In response to MITRE’s announcement that it will take the CVE database (namely, Common Vulnerabilities and Exposures) offline due to the termination of financial support from the US government, eco Board Member Klaus Landefeld says: “From our point of view, it is very regrettable that the US government is abruptly cancelling funding for MITRE’s CVE project. The CVE is an important cornerstone for the security of software and products that companies around the world rely on.”
The eco – Association of the Internet Industry therefore supports rescue initiatives such as the CVE Foundation, which has brought forward its long-planned establishment and intends to operate independently of government funding in the future. Landefeld emphasises that the uninterrupted safeguarding of the CVE system is of inestimable importance for the information security of eco’s member companies. “We hope that the transition phase will be as short as possible and free of major incidents, and that the US authorities will liaise closely with MITRE on the design of this transition phase and potentially find a transitional arrangement,” Landefeld goes on to say.
The association fears that shutting down the database could become a significant challenge for companies and public administration. “Appropriate measures are already being prepared. However, some of these relate to the CVE project and will therefore come to nothing or require significantly more time to become effective,” explains Landefeld.
For eco, cybersecurity is primarily a joint responsibility that can only be ensured if companies, governments and users all contribute according to their capacities, possibilities and mandates. The identification and elimination of security vulnerabilities in software and IT products is a crucial factor for trust and security on the Internet. The CVE project has created a globally unique database that catalogues these security vulnerabilities and has thus given companies the opportunity to take systematic action against them. The loss of this database leaves companies uncertain as to whether their security gaps are already known elsewhere and being addressed. Relevant projects at the EU security agency ENISA have already been initiated but will still require several more months before they become effective.
