
Global master list of software bugs dodges DOGE axe

By Binayak Dasgupta, New Delhi
Apr 17, 2025 02:12 AM IST

Last-minute funding renewal saves the CVE database, crucial for global cybersecurity, from potential shutdown amid severe US government cuts.

The radical funding cuts unleashed by the US administration nearly jeopardised a critical global database of computer code bugs on Wednesday, before a last-minute reprieve that experts say averted what would have been a major blow to global cybersecurity efforts.


The Common Vulnerabilities and Exposures (CVE) database is the digital equivalent of an international disease registry but for computer software vulnerabilities. On Tuesday, a leaked internal letter to the board of MITRE Corporation, which manages the database, warned it was at risk of halting operations as the administration had not renewed the annual contract. Over the next 24 hours, the cybersecurity community and tech industry braced for a worst-case scenario until an eleventh-hour announcement that funding was renewed.

Late on Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA), the federal agency responsible for improving cybersecurity across all levels of government and critical infrastructure, said in an email to HT that the CVE program “was invaluable” and there would be no interruption. “Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience,” an agency spokesperson stated in the email.

A person aware of the matter, who asked not to be named, added the renewal is for 11 months.

The database has been managed by the MITRE Corporation since its inception 25 years ago under contract with the Department of Homeland Security (DHS). It catalogues flaws in software from virtually all major vendors, collating what are known as “bug reports” from individual researchers, threat intelligence firms and the developers themselves. Its bulletins are routinely relied upon by government agencies, including India’s Computer Emergency Response Team (CERT-In), to issue critical advisories to private companies and government bodies.

The last-minute rescue came following widespread alarm, with experts pointing to similar chaos in other critical agencies such as the National Nuclear Security Administration, where up to 350 employees were asked to return after being abruptly laid off as part of aggressive government spending cuts.

Yosry Barsoum, the vice president and director of the Center for Securing the Homeland at MITRE, confirmed the reprieve and said “thanks to actions taken by the government”, a break in service has been avoided. “CISA identified incremental funding to keep the programs operational. We appreciate the overwhelming support for these programs that have been expressed by the global cyber community, industry, and government over the last 24 hours,” he stated in an email to HT.

The CVE system is essential to global cybersecurity operations, providing standardised identifiers that enable coordinated responses across government agencies, security vendors, and private companies worldwide.

For instance, when Apple announces it has patched a critical flaw that could let hackers access photos, or Microsoft releases an urgent update to block ransomware, they are referencing vulnerabilities catalogued in this database. It works like a universal medical coding system for software -- each security flaw gets a unique identifier (such as CVE-2016-4655, one of the flaws the infamous Pegasus spyware exploited) -- that allows companies worldwide to coordinate their responses, develop patches and protect billions of devices simultaneously.

Even a temporary disruption of its services can hamper efforts to protect critical systems from emerging threats.

Experts described the possibility of cutting MITRE’s funding as “taking off your seatbelts and turning off your headlights while driving in the dark.” “The criticality of MITRE’s work is hard to overstate. It is the most comprehensive repository of vulnerabilities by far and anyone who has anything to do with securing digital infrastructure relies on it,” said Divyam Nandrajog, lawyer and cybersecurity strategist, who added that it appeared similar to the controversy with the nuclear agency.

Nandrajog explained that the CVE database is more than a collection of information; its precision is critical. “When someone discovers a bug, how does one tell if it has not been catalogued before? How do two people know they are not looking at the same problem?” he said, adding that the loss of such a system would not just leave information in silos but also mean that if someone does fix a crucial flaw, that “information too will not spread or be capable of immediate use for lack of common understanding.”
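The two points above, that an identifier has one canonical form and that two bulletins citing the same ID are describing the same flaw, are easy to see in code. The following is an added example written for this page, not code from the article, MITRE or the CVE program: it normalises CVE IDs (the program's syntax is “CVE-”, a four-digit year, “-”, and four or more digits), pulls them out of free-text advisories, and correlates several sources by ID. CVE-2016-4655 is the identifier the article cites; CVE-2024-99999 and CVE-2024-88888 are constructed placeholders, not real entries, and the sample bulletins are made up for the example.

```python
import re
from collections import defaultdict

# Added example, not from the article or from the CVE program's own tooling.
# CVE ID syntax: "CVE-" + four-digit year + "-" + four or more digits.
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
FIRST_CVE_YEAR = 1999  # the program started in 1999; used as a sanity bound on the year field


def normalize_cve_id(raw):
    """Return the canonical upper-case form of a CVE ID, or None if the string is not one."""
    m = CVE_ID_RE.fullmatch(raw.strip())
    if m is None:
        return None
    year, seq = m.groups()
    if int(year) < FIRST_CVE_YEAR:
        return None
    return f"CVE-{year}-{seq}"


def extract_cve_ids(text):
    """All valid, canonicalised CVE IDs mentioned anywhere in a block of text (deduplicated)."""
    ids = (normalize_cve_id(m.group(0)) for m in CVE_ID_RE.finditer(text))
    return {cve for cve in ids if cve is not None}


def correlate_advisories(advisories):
    """Map each CVE ID to the sources that mention it, so two bulletins describing
    the same flaw are recognised as one problem rather than two."""
    index = defaultdict(list)
    for source, text in advisories.items():
        for cve in sorted(extract_cve_ids(text)):
            index[cve].append(source)
    return dict(index)


def not_yet_catalogued(text, catalogue):
    """IDs referenced in `text` that a local catalogue (any iterable of IDs, in any
    letter case) does not yet hold: the 'has this been catalogued before?' check."""
    known = {normalize_cve_id(c) for c in catalogue}
    return extract_cve_ids(text) - known


# Constructed sample bulletins. CVE-2016-4655 is the identifier the article cites;
# CVE-2024-99999 and CVE-2024-88888 are placeholders, not real entries.
SAMPLE_ADVISORIES = {
    "vendor-patch-notes": "This update addresses cve-2016-4655 and CVE-2024-99999.",
    "cert-advisory": "Multiple flaws reported: CVE-2016-4655, CVE-2024-88888.",
    "researcher-blog": "The kernel bug is tracked as CVE-2016-4655 (not CVE-2016-465).",
}

if __name__ == "__main__":
    for cve, sources in correlate_advisories(SAMPLE_ADVISORIES).items():
        print(cve, "->", ", ".join(sources))
    print("new to local catalogue:",
          not_yet_catalogued(SAMPLE_ADVISORIES["cert-advisory"], ["cve-2016-4655"]))
```

Note that the malformed “CVE-2016-465” in the third bulletin is rejected rather than silently matched to the real ID: a lenient matcher there would merge two different problems, which is exactly the confusion a precise identifier scheme exists to prevent.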

USAspending.gov records showed the federal contract for the CVE program, worth $44.6 million and funded primarily through the DHS, ended on April 16.

The contract troubles came amid significant funding cuts driven in part by tech tycoon Elon Musk’s DOGE, or department of government efficiency. According to an April 3 news report by Virginia Business, MITRE announced 442 layoffs in its Virginia headquarters by June after the cancellation of $28.5 million in federal contracts by DOGE.

Despite the 11-month extension, questions remain about the long-term future of the CVE program. In apparent preparation for future funding trouble, a group of CVE Board members announced the formation of a new non-profit, the CVE Foundation. Its press release describes the foundation as “a coalition of longtime, active CVE Board members” that “have spent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation.”

The press release describes the move as addressing “longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor.” However, the announcement provided no specific timeline for when the foundation would be fully operational or how it would be funded.

Nandrajog said there had been no concerted efforts until now to ensure such a critical service does not rely on one government for funds. “These conversations certainly make sense now. It’s not good to have all your eggs in one basket.”

“CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” said Kent Landfield, identified as an officer of the Foundation, in the statement.
