The government will continue funding the Common Vulnerabilities and Exposures (CVE) program. In a statement to The Verge, US Cybersecurity and Infrastructure Agency (CISA) spokesperson Jared Auchey said it “executed the option period on the contract to ensure there will be no lapse in critical CVE services” last night.
At this point … what stops the CVE foundation moving on as a foundation and working to find an alternative funding model?
Nothing. They should do exactly that. As usual the US government has proven that it cannot be trusted or relied on.
So… the US government doesn’t have to fund it anymore? So that is an advantage for them in this situation, what is the disadvantage? Or was that their goal all along?
Usually the goal when funding stuff like this is to buy some influence to control major decisions. I wouldn’t put it beyond an independent foundation, to take just one example, to drastically reduce the deadlines between confidential disclosure and public release where some government or corporate controlled organization might set some that are more made for the slow speed of large org bureaucracy.