this post was submitted on 16 Apr 2025
789 points (99.6% liked)
[–] [email protected] 10 points 6 days ago (1 children)

That's good, I guess, but decentralize it. It's a tool used globally with global ramifications, so other countries should be able to run their own instance of it. That way, if an instance goes down, nobody else is left without it.

Over the coming days, the Foundation will release more information about its structure, transition planning, and opportunities for involvement from the broader community.

Hopefully that includes decentralization on the roadmap.

[–] [email protected] 47 points 6 days ago (2 children)

Decentralizing a foundation such as CVE would do more harm than good. For things like git or the fediverse it makes perfect sense, but the last thing I want something like the CVE to be is fragmented. We need a single source of truth for this.

Now, setting up a non-profit foundation and cutting dependence on governments is a good thing, but it's not the same as decentralized.

[–] [email protected] 25 points 6 days ago

This, exactly.

The whole point of CVE is to make sure everyone is on the same page regarding exploits. That necessitates a single point of truth for the whole operation.

[–] [email protected] 4 points 5 days ago (4 children)

We need a single source of truth for this.

So distribute it, like DNS. Have the CVE Foundation be the final authority, but relying solely upon them makes me uneasy.

The CVE Foundation might currently be independent from the US government, but that doesn't mean they're not still subject to its whims. I think people underestimate just how awful things are or could get here, and "why is the government doing that stupid/heinous/bizarre thing" has become a daily mantra for many.

CVE needs better protection from hostile governments, and distributing the system seems like the only way to achieve that.

[–] [email protected] 10 points 5 days ago* (last edited 5 days ago)

That's long since been the case; e.g. the Linux kernel assigns its own CVE numbers, as they're a CNA. This keeps the "root" CVE database completely out of the loop, short of saying "this here is your namespace and scope". Canonical is a CNA, Airbus is a CNA, both covering their own products. 453 in total.

Still important to have a fallback though because not all projects are big enough to do that kind of stuff, and you always want there to be some database you can report something against.

[–] [email protected] 9 points 5 days ago

There is some distribution of effort/expertise at least:

When an individual researcher or an organization discovers a new bug in some product, a CVE program partner — there are currently a few hundred across 40 countries — is asked to assess the vulnerability report and assign a unique CVE identifier for the flaw if and as necessary.

https://www.theregister.com/2025/04/16/homeland_security_funding_for_cve/

[–] [email protected] 6 points 5 days ago

I think you might be overestimating how complex the system is. This isn't collaborative, and it's barely even dynamic. It's essentially bookkeeping around a list of numbers and a zip file of text documents.

https://github.com/CVEProject/cvelistV5/archive/refs/heads/main.zip

The reporting of the issues is already done by other people, they just rely on a central group to keep the numbers from colliding.

https://www.cve.org/CVERecord?id=CVE-2025-3576

Not a whole lot there.

Significantly more worrying is the nvd.

https://nvd.nist.gov/vuln/detail/CVE-2025-31161

There's additional data attached relating not just to the vulnerability, but to exploitation and the system configuration that's known to be exploitable.

Up until now it was benign, as well as entirely unavoidable, for so much of the infrastructure of the Internet to be closely tied to the US government.
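To make the "namespace and scope" delegation to CNAs and the "keep the numbers from colliding" bookkeeping concrete, here is an added example that is not from the thread or the CVE project: a deliberately simplified model in which a root hands each CNA a disjoint block of IDs, CNAs publish cvelistV5-shaped records on their own, and an audit checks for malformed or reused IDs. The block allocation scheme, the CNA names and the year 1900 are constructed placeholders, not how CVE Services actually reserves IDs.

```python
import re
from collections import Counter

CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


class CveRoot:
    """Simplified model (assumption, not the real CVE Services API) of the
    root's one job: give each CNA a disjoint block of IDs per year, so that
    numbers assigned independently by CNAs cannot collide."""

    def __init__(self):
        self._next = {}      # year -> next unreserved sequence number
        self.reserved = {}   # (cna, year) -> IDs handed to that CNA

    def reserve(self, cna: str, year: int, count: int) -> list:
        seq = self._next.get(year, 1)
        block = [f"CVE-{year}-{n:04d}" for n in range(seq, seq + count)]
        self._next[year] = seq + count
        self.reserved.setdefault((cna, year), []).extend(block)
        return block


class Cna:
    """A CNA publishes from its reserved block without asking the root again.
    Record shape follows the cvelistV5 JSON 5.0 layout (minimal fields only)."""

    def __init__(self, short_name: str, root: CveRoot):
        self.short_name, self.root, self.pools = short_name, root, {}

    def publish(self, year: int, product: str, description: str) -> dict:
        pool = self.pools.setdefault(year, [])
        if not pool:                       # block exhausted: ask root for more
            pool.extend(self.root.reserve(self.short_name, year, 10))
        cve_id = pool.pop(0)
        return {
            "dataType": "CVE_RECORD", "dataVersion": "5.0",
            "cveMetadata": {"cveId": cve_id, "state": "PUBLISHED",
                            "assignerShortName": self.short_name},
            "containers": {"cna": {
                "descriptions": [{"lang": "en", "value": description}],
                "affected": [{"vendor": self.short_name, "product": product}]}},
        }


def audit(records: list) -> dict:
    """The central bookkeeping check: malformed IDs and IDs used more than once."""
    ids = [r["cveMetadata"]["cveId"] for r in records]
    return {"malformed": [i for i in ids if not CVE_ID_RE.match(i)],
            "duplicates": sorted(i for i, n in Counter(ids).items() if n > 1)}
```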

[–] [email protected] 2 points 5 days ago (1 children)

Distribution, decentralization… those ideas only serve to add unnecessary complexity to a sensitive and critical infrastructure. Instead of throwing the baby out with the bathwater, let's work toward making these institutions not rely on or be beholden to governments. Anything else is a poor man's Band-Aid for the problem.

FWIW, I agree with your concerns, but not the proposed solutions. Regardless, these are the types of discussions we all should be having for our critical infrastructure.

[–] [email protected] 1 points 5 days ago

let’s work toward making these institutions not rely on or be beholden to governments.

I don't see how that's possible unless you use a system that's resistant to governments (or moneyed interests). And the only systems like that are effectively outside their government's power or jurisdiction. Otherwise, the right mix of ambitious or greedy people could eventually cause it to crumble.

Did you have some other kind of system or plan in mind?