What is MITRE and the CVE program?
MITRE (the name is not an acronym, despite a common assumption) is the non-profit that serves as the CVE program's Editor and Primary CNA (CVE Numbering Authority). The CVE program is the widely adopted standard for tracking newly disclosed vulnerabilities: CVE Identifiers (CVE IDs) are assigned through a network of CNAs worldwide.
That role is crucial. It lets security teams refer to the same issue consistently across advisories, vulnerability databases, and other resources, avoiding confusion and allowing coordinated cataloging of new vulnerabilities.
The CVE program, a 25-year-old initiative, is a global standard for identifying, defining, and cataloging publicly disclosed security vulnerabilities using CVE IDs. It is an important tool for vulnerability management, with over 274,000 CVE records listed to date.
If the program were to end abruptly, for instance by no longer issuing CVE IDs, shutting down its servers, or cutting off CNAs' access to the CVE API, the industry would be left without a standardized way to track new security issues.
What about the NVD?
The scare around MITRE comes a little more than a year after problems surfaced at the NIST National Vulnerability Database (NVD), the US government repository of standards-based vulnerability data, which in early 2024 largely stopped enriching new CVE records for several weeks.
While MITRE's CVE program identifies and catalogs publicly disclosed vulnerabilities, the NVD enriches each CVE record with CVSS severity scores, CWE weakness classifications, CPE applicability statements, and tagged references such as patch availability, providing the additional information needed for in-depth vulnerability analysis.
Both the MITRE CVE program and NIST NVD are extremely valuable resources to the cybersecurity community, and both have shown signs of instability.
What would happen if MITRE or NVD were terminated?
If the CVE program were terminated, there would no longer be a global standard for naming and numbering newly discovered vulnerabilities, which would severely hinder the ability of security researchers and software vendors to quickly identify and address them. Similarly, a backlog of CVEs awaiting enrichment in the NVD means that critical information about a vulnerability, such as its severity and potential impact, is not readily available to users when they need it.
Since many commercial vulnerability management tools rely on the CVE program and the NVD as primary data sources, their ability to detect and prioritize vulnerabilities would also be affected.
Future proofing: Industry collaboration is needed
These issues underscore the need for increased investment in cybersecurity infrastructure and the importance of collaboration between government agencies, industry partners, and the open-source community to ensure the continued effectiveness of vulnerability management programs. As the number of technologies and services grows, it becomes increasingly important to be fast and accurate when disclosing vulnerabilities so that the attack surface can be reduced quickly.
As an open-source contributor, Mondoo is committed to helping advance vulnerability initiatives, analysis, and resolution. We have championed policy as code as well as our open-source security scanner cnspec, which democratizes access to automated vulnerability discovery and helps companies remediate quickly. We will take an active role in community efforts to decentralize global vulnerability standards and reporting.

Would Mondoo be affected by a MITRE or NVD shutdown?
Mondoo does not rely solely on NVD or MITRE data for detections. Instead, we source vulnerabilities and advisories directly from vendors ourselves. This means that even if MITRE and the NVD were to shut down, our customers would continue to receive security updates and vulnerability findings through Mondoo, drawing on these other sources and advisories. Additionally, we enrich findings with exploit maturity, exploit prediction (EPSS), and known-exploit data to accurately prioritize the findings that matter most.
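To make the two points above concrete, here is an added example (not Mondoo's code, and not a description of how the Mondoo platform works internally) of a minimal prioritizer that keeps working when NVD enrichment is missing. Each finding carries a vendor-advisory severity, an optional NVD CVSS score that may be absent during a backlog, an EPSS probability, and a known-exploited flag. The CVE identifiers, scores, and weighting scheme are all constructed for illustration.

```python
"""Rank vulnerability findings when NVD enrichment may be missing.

Added example, not Mondoo code. Combines a vendor-advisory severity
(present whenever the finding is sourced from the vendor), an optional
NVD CVSS base score (None while enrichment is pending), an EPSS
probability and a known-exploited flag. All records are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Vendor advisories usually carry a qualitative severity before NVD attaches
# a CVSS vector; map it to a rough 0-10 scale as a fallback (assumed mapping).
VENDOR_SEVERITY_SCORE = {"critical": 9.5, "high": 8.0, "medium": 5.5, "low": 2.5}


@dataclass
class Finding:
    cve_id: str                 # placeholder identifiers below, not real CVEs
    vendor_severity: str        # qualitative severity from the vendor advisory
    nvd_cvss: Optional[float]   # NVD CVSS base score, None if not yet enriched
    epss: float                 # EPSS exploitation probability, 0.0-1.0
    known_exploited: bool       # listed in an exploited-in-the-wild catalog


def base_score(f: Finding) -> float:
    """Prefer the NVD CVSS score; fall back to the vendor severity when
    the NVD record has not been enriched yet."""
    if f.nvd_cvss is not None:
        return f.nvd_cvss
    return VENDOR_SEVERITY_SCORE[f.vendor_severity.lower()]


def priority(f: Finding) -> float:
    """Risk score = impact (0-10) weighted by likelihood of exploitation.

    Likelihood is 1.0 when exploitation is confirmed; otherwise the EPSS
    probability with a 5% floor so low-EPSS findings are never scored zero.
    """
    likelihood = 1.0 if f.known_exploited else max(f.epss, 0.05)
    return round(base_score(f) * likelihood, 2)


def rank(findings: List[Finding]) -> List[str]:
    """Return CVE IDs ordered from most to least urgent."""
    return [f.cve_id for f in sorted(findings, key=priority, reverse=True)]


# Constructed sample records; the IDs are placeholders, not real CVEs.
SAMPLE = [
    Finding("CVE-0000-0001", "critical", 9.8, 0.01, False),  # high CVSS, rarely exploited
    Finding("CVE-0000-0002", "high", None, 0.62, False),     # NVD enrichment still pending
    Finding("CVE-0000-0003", "medium", 6.5, 0.30, True),     # medium CVSS, exploited in the wild
    Finding("CVE-0000-0004", "low", 3.1, 0.00, False),
]

if __name__ == "__main__":
    for f in sorted(SAMPLE, key=priority, reverse=True):
        print(f"{f.cve_id}  base={base_score(f):.1f}  priority={priority(f):.2f}")
```

The ordering shows the point of enrichment beyond CVSS: the known-exploited medium-severity issue ranks first, the unenriched record still gets a sensible score from the vendor severity instead of dropping off the list, and the critical-CVSS issue with a 1% exploitation probability ranks below both.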

About Mondoo
Mondoo identifies, prioritizes, and addresses vulnerabilities and misconfigurations in your entire IT infrastructure and SDLC from a single interface — covering on-prem, cloud, SaaS, and endpoints. Unlike siloed approaches, Mondoo enables you to quickly understand your most urgent risks and initiate fast remediation, ensuring optimized security efforts and significantly improving security posture.
To learn more about the Mondoo platform, please contact us.