Senior Staff Writer

Congress pushes MITRE to fix CVE program, suggests regular reviews and stable funding

Aug 27, 2018

After a year of investigation into the Common Vulnerabilities and Exposures (CVE) program, the Energy and Commerce Committee has some suggestions as to how it can be improved.

On Monday, the Energy and Commerce Committee sent letters to MITRE Corporation and the Department of Homeland Security (DHS), recommending some needed changes to the troubled CVE program.

Bottlenecks, coverage gaps, and frustration:

In 1999, MITRE created the CVE database as a means of standardizing the naming convention of disclosed vulnerabilities. However, as Salted Hash reported in 2016, the program has faced several problems, including coverage gaps and bottlenecks.

Moreover, researchers were frustrated by the program because it could take several weeks or months to get a CVE assigned, assuming their reports and communications were answered at all. Further, the Committee’s investigation found that some vulnerabilities were rejected outright because they were viewed as out of scope.

MITRE attempted to solve some of the problems by adding CNAs (CVE Numbering Authorities), but that didn’t eliminate the problems between researchers, MITRE, and the CNAs themselves, nor did it eliminate the problem of CNAs issuing CVE-IDs incorrectly.

As our original report discussed, more than 6,000 vulnerabilities disclosed in 2015 didn’t get a CVE-ID, so anyone who relied on CVE to stay informed about risk was missing a sizable chunk of data.

The proposed fix:

Based on FOIA documents obtained in 2006, MITRE gets at least $1.2 million in taxpayer funds out of a total government contract worth $5 million to run CVE.

The Committee’s investigation found that the program received 37 percent less funding year-over-year between 2012 and 2015, but gained a significant funding boost in 2016 ($4 million).

In their letters, the Committee members suggested that this process be changed, urging DHS to transition the CVE program from a contract-based funding model to a PPA (Program, Project, or Activity) line item in the DHS budget.

The second suggestion centers on MITRE, and the need to conduct biennial reviews of the CVE program.

“The historical practices for managing the CVE program are clearly insufficient. Barring significant improvements, they will likely lead again to challenges that have direct, negative impacts on stakeholders across society. The Committee understands and appreciates that DHS and MITRE have already undertaken reforms to try and address the issues that prompted the Committee’s initial request,” wrote Committee members Greg Walden (R-OR), Gregg Harper (R-MS), Marsha Blackburn (R-TN), and Bob Latta (R-OH).

“The CVE program has become inextricably integrated with cybersecurity practices during its nearly 20-year existence. Yet the documentation produced to the Committee suggests that neither DHS nor MITRE fully recognize CVE’s status as critical cyber infrastructure. Instead, both organizations continued to manage and fund the program through a series of contracts which themselves were unstable. This approach was perhaps to be expected given that neither organization, according to produced documentation, performed the level of oversight needed to ensure the program continued to fulfill its purpose and meet stakeholder needs.”

The hope is that by making the CVE program a PPA rather than a contract award, its goals will no longer be dominated by short-term projects, and that with stable funding the program itself can be improved.

The reviews will be critical, though, because the lack of them has “allowed small problems to fester and morph into the kind of entrenched problems” that the Committee noted when it began its investigation, and that Salted Hash reported in 2016.

MITRE and DHS have until September 10, 2018 to brief the Committee about the recommendations made. Salted Hash has reached out to MITRE for comment and will update this story should they respond.

Edited on 9/6/18 to correctly state the response date. -SR