CVE long-term. Wording that does not hold them to an absolute, but at least gives us more confidence than what we have been given.

The CVE Foundation Comments

Next, what did the CVE Foundation have to say about this?

We stand in alignment with CISA and this commitment to working together to ensure a resilient, trusted, and innovative CVE Program, which has a 25-year legacy of bringing some order to the chaos of cyber-security vulnerabilities. The model of successfully transferring initiatives from the U.S. government to a publicly managed service or program has countless examples: DARPA turning the ARPANET into the Internet, IANA managing protocol assignments, and ICANN managing Internet names and addresses, which all started with the government being the single source of funding.

So they are ‘aligned’, but I doubt CISA is aligned with their goal. The examples they provide in transferring initiatives from the government to publicly managed services aren’t the best to cite either. First, I don’t think DARPA “turned” the ARPANET into the Internet intentionally; I think the latter evolved out of the former and happened regardless of DARPA’s direction. Second, if you want to invoke the Internet Assigned Numbers Authority (IANA), then you must also acknowledge a long history of problems with IANA and their management. Third, IANA was directly part of ICANN until 2016 and is still affiliated with them in a different capacity, and prior mention of problems certainly rolls into this as well.

The CVE Foundation Drama

Overall, to me the CVE Foundation’s letter is not compelling just like CISA’s isn’t. I’ll also use this as a springboard to highlight something Jen Easterly, former CISA Director, said in regards to the CVE foundation.

Because…while sitting on the governing board of one of the most critical cybersecurity programs in the world, some members were ostensibly working in secret to build a separate organization to assume control of that very program. And they didn’t resign while doing so given the obvious conflict of interest. They didn’t announce it publicly or disclose the effort to their fellow board members.

There is some amusing and disgusting history here that very few know about, including most of the current CVE Board. I have not blogged about some of that drama and won’t spill the whole story here but I will give enough to make you question MITRE’s role in this. I will encourage anyone on the CVE Board (past or present) or MITRE to post their own explanation of this hypocrisy if they would like.

Why did Carsten Eiram and I both get kicked off the CVE Board at the same time, for the same reason, while the seven people who have signed their names to the CVE Foundation have not? Those seven have done exactly what MITRE accused Carsten and myself of doing, which was brought to the board in an extremely misleading and duplicitous manner in my opinion, yet no action has been taken against these individuals.

This puts MITRE in a Knight’s fork of sorts, as they will have to admit either that the action taken against Carsten or myself was unfair, or that there is pure hypocrisy at play here. If Carsten’s and my removal was justified, then those seven need to go for the exact same reason as presented for our removal.

Sincerely, and honestly, I don’t care if they stay or go. I only care about pointing out MITRE’s blatant hypocrisy, deceiving the board at the time, and general unethical way of running the CVE program. Again, in my opinion, as someone who was there for those ten years, and as someone who knows a lot of backstory about the actual reason why our names were put up for removal. If MITRE, or a board member, would like to open up that CVE Board email asking for the vote on our removal that includes the reason (not the votes, but I will tell you all but one person voted for removal), which was not made public and of course without Carsten’s or my involvement, they could answer some of these questions and try to prove me wrong… if they want. I don’t think they will, because I think they have something to hide.

The Vote of No Confidence

So where are we today? Let’s try to quickly recap and, based on that, I will ask you a hypothetical question:

If your Internet service provider largely stopped working for a year, some of the ISP admins secretly planned to do something that would destabilize the situation, the ISP financial backers created a funding crisis, and meanwhile the ISP crawled to a near standstill… would you stick with them?

You likely just said “no” without hesitation, but here you are, sticking with CVE.
