The Database That Shouldn’t Have Been Continues To Fail The Community

[This article was originally published on Dark Reading, titled “Hand CVE Over to the Private Sector”. Note that it underwent editing by the staff there. Below is my original version and this copy is titled the way I had proposed.]

Created in 1999, the Common Vulnerability Enumeration (CVE), now dubbed Common Vulnerabilities and Exposures, was meant to fill a void that was not present to begin with. It’s important to note that by the time of CVE’s launch, ISS (later acquired by IBM) had maintained a fully public vulnerability database (VDB) since August, 1997. A company I helped found, Repent Security Inc., also offered a commercial subscription to a VDB by early to mid 1998. Both are important to note because of how MITRE receives funding for projects as a federally funded research and development center (FFRDC). Moving past the funding issues that have recently haunted MITRE and the CVE Project, the question of why they don’t seem to manage the project well haunts others.

The CVE initiative was born out of a white paper titled “Towards a Common Enumeration of Vulnerabilities”, written by David Mann and Steve Christey-Coley. The gist of the paper described the need for a “common enumeration” of vulnerabilities. However, as noted in the introduction, there was already a broad-coverage public VDB that had existed for over a year prior. Before that were other efforts to catalog vulnerabilities, all of them to varying levels of completeness, but none fully complete of course. MITRE’s desire for a new VDB invokes the classic XKCD comic about standards. From their paper:

Consider the problem of naming vulnerabilities in a consistent fashion. For example, one vulnerability discovered in 1991 allowed unauthorized access to NFS file systems via guessable file handles. In the ISS X-Force Database, this vulnerability is labeled nfs-guess; in CyberCop Scanner 2.4, it is called NFS file handle guessing check; and the same vulnerability is identified (along with other vulnerabilities) in CERT Advisory CA-91.21, which is titled SunOS NFS Jumbo and fsirand Patches. In order to ensure that the same vulnerability is being referenced in each of these sources, we have to rely on our own expertise and manually correlate them by reading descriptive text, which can be vague and/or voluminous.

It’s easy to miss, but this paragraph has a fair dose of irony: they don’t themselves cross-reference it to ISS X-Force 77 specifically, nor point out that ISS links to CERT and Sun, which provides exactly the cross-reference they say is so desperately needed. This example serves a second purpose when you consider that eventually CVE-1999-0167 would be published and it only links to ISS, not CERT or Sun, the foundation of their example. When launched in September, 1999, CVE had 321 records. By that point in time there were at least 3,700 vulnerabilities. Over 26 years ago the stage was set for how MITRE would fare in the world of running a VDB.

FFRDCs like MITRE adhere to regulations set forth by the U.S. government that dictate how contracts are awarded. One advantage they have is that they often get contracts that are no-bid and non-compete, which is a break from a majority of government contracts. They do this by pitching a contract to the government that is supposed to meet certain criteria, and if accepted they get it without other businesses being able to compete for it. That is what has allowed MITRE to enjoy the CVE contract for so long, despite objectively sub-par performance.

Code of Federal Regulations Title 48, Federal Acquisition Regulations System, is one of the sets of rules that MITRE is subject to for such contracts, specifically section 35 “RESEARCH AND DEVELOPMENT CONTRACTING”. Soliciting contracts (35.007), the evaluation for award (35.008), and specifically the section on FFRDCs (35.017) have enough language to argue that the CVE contract should never have been awarded. For example:

  • 35.007(e)(5) – Pertinent novel ideas in the specific branch of science and technology involved;
  • 35.008(a) – Generally, an R&D contract should be awarded to that organization, including any educational institution, that proposes the best ideas or concepts and has the highest competence in the specific field of science or technology involved.
  • 35.017(a)(2) – An FFRDC meets some special long-term research or development need which cannot be met as effectively by existing in-house or contractor resources.
  • 35.017-3(a) – All work placed with the FFRDC must be within the purpose, mission, general scope of effort, or special competency of the FFRDC.

While I am not a lawyer or government regulation author, I would argue that a layperson’s interpretation of these points strongly suggests that CVE was not a novel idea, the creators were no more experts than anyone else at the time, and that the need for such an effort could have been obtained for free or contracted through ISS at the time.

Another provision of Title 48 is covered under section 35.017-4, “Reviewing FFRDC’s”. This requires that the contract sponsor, in this case Cybersecurity and Infrastructure Security Agency (CISA), conduct a review prior to extending the contract. Per 35.017-4(c), part of the review should include the following:

  • (2) Consideration of alternative sources to meet the sponsor’s needs.
  • (3) An assessment of the efficiency and effectiveness of the FFRDC in meeting the sponsor’s needs, including the FFRDC’s ability to maintain its objectivity, independence, quick response capability, currency in its field(s) of expertise, and familiarity with the needs of its sponsor.
  • (4) An assessment of the adequacy of the FFRDC management in ensuring a cost-effective operation.

According to the government run Defense Acquisition University, an “FFRDC’s performance of its tasks requires that a special relationship exist between the FFRDC and its sponsor.” That list largely mirrors the above but includes one more:

  1. Adaptability – ability to respond to emerging needs of their sponsors and anticipate future critical issues;

This is essentially a well-defined list of how MITRE is not properly running the CVE program and why they are coming up short, failing the world over when it comes to vulnerability intelligence. There have been many cases historically of MITRE not being perceived as objective, and the pattern continues to this day. The comment from Patrick Garrity reminds us that MITRE does not have a “quick response capability”, with researchers waiting days, weeks, months, even years to receive a CVE ID assignment. It would take a separate series of articles to cover why MITRE and the CVE team leads arguably do not have expertise in the field of vulnerability database management. I say this as someone who has managed a VDB in one form or another since 1993. Despite the topic being discussed on the CVE Board as far back as 2017, it wasn’t until 2024 that MITRE finally adopted a policy regarding assignments for cloud/SaaS vulnerabilities. That does not meet the criteria for “adaptability” and anticipating “future critical issues”.

Finally, cost-effective operation is a consideration, and one that MITRE has failed since early in the program. Between 2004 and 2005, MITRE received almost five million dollars to run the CVE program, a figure that was baffling at the time. A community-driven database at the time, OSVDB, was able to catalog far more vulnerabilities and do it for a tiny fraction of the cost. Move ahead to between 2024 and 2025, and that funding had grown to a staggering 29 million dollars. Jerry Gamblin did some math to determine that “MITRE received $664.01 for each of the 43,625 CVEs published during the contract period.”

As someone who has worked on a commercial VDB since 2011, I can assure you that a superior database can be run for a tiny fraction of that cost. Based on MITRE’s performance and CVE funding, I believe the Government Accountability Office (GAO) must ask two questions, “Is MITRE meeting the requirements of being an FFRDC running a vulnerability database?” and “Is an FFRDC even required in 2026 when there are higher performing commercial / contracted alternatives?” The GAO is the agency tasked with investigating “fraud, waste, abuse and mismanagement” after all.
