House lawmakers are pushing for reforms of the troubled Common Vulnerabilities and Exposures program that has been overwhelmed by bugs and security flaws.
The CVE program is a list of publicly known cybersecurity vulnerabilities that is managed by the MITRE corporation. The proposed changes come after reports that the Department of Homeland Security-backed program was unable to keep up with the demands for its work.
A House investigation into the program’s delays are ongoing, but the lawmakers’ letter is an insight into the criticized list.
The vulnerabilities program should be given a permanent line item in the Department of Homeland Security’s budget, the lawmakers wrote, as opposed to the current contract-based funding model.
“Funding this key cybersecurity program through piecemeal, short-term contracts does it a disservice,” the Aug. 27 letter from four lawmakers said. They also suggested biennial reviews of the program to monitor effectiveness.
The lawmakers said their investigation has received no evidence that the Department of Homeland Security or MITRE ever conducted an analysis of the vulnerability exposure program’s effectiveness.
The program has long faced challenges. There have been alleged months-long delays in getting bugs identified and published.
In 2013, the CVE list’s former editor, Steve Christey, wrote a stark warning about the program’s troubles in an email.
“We are not well-prepared to handle the full volume of CVEs for all publicly disclosed vulnerabilities, so we worked with the CVE Editorial Board to define the highest-priority,” the email read in part.
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.