This is a weird headline, because CISA did in fact end up funding NVD.
I wish people cared less about this particular issue, though, because we'd do fine with a non-government-sponsored CVE.
Yeah, this was going to happen regardless of the US.
> The European Union Agency for Cybersecurity (ENISA) first announced the project in June 2024 under a mandate from the EU's Network and Information Security 2 Directive, and quietly rolled out a limited-access beta version last month during a period of uncertainty surrounding the United States' Common Vulnerabilities and Exposures (CVE) program.
Quite so. I would love to see an open-sourced CVE database. It is for the public; it should be by the public.
What do you mean? A government service is a public service, by any conventional use of the term. Public/private is orthogonal to open source.
Community-maintained might be a better phrasing.
There's no particular reason a vulnerability database needs to be government-sponsored, and some compelling reasons why it shouldn't be "owned" by one government or another (one being guaranteed continuity even during seasons of change).
Well it certainly did falter (but not cease) due to incompetent leadership and guidance. We are seeing it throughout the government because the primary goal of this administration is to dismantle so that it can be reformed for their benefit.
It's more of a "break fast and move things" approach.
Nothing broke beyond perception. It’s still operating roughly as before, right?
Yes, but who in industry is going to expect it to be there in the future given what the current administration is doing?
MITRE could just take the existing database and pass a hat around to industry and keep the current program going.
This is from a 2022 EU directive, well before recent US government actions; it's been in development for quite some time.
TFA doesn't hide or sensationalise that; it makes the point that it's timely.
The EU Cyber Resilience Act, which is now in effect (but not fully enforced until 2027/2028), has additional details and also includes a reporting requirement (articles 14, 15, and 16).
>>>and quietly rolled out a limited-access beta version last month during a period of uncertainty surrounding the United States' Common Vulnerabilities and Exposures (CVE) program.
You mean the 24-hour period where people freaked out and assumed things that weren't true? The renewal came down to the wire just like most do during negotiations...MITRE tossed the news out there to stir up concerns, but it was all just sensationalized. A "funding lapse" is not the same as "contract not renewed yet"...
"This comes after the Feds decided not to renew their long-standing contract with nonprofit research hub MITRE to operate the CVE database." [1]
Doesn't seem like an untrue assumption. Feds decided not to renew the contract, people got upset, and later the feds decided to renew the contract the night it would expire [1].
This is like saying Y2K is a nothingburger because people updated the code to handle more than 2-digit years. It was the people getting upset that triggered a preventative measure, preventing the problem. It's just the Superman movie [2]: if the kid had just listened to Clark Kent, then Superman would never have been necessary.
[1]: https://www.theregister.com/2025/04/16/cve_program_funding_s...
[2]: https://youtu.be/-ikd_hRnVR4?t=69
Review Peter Allor's comments...struggles over who pays and who should be the long-term controller of this program were what led to the push right up to the last minute. As usual in government, if you don't push hard enough nothing will change...and I still see nothing from CISA regarding their views on what happened...all we see is conjecture from MITRE and joy because they got their $$$.
It's sad to see the US being dismantled from within.
I’m very torn. Obviously USAID, NSF and academia in general do valuable things. But when organizations get hijacked and used as a slush fund to fund naked ideological activities and organizations barely related to the original purpose, I’m not surprised when the eventual response is to just hack and slash. I wish it was done more thoughtfully and carefully, but that doesn’t appear to be a choice. Just a choice of funding hostile NGOs and academics who endorse discrimination in education, employment, health care and even law nowadays or the current mess. It all sucks and I don’t have any solutions other than focusing on my career and family.
> But when organizations get hijacked
I haven't seen any reasonable evidence on this. I'm not saying that evidence doesn't exist; it's just that everything I've heard so far has been debunked. The current administration has been shown to lie and exaggerate over and over to justify these actions, so I don't know why anyone would assume they're telling the truth about this.
I'm out of the loop, can you give some context as to what you're talking about? What were they funding?
Is it though? Pass the popcorn.
For most sane people, yes.
If European leaders were quick on their feet and smart, they would be dialing up the "brain-draining" of the US to 11.
What would that look like? I imagine most Europeans don’t want to recreate the United States and its personality in their countries, for example.
And many countries already have relatively easy visa processes for skilled workers, which would be what these scientists, developers, etc are.
Importing a bunch of scientists wouldn't 'recreate the US'. A decent number of the scientists are probably not originally from the US anyway.
It'd involve spending money to sponsor research and clear a path for people to come over. Make it really easy.
The brains are not the problem in this scenario.
Fast-tracked citizenship.
They kinda did already:
https://arstechnica.com/science/2025/05/europe-launches-prog...
Not a massive program, but it shows there is intent.
"Register readers — especially those tasked with vulnerability management — will recall that the US government's funding for the CVE program was set to expire in April until the US Cybersecurity and Infrastructure Security Agency, aka CISA, swooped in at the 11th hour and renewed the contract with MITRE to operate the initiative."
https://en.wikipedia.org/wiki/Washington_Monument_syndrome