If there are any Europeans here, I'd love to make my vulnerability database that's accumulated from all linux security trackers and the CVE/NVD open source if I can manage to find some folks who'd help with maintenance.
Currently hosting costs are unclear, but it should be doable if we offer API access for like 5 bucks / month for private and 100 / month for corporate or similar.
Already did a backup of the NVD in the last couple hours, currently backing up the security trackers and OVAL feeds.
Gonna need some sleep now, it's morning again.
My project criteria:
- hosting within the EU
- must have a copyleft license (AGPL)
- must have open source backend and frontend
- dataset size is around 90-148 GB (compressed vs uncompressed)
- ideally an e.V. for managing funds and costs, so it can survive me
- already built my vulnerability scraper in Go, would contribute it under AGPL
- already built all schema parsers, would contribute them also under AGPL
- backend and frontend needs to be built
- would make it prerendered, so that cves can be static HTML files that can be hosted on a CDN
- needs submission/PoC/advisory web forms and database/workflow for it
- data is accumulated into a JSON format (sources are mixed non standard formats for each security tracker. Enterprise distros use odata or oval for the most parts)
If you are interested, write me on linkedin.com/in/cookiengineer or here.
Ucalegon 2 hours ago [-]
The EU should just buy MITRE. Move it to the EU and make it a EU based project.
elric 16 minutes ago [-]
I don't think the EU has any interest in this. They've been aware of the risk of relying on the US for software security for years, but AFAIK there have been no efforts to do anything about it. Maybe the current situation will kick some butts into gear ...
Off topic: your username is very appropriate given the situation.
FirmwareBurner 5 minutes ago [-]
>They've been aware of the risk of relying on the US for software security for years, but AFAIK there have been no efforts to do anything about it.
Indeed. Just as Germany knew their economy is vulnerable to Russian gas and did nothing about it, even after the 2014 invasion of Crimea.
I never EVER, saw politicians act proactively for the good of the nation or the people, all they do is act reactively after the shit hits the fan to control public opinion, help their monopoly friends in the private sector and make sure they get re-elected, that's it.
Once you realize our rulers aren't competent at their jobs or acting in our best interest it all makes sense. They're in it for the grift.
jonnybgood 1 hours ago [-]
MITRE is a non-profit. All the EU has to do is reach out to MITRE and be willing to fund the project.
Ucalegon 1 hours ago [-]
I know that they are a 501(c)3, but they have significant revenue and intellectual property, so in order to do the lift and shift, there would need to be some money changing hands to accomplish it. Not only that, but being owned by the EU gives the ability for MITRE employees to have the option to immigrate to the EU to protect against any retaliation.
I cannot believe I am typing that second sentence, but here we are.
bkor 43 minutes ago [-]
> Not only that, but being owned by the EU gives the ability for MITRE employees to have the option to immigrate to the EU to protect against any retaliation.
According to which rule would "owning by the EU" result in an option to immigrate? Immigration is handled on a per country basis. I don't see how the EU provide such an option.
The EU has agreed upon programs in order to bring in, through an immigration policy, high skilled persons from non-member states. More importantly, working within the member nations, as to which member nation would want MITRE to be located within their borders, is not something that is a hard sell given that it has economic advantages for whichever state(s) onboard MITRE.
labster 37 minutes ago [-]
The EU can accomplish it with diplomacy. It’s unknown technology in America, but diplomacy and asking to work together is truly powerful.
Cthulhu_ 58 minutes ago [-]
I think all the big companies that owe their ongoing business should band together and fund it. No way an organization like this should rely on just one sponsor.
panny 2 hours ago [-]
This would be hilarious. That would be a good thumb in the eye to the current administration who complained long and loud about how Obama let ICANN leave US possession. Just imagine the campaign commercials in 2026,
>The POTUS transferred our cyber defenses to the EU
Ouch
rob74 1 hours ago [-]
Well, that's kind of the point? The current administration doesn't care about cyber defense, any less than it cares about protecting the environment, protecting consumers, having top-notch universities and research, foreign aid etc. etc. Actually, it takes pride in not caring about all of these things.
rocqua 45 minutes ago [-]
My guess is that they feel they are supplying something the whole world is benefiting from, and they believe that unfair.
That ignores the fact that the US benefits immensely from this, and that they benefit domestically from providing that benefit more widely by getting a lot of free contributions from the outside. But the US foots the bill of those who do get payed, so its unfair...
fragmede 21 minutes ago [-]
It's so unfair that I have an great job so I can treat my friends to dinner all the time! I hate being rich.
Ucalegon 51 minutes ago [-]
Not to mention the administration aren't going to be held accountable for, or actually be impacted by, the harms that come for their actions.
delulucrew 1 hours ago [-]
[dead]
tecleandor 11 minutes ago [-]
(Spain, doing storage and web hosting)
What usually worries me the most is the administrative or management part, which I don't know how big would be for this project...
weinzierl 3 hours ago [-]
Try to talk to the people from the Sovereign Tech Fund, they have a history of sponsoring security relevant projects in the EU.
jauco 3 hours ago [-]
And maybe the sidn fund?
decide1000 3 hours ago [-]
Nlnet for opensource
Sander_Marechal 28 minutes ago [-]
Yes, maybe reach out to Michiel Leenaars from the NLNet foundation. But IIRC NLNet mostly funds shorter development tracks, not ongoing upkeep/maintenance.
f_devd 3 hours ago [-]
Maybe something to bring up to one of these e.V.'s if it ends up being difficult to get started: Codeberg.org, nlnet.nl, ccc.de
I’m interested to help! I added you on LinkedIn, so will message there after you accept. :)
wustus 1 hours ago [-]
Depending on deployment strategy I could help with Kubernetes stuff.
goodpoint 31 minutes ago [-]
There are already many security trackers, why writing a new one? The issue is paying people to handle the advisories.
juicyyy 2 hours ago [-]
Im also interested in helping
greenRust 3 hours ago [-]
Great idea. I'm interested in helping. I'll dm you.
mwe-dfn 21 minutes ago [-]
[dead]
sneak 1 hours ago [-]
The AGPL is a nonfree (and nonsensical) license.
There’s nothing wrong with normal GPL.
lifthrasiir 1 hours ago [-]
Is there a non-free license approved by FSF and OSI and compatible with DFSG?
1 hours ago [-]
4ndrewl 2 hours ago [-]
To the "I wish HN would stay out of politics" crew.
You can stay out of politics, but politics will always come and find you.
belorn 2 minutes ago [-]
I view the archive.org, Wikipedia, CVE program, and Linux Kernel to all have had discussions on HN about how to they should be funded. Is that kind of politics the kind that people wish that HN stayed out from?
h1fra 16 minutes ago [-]
HN and founders will say "no politics here" on the regulated internet, drinking regulated water, eating regulated food, breathing regulated air.
dmckeon 51 minutes ago [-]
People trying to ignore politics are like fish trying to ignore water.
strogonoff 26 minutes ago [-]
Not talking about politics is itself a political position (in favor of status quo).
stingraycharles 21 minutes ago [-]
Depends. We’re a small, very international startup and have a super strict “no politics” policy. Politics and work are not a good combination when you’re employing people from all over the world.
But I would not consider it a political statement to adopt this policy.
noelwelsh 7 minutes ago [-]
Your statements are incoherent. Politics is decision making and power relationships within groups of people. It is 100% a political statement to adopt this policy as it exercises power over a group. You cannot function as a group without politics. "Where do y'all want to go for lunch" is also politics, as it involves group decision making and power relationships (Do you go to the vegetarian place? Do you avoid the spicy place?). If what you want is a "don't piss off your coworkers by discussing topics unrelated to work that you know will annoy people" policy, that is fine, but don't pretend you are not engaging in politics.
t0lo 2 hours ago [-]
Everything is political now by design. It's meant to reach into every facet of society and community and restructure it.
Braxton1980 1 hours ago [-]
Everything was always political. Laws, the economy, conflcit. How is any person not affected by these? The government is responsible for all or a large part of how a country functions.
People who say "I'm not political" are deflecting to avoid conflict
InsideOutSanta 9 minutes ago [-]
One of the benefits a working democracy conveys to its citizens is that they largely don't have to care about politics. They can trust that government action is relatively consistent over time, that laws will be enforced fairly enough, that their property will be protected to a reasonable degree, that the currency will be reasonably stable, that the roads will be maintained, that some public transport will be available, that sudden wars won't erupt around them, and so on.
That's what makes working democracies successful. But it seems that it also makes democracies vulnerable because people don't realize they have these benefits because they live in a working democracy. They start to think these benefits have nothing to do with politics and are just the way things are, like the laws of nature.
juliendorra 1 hours ago [-]
Alternatively people who say “I’m not political” are benefiting from the status quo and political direction of things (long term, not necessarily short term). They frame inaction as apolitical.
darkwater 1 hours ago [-]
> People who say "I'm not political" are deflecting to avoid conflict
A great truth. Even isolating yourself from society like a hermit is still a political decision: you are rejecting society as it is, and prefer to live in your own solo society. That's politics.
computerthings 13 minutes ago [-]
[dead]
perching_aix 1 hours ago [-]
When this is discussed, what's being meant is that everday party politics are spilling out and overwhelming a project's or industry's individual, internal politics, which are often a completely disconnected meta.
Appealing to "well everything is connected" I'm not sure is useful. It's interesting from a semantics perspective the first few times you come across it maybe, then swaps around into being plain frustrating, then lands on just missing the point.
Finally, I think people who want to stay out of said party political meta I think are doing a pretty big favor to their mental health, and I really can't fault them one bit for it. No coincidence either.
t0lo 1 hours ago [-]
I mean I think The Republican Incumbent was chosen specifically as a tool because he is so extreme, pervasive and demoralising and creeps into everything. Definitely by Russia, maybe also by our "friend" in the ME. Although it's not that reported on they are on friendly terms.
Disaffection lends itself easily to creating a Russia-style society. This all feels pretty Dugin-esque, and his proposition (return to values, reject interest/hope in politics because it is always flawed anyway, bind together under the state) fits perfectly, and is finding prominence at the perfect time.
ndr42 36 minutes ago [-]
What is "ME" referring to?
NikkiA 23 minutes ago [-]
"Middle East" is the usual expansion, and fits in context here.
Cthulhu_ 57 minutes ago [-]
Everything already was, you just didn't recognize it because it was to your benefit / in your interests.
po1nt 25 minutes ago [-]
That's because we got reliant on the funds from government. Maybe it's time to break the dependency.
paganel 40 minutes ago [-]
Agree, but it goes both ways, with technology (that many of us here have helped create and maintain) also reaching out into every facet of society and community, many times in close symbiosis with the political powers that be, to the detriment of said society and community.
Not 100% sure what I wanted to say, maybe that said politics (and the political as a whole) wouldn't have invaded almost our entire lives without the help of technology.
scandox 14 minutes ago [-]
What people mean when they say this is that they don't want to engage in party political and/or tribal political discussions. They don't want to do this because it just means rehearsing talking points.
People are not dumb. They know that politics is everywhere but they want to live and love and talk about things that are interesting.
blueflow 26 minutes ago [-]
The problem is not political topics, it is how people discuss them.
cantrecallmypwd 41 minutes ago [-]
Yep. It's also true of people who think they can simply move out of the US and that "solves" the problem too. America's problems are still (almost) everyone's problems too.
okeuro49 51 minutes ago [-]
"You can stay out of politics, but politics will always come and find you."
No, it's just recognising that it is silly to talk about politics, as certain views are just downvoted.
dhx 6 minutes ago [-]
The latest contract[1] (I hope this is the right one) for MITRE's involvement with CVE and CWE programs was USD$29.1m for the period 2024-04-17 to 2025-04-16 with optional extension of expenditure up to USD$57.8m and to an end date of 2026-04-16.
Seemingly MITRE hasn't been advised yet whether the option to extend the contract from 2025-04-16 to 2026-04-16 will be executed. And there doesn't appear to be any other publicly listed approach to market for a replacement contract.
I wonder what level of compartmentalisation inside DHS means they didn't see this as having sufficient downsides?
I ask this, because I don't think anyone in the subject matter specialist space would have made a strong case "kill it, we don't need this" and I am sure if asked would have made a strong case "CRISSAKE WE NEED THIS DONT TOUCH IT" -But I could believe senior finance would do their own research (tm) and mis-understand what they saw in how other people work with CVE, and who funds it.
hackyhacky 5 hours ago [-]
> I wonder what level of compartmentalisation inside DHS means they didn't see this as having sufficient downsides?
This was not a carefully-weighed decision based on a cost-benefit analysis. This was a political order, consistent with the administration's policy of "cut everything, recklessly, indiscriminately."
SecretDreams 2 hours ago [-]
> cut everything, recklessly, indiscriminately
Mostly discriminately, tbh.
tmpz22 5 hours ago [-]
Destroy, destroy, destroy. Promise to rebuild but don't. Take it all.
Cthulhu_ 56 minutes ago [-]
Did they promise to rebuild?
If I'm giving them the benefit of the doubt (which I hate), it's a shotgun approach; cut things relentlessly and see what falls apart. Chaos engineering applied to a country and / or the world.
willy_k 41 minutes ago [-]
That’s exactly what it is, and they said as much repeatedly while campaigning. Voters, in their zealotry against the perceived status quo, failed to realize how much of what we have right now you don’t want to cut recklessly, as well as just how reckless the people that they were choosing to do that job were.
watwut 15 minutes ago [-]
There are various glorious futures floating around about how this will make America better, stronger, more independent.
chris_wot 4 hours ago [-]
So much for the wunderkinds in DOGE.
ForOldHack 3 hours ago [-]
Soon to be powned, by their own extreme short sightedness. Duh.
nwatson 3 hours ago [-]
Maybe "they" want to do the pwning with less coordinated resistance. Doing away with CVEs would help with that objective.
wunderkind is a loanword, it's one of those cases of a German word being used but being odd in English since it's so similar.
Like kindergarten which is often speller as "garden".
"tariff as wunderwaffe" often comes to mind these days.
oezi 1 hours ago [-]
Many of these terms originate during the Nazi regime and thus aren't used lightly in Germany anymore.
Other example includes: Endgegner (final boss) or Endlösung (final solution)
I would suggest to avoid such terms.
ben_w 8 minutes ago [-]
> Endgegner
I did not know about this, thanks for die Vorwarnung. In context, I'd assume "ultimate enemy" (Gegner=opponent) as "final boss" sounds videogame.
chris_wot 3 hours ago [-]
Same thing.
drivingmenuts 4 hours ago [-]
Given that the Kids at DOGE are all computer experts, this reeks of a calculated move.
krferriter 3 hours ago [-]
Absolutely not. They are not broadly experts, and they are not making these decisions after careful consideration, as evidenced by their continual acts of stupidity and basic errors and cutting things despite having no idea what it is they are cutting. Musk got in an argument with someone who said DOGE cut funding for a cancer treatment program, and Musk was calling the person a liar, and the person provided evidence and Musk admitted it was an accident. They are a clown car of idiots who vastly overestimate their own knowledge and underestimate how much good the government actually does. They think they can just slash and burn and there will be no negative consequences because they think the government is worthless.
chris_wot 3 hours ago [-]
Until, like Ayn Rand, they actually need the government. Then they'll be complaining how the government doesn't provide services.
riffraff 3 hours ago [-]
My knowledge of Ayn Rand stops at having read a book (and considered it silly), when did she need the government and complained about it?
aaronbrethorst 2 hours ago [-]
Medicare and social security after a lung cancer diagnosis (from being a heavy smoker)
What's funny, and it might be because of the translation, but I first thought her book where all entrepreneurs are hidden away in a sort of parallel country was a dystopian satire and a joke about some people sense of self importance. Then I learned about her (and when the book was written too) and realised her book was to be read as it was written, 'seriously'. Which makes it silly, but a funny story.
chris_wot 3 hours ago [-]
She was an Objectivist. She considered social security to be "legalized plunder". Then when she needed it, she decided to take it.
One of her wonderful worldviews was to rejects altruism as a moral imperative, arguing that individuals should live for their own rational self-interest. Social security, based on the idea of supporting others, contradicts this principle.
Nevermark 2 hours ago [-]
It takes strong and complex social glue to create a place where millions can safely follow their own self-interest.
Which means anyone whose wisdom matches their self-interest is going to understand that different things have very different efficiencies at different scales.
And some things happen to be dramatically more efficient/person and more effective, the larger the scale they can be coordinated at.
InsideOutSanta 5 minutes ago [-]
>It takes strong and complex social glue to create a place where millions can safely follow their own self-interest.
This exactly. All of these people who profess to believe in objectivism could easily move to a failed state and do anything they want to with zero government intervention. But they don't do that. They want all of the benefits of a working government with none of the things required to actually create a working government.
jay_kyburz 2 hours ago [-]
It is in your self interest to have a strong social safety net, because one day you might need it too.
ndsipa_pomu 1 hours ago [-]
Also, even if you don't need it yourself, it's far nicer to live in a society where people's basic needs can be met otherwise we end up living in some kind of Mad Max apocalyptic wasteland where people with nothing and nothing to lose roam the country looking for targets.
yowzadave 3 hours ago [-]
They are clueless kids at their first job, following the orders of their hero. You think they’ll resist when the boss tells them, “cut everything”?
shakna 57 minutes ago [-]
No. [0] I wouldn't say they are computer experts. [1][2]
I think expert is not the right word for what looks like mostly rookies.
chris_wot 3 hours ago [-]
They've done their degrees and masters in Computer Science, and many of them dropped out. But they focused on AI, so I'm assuming this makes them great at statistics, but does this mean they are great at security? Given the way they've gone through a variety of departments, I'd say they aren't.
The DOGE crew are incompetent. Witness their firing of all the people who look after the nuclear stockpile and Ebola research.
cantrecallmypwd 4 hours ago [-]
Vampire capitalism. They want civilization to break down so they can offer a solution for profit. The enemies of all people and life on the planet are a tiny group of oligarchs and their supplicants.
01HNNWZ0MV43FF 4 hours ago [-]
Not unlike the manga Berserk
CamperBob2 4 hours ago [-]
This isn't capitalism, any more than arson, burglary, or extortion is capitalism. Get some new material.
Nevermark 2 hours ago [-]
I agree, given the right definition of “capitalism”.
Unfortunately “capitalism” has two quite different meanings. Which are rarely clarified in use.
Capitalism with a big C, a too common overarching ideology, gets bent to mean whatever the greedy, unethical and rich want it to mean so they can get more money.
But small c capitalism, evolving from both practical and ethical foundations, is a system so useful it has multiplied the benefits of civilization. But it is just one such system.
It can’t do everything, it needs other independent systems (justice, dispute resolution, rules of clarity, risk & trust limiting systems, for starters) to work, and extending it to places it doesn’t work causes great harm.
(Like when perversely applied to those enabling systems, in big C form, as is happening now.)
tigerBL00D 3 hours ago [-]
To be fair, we don't yet know how capitalism ends.
roughly 1 hours ago [-]
> any more than arson, burglary, or extortion is capitalism
Indeed.
Spooky23 4 hours ago [-]
No, we’re in a middle of a coup. Palantir or some other odious company will get paid 100x more to do something.
ozim 32 minutes ago [-]
People will not submit vulns as happily to such business.
Most of vulns will go unaddressed because company like palantir will most likely want only really good vulns like 0-click RCE.
cavisne 4 hours ago [-]
MITRE has a trademark on the term CVE.
pjmlp 3 hours ago [-]
As if laws have any meaning to this administration, and anyone expecting this will only last four years instead of turning into one of those countries so much admired by the captain at the helm, is fooling themselves.
When the citizens realise this, the structures to clamp down any revolution will be in place.
transcriptase 4 hours ago [-]
[flagged]
overfeed 2 hours ago [-]
> "kill it, we don't need this"
"We are paying MITRE how much? Bigballs and co will write a better ststem in 1 week and have it integrated with xAI. How hard could it be? Send out a first draft of an xAI contract to our DHS contact"
epistasis 4 hours ago [-]
Your words don't make any sense in this environment. The idea that any person at an agency could stand up to or convince the DOGE team of anything is preposterous.
Anything that weakens the US or puts our cybersecurity in a place that Russia can exfiltrate data will happen. This is not about the US needing anything and it's silly to think otherwise. See also the NLRB whistleblower and the security backdoors that DOGE demanded to allow data exfiltration and the subsequent death threats to the whistle blower.
You mindset is behind the times and needs to adjust to a, frankly, insane current reality.
mmooss 4 hours ago [-]
> Your words don't make any sense in this environment. The idea that any person at an agency could stand up to or convince the DOGE team of anything is preposterous.
Your comment embraces and spreads the powerlessness they want you to feel and spread.
Of course you can stop them - like any other negotiation in life, especially non-friendly ones, you need to make it in Trump's interest either by carrot or stick. Trump has interests; identify them and identify your power in those regards ('power and interest' is the term), and use it.
Also, stop helping them make DOGE the scapegoat. It's Trump.
watwut 6 minutes ago [-]
No, blaming "someone inside DHS" is what makes no sense. It 100% makes sense to blame DOGE and actual perpetrators. You can stop them only if you start to blame those who do the stuff you dont like instead of blaming everyone else except them.
epistasis 4 hours ago [-]
DOGE is doing this, it's not a "scapegoat", and Trump is not going to negotiate anything here, that's ridiculous.
What leverage do you have for the DOGE boys? What power? Resigning? Because on the Defense side of the government the best leverage that some teams have found is mass resignation, meaning that nothing happens.
There is no negotiating with bullies, it merely breeds more concessions.
mmooss 4 hours ago [-]
> DOGE is doing this, it's not a "scapegoat", and Trump is not going to negotiate anything here, that's ridiculous.
DOGE follows Trump's direction and acts on his behalf, as you must know. They make a big deal out of DOGE so Trump's name is less attached to these actions. Then they can take much of the blame with them when they go away, with Trump and the GOP blaming them for 'excesses'.
> Trump is not going to negotiate anything here, that's ridiculous.
> What leverage do you have for the DOGE boys?
You don't understand how negotiations work. Everyone has interests, strengths and weaknesses, and power. You need to make it in Trump's interest to keep the CVE program.
Everyone saying they are helpless, and that anything else is ridiculous, are panicking. Very unfortunately - dangerously - many people legitimize the panic. It's so normalized that it's "ridiculous" not to panic.
Every day you continue this behavior, you fall further and further behind and lead others in that direction. Will you wake up in time?
figgis 3 hours ago [-]
Currently the "discussion of leverage" you are talking about is out of the hands of the leaders who run these programs.
The amount of disrespect you have shown for someone that is just telling you 99% of federal workers have absolutely no leverage says a lot.
stavros 1 hours ago [-]
Isn't the US supposed to be the birthplace of modern democracy? When did you guys forget about protests and rallies?
SpicyLemonZest 41 minutes ago [-]
It's just not practical to organize a rally to save a niche cybersecurity program. People are busy protesting to protect Medicaid and keep themselves out of foreign gulags, they can't divert the attention to CVE.
throitallaway 3 hours ago [-]
> You need to make it in Trump's interest to keep the CVE program.
This guy is ~80 years old and bragged about "person, woman, man, camera, TV." He recently got into a Tesler and exclaimed "everything's computer!" Have you seen the way his aids explain executive orders to him (like a child) before he signs them?
He doesn't have the foggiest notion of comprehension of what the CVE program is, or how it would benefit him. Unless you're greasing his wheels, it's not going to happen.
1oooqooq 1 hours ago [-]
he sure understand two things.
one it costs the us and is needed by everyone, so he thinks but paying it someone will pick it up and then the us will be the free loader.
second, he understands that helps he and his pals wash dirty money.
djur 4 hours ago [-]
I don't think there's any reason to believe that Trump is mentally competent to understand what's happening here or engage in any kind of meaningful negotiation.
markhahn 3 hours ago [-]
I'm curious by what means you think Trump can be bargained with.
Do you mean things like handsfull of like-minded countries selling t-bonds? No one in the R party has any leverage, and it's not clear that even a few US billionaires could exert any influence.
Do you really think Trump has ever heard of "CVE" or could comprehend them?
chris_wot 3 hours ago [-]
No, it's definitely DOGE doing all of this. Each one of these young fools need to be named and shamed. The level of damage they have done is unprecedented. They will, in their later years, hopefully look back at this time in their life with a great deal of shame and embarrassment.
Wololooo 3 hours ago [-]
I have the feeling that there will be no redemption arc for those ones and the repenting would be for show before a court of public opinion.
I'm going to be to the point here, if you guys over there don't start to heavily push and organise, and I said it already, you're one Reichstag fire away from something very bad, and from my point of view, there is probably one kristallnacht pending in the mix.
This is not a hyperbole and if someone wonders why this has relevance to the discussions, in this case most of the people around here are blue team, and it does feel like the red team has already taken anything that wasn't attached and now taking the time to take what's bolted on...
I guess the silver lining of all this, is in their hubris, they forgot the bread and games motto, so they're might still be a chance to turn things around somewhat... But the window is closing at an impressive speed.
chris_wot 3 hours ago [-]
I'm an Australian. We have a guy called Clive Palmer, who has formed a party called (no joke) the "Trumpet of Patriots". It's certain nobody will vote for him. The opposition leader married himself to MAGA (and close to Trump) and now it appears like this will prevent him from winning.
The rest of the world is mostly against Trump.
throwawaygmbno 2 hours ago [-]
It needs to be the "shame and embarrassment" Nazis felt at the end of WWII and not the traditional shame and embarrassment they are used to feeling after losing the civil war and Jim Crow laws. It will just happen again in a generation otherwise.
Aurornis 4 hours ago [-]
This sort of thing is happening across the federal government. There is no rhyme or reason. DOGE has been given an unrealistic target for cuts and they're desperately cutting whatever they can get their hands on. If you look at the federal budget it's nearly impossible for DOGE to hit their stated goals without touching benefits like medicare and social security (which are off limits so far) so the only option is deep, deep cuts into the narrow slice of the federal budget that excludes those protected categories.
There is no rhyme or reason to what gets cut, other than someone under pressure to hit KPIs (dollars cut) was desperately searching for things that looked easy to cancel.
This is happening everywhere the federal government touches. Most people aren't aware of it until they come around and pull the rug on something that intersects with your own life.
Even my die-hard Republican distant relatives are suddenly shocked because programs they benefited from are being cut. They thought they voted for something different.
bruce511 3 hours ago [-]
>>They thought they voted for something different
Like what exactly? I mean the guy ran on cutting the budget by 2 trillion. In his last term he gave tax breaks yo the rich. Where did they think the cuts were coming from?
He ran very hard on raising tarrifs. Which demonstrably raise prices (thats literally their goal.) But now people claim "I didn't vote for this."
In truth they voted for him because he was the Republican on offer and they're die-hard Republican. The Republican party has made no secret of its agenda for decades.
I get it, people are good at cognitive dissonance. But this is the place for blunt truth. They voted for this. I'm not letting Republicans got off the hook here. They voted for this.
Just like to my Republican friends who are upset that CVE is cut. You voted for this. The general public benefit from CVE even though they dont know it exists. Just like you benefitted from dozens of other programs you didn't know existed, but have also been cut.
That's the problem with cuts. They ultimately end up hurting everyone.
Now clearly there's some fat that could be trimmed. Companies do it all the time. Done well its good. Swinging a hatchet in a crowded elevator does not seem like "Done well".
michaelt 25 minutes ago [-]
> Where did they think the cuts were coming from?
When someone hands you a pencil, you don't wonder what variety of tree the wood came from, or what paint chemistry was used for the coating. It's a pencil. You might have broad opinions on whether the one in your hand is comfortable to use, and sharp - but you leave the details to the pencil makers.
About 70% of the population engage with politics the same way: Leave the details to the people who do this stuff for a living.
Do they expect to be disappointed? Sure, but everyone who engages with politics expects to be disappointed.
lolinder 2 hours ago [-]
> In truth they voted for him because he was the Republican on offer and they're die-hard Republican. The Republican party has made no secret of its agenda for decades.
This is actually simply not true. The Republican party before the Tea Party looked nothing at all like this. Trump won the presidency last year riding a wave of distinctly not-your-typical-Republican lower class voters. As he rose the old guard Republican establishment formed the anti-Trump wing of the party until they were forced out one by one.
To put some numbers to this: Bush won the upper income brackets by 5+ points in 2000, with a lead that widened as you went up the income ladder. Trump lost the equivalent brackets in 2024 by 5+ points, a 10 point swing away from what Bush won them by. The lower brackets are even more stark, with a whopping 18-point swing towards Trump in the $30k-$50k bracket (inflation adjusted to $15k-$30k).
These numbers show that Trump is not a Republican in the George W Bush sense and he's certainly not a Republican in the Ronald Reagan sense. He's a populist and won on a populist agenda by putting together a coalition of rabid social conservatives (who probably really did go Bush in 2000) and poor people (who largely did not).
sanktanglia 50 minutes ago [-]
You are ignoring that trump rode to power explicitly by enabling the shittest of Republicans that already exist. To try and let republicans off the hook for supporting him, especially a 2nd time? Is hilarious
rat87 1 hours ago [-]
Populism is not an agenda it's a style. Also the majority of poor people voted Democrat, the majority of people with low education levels voted for Trump (which is not the same thing as dumb, although voting for Trump is dumb regardless of PhD or lack of HS diploma). There's overlap between low levels of education and income but if you define class by income then low income people mostly voted Dem
eCa 2 hours ago [-]
> They thought they voted for something different.
They voted for the leopards to eat other people’s faces, not their’s.
ForOldHack 3 hours ago [-]
The ryme is Humpty Dumpty, had a great fall. Now China and Russian security forces step up their relentless attacks. Let's hope the white house falls first.
shakna 4 hours ago [-]
I'd say that the rhyme and reason are quite clear [0]. They published a playbook, and they are implementing it at a record pace.
> The NSC [National Security Council] staff will need to consolidate the functions of both the NSC and the Homeland Security Council (HSC), incorporate the recently established Office of the National Cyber Director, and evaluate the required regional and functional directorates.
> Given the aforementioned prerequisites, the NSC should be properly resourced with sufficient policy professionals, and the NSA should prioritize staffing the vast majority of NSC directorates with aligned political appointees and trusted career officials. - Project 2025, pg 52.
> ... History shows that an unsupervised NSC staff can stray from its statutory role and adversely affect a President and his policies. Moreover, while the NSC should be fully incorporated into the White House, it should also be allowed to do its job without the impediment of dually hatted staff that report to other offices. - Project 2025, pg 53.
The goal is to build up a political organisation to use as a weapon, and to scrap the rest - as a legal excuse to say that the political appointments will be necessary.
They have to find some gumbah to head the security dept,because the best one they had,left in a hurry. Heard he went to Denmark. ( I am really really kidding )
riffraff 3 hours ago [-]
> Even my die-hard Republican distant relatives are suddenly shocked because programs they benefited from are being cut. They thought they voted for something different.
Out of curiosity, which programs? And is this enough to change their opinion about Trump, or do they still think it'll be worth it?
sofixa 3 hours ago [-]
> This sort of thing is happening across the federal government. There is no rhyme or reason. DOGE has been given an unrealistic target for cuts and they're desperately cutting whatever they can get their hands on
You make it sound like poor DOGE employees are being forced to do this on this kind of schedule, which definitely isn't the impression I got. They're all a bunch of incompetent overconfident weirdos who think they know better and what to do. Is there any pressure to do anything quickly?
And the US federal budget is quite easy to trim. E.g. remove an aircraft carrier from the planned construction pipeline and you've saved $15 billion with no actual ramifications.
SpicyLemonZest 44 minutes ago [-]
Who knows whether it will happen, but in principle DOGE is working under some time pressure as they're scheduled to be dissolved in mid-2026.
russellbeattie 2 hours ago [-]
Remember, DOGE has nothing to do with money or "efficiency". It's a pure ideological dismantling of the Federal government aimed at eliminating oversight, regulations, assistance and entitlements as envisioned by ultra-conservatives for decades.
This isn't speculation or hyperbole, it's specifically laid out in their published plans: By hobbling or outright eliminating federal agencies responsible for executing the laws passed by Congress, the administration can circumvent the democratic process and impose their extreme vision of limited government on the country, regardless of popular support.
The U.S. system of government relies on established norms as much as it does law. Conservatives realized that they can ignore precedent with impunity if they had an executive willing to do so. They then spelled out exactly how, and are now enacting that plan.
Then SCOTUS's decisions last summer turbo boosted their agenda. The ruling that only Congress can hold the President legally accountable essentially means executive power is unchecked if the legislature is unwilling or unable to Impeach and convict. The President can now confidently ignore the law and judicial orders with a veneer of legality. And this is what he's doing.
(The fact that all this just so happens to benefit Russia after their decade long campaign to destabilize their opponents in the West is a topic for speculation.)
DOGE is about permanently altering how our country works modeled on the right wing worldview, plain and simple. Since that's their overall goal, they're not concerned where they swing the wrecking ball - it's all going to get destroyed eventually.
guywithahat 4 hours ago [-]
[flagged]
Aurornis 4 hours ago [-]
Smug, cryptic remarks aren't helpful. If you have a point, say it.
toomuchtodo 4 hours ago [-]
They are breaking down the federal government intentionally. DOGE was never going to hit their goals, they were impossible to hit. The goals were just cover to take full control over anything they can get their hands on.
> Even my die-hard Republican distant relatives are suddenly shocked because programs they benefited from are being cut. They thought they voted for something different.
They voted for others to be hurt and to lose benefits, not their “in group.” Surprise surprise, they are considered the waste by those they voted for.
sitkack 4 hours ago [-]
There is no in-group and out-group, there is only Trump.
sitkack 2 hours ago [-]
A comment has been deported to El Salvador, in its place
I hate Trump as much as the next guy, but let's not take things out of context, he clearly seems to mean it in a "I want everyone" sense here, rather than just the poorly educated specifically.
4 hours ago [-]
guywithahat 4 hours ago [-]
How is cutting funding to something taking control of it?
Take DOGE cutting funding to the Mitr Gender Conversion Clinic in Hyderabad, India as an example. The haven't taken control of the clinic, they're not telling them what to do or not to do, they're simply not funding it anymore. If the clinic closes it's because nobody except the previous administration wanted it. There is no reason we should be forcing gender change clinics on people in India; if they want to support it, they should purchase the service themselves.
DOGE has been about fighting corruption and reducing wasteful spending, and that's what America voted for. "Taking control" would be using government funding to support pro-abortion political groups, undoing this control would be fighting corruption.
3 hours ago [-]
afavour 4 hours ago [-]
> DOGE has been about fighting corruption and reducing wasteful spending
It absolutely staggers me that anyone can still say this with a straight face. I will ask this, though: as part of the DOGE fight against corruption and wasteful spending how many of Elon Musk's government contracts and subsidies have been cut?
throitallaway 3 hours ago [-]
Also ~12K IRS workers (7x per head ROI) and inspectors general (who actually get results and are fully accountable) have been cut. And our already bloated military budget is increasing to $1 trillion without an eye being batted. DOGE is theatre.
"A system’s function or purpose is not necessarily spoken, written, or expressed explicitly, except through the operation of the system. The best way to deduce the system’s purpose is to watch for a while to see how the system behaves. Purposes are deduced from behavior, not from rhetoric or stated goals.” —- Donella Meadows
01HNNWZ0MV43FF 4 hours ago [-]
I see at least three obvious reasons for the cuts:
1. Politically-motivated "purge the weak" Nazi stuff - Cutting Medicare, cutting Medicaid, cutting Social Security, cutting education, cutting anything that benefits people who are old, poor, queer, female, etc.
2. Privatization - NWS and NOAA are wonderful public services, and they'd rather profit from the data they produce. This is why taxes in the US are such a bitch to file, tax companies oppose any policy change that would make the paperwork easier for filers.
3. They might actually be Russian assets. Tearing down institutions that took generations to build makes space in the world for Russia to exert more influence. You can tell this is working because Europe is now wanting to re-arm.
It makes me sad. If I had a billion dollars I would still want to live in a better country. These guys only want a better world for themselves, and making everyone else into a permanent servant underclass only plays into that.
IOT_Apprentice 2 hours ago [-]
They were at the mercy of 20 year olds from doge. I wonder when doge enters the NSA & NRO WHAT information will they steal & put in their hard drives.
All of this is criminal behavior on the the current regime.
markhahn 5 hours ago [-]
it might be ignorance; it might be malice.
it might also be deliberate: that they actually don't think the government should be involved in this sort of thing. after all, someone could be making a profit on this, and that seems to be their highest value. if gov is involved, that makes it a communal effort, and you know what else starts with "commun-"?
yes, those reasons are stupid and ignorant AND intentional.
but is there any evidence against that interpretation?
incompatible 3 hours ago [-]
> someone could be making a profit on this
Yes, there are apparently various ways of profiting from vulnerabilities. The interesting question would be whether any of the regime insiders have a way to profit.
markhahn 2 hours ago [-]
I think it's more of a principle: if it looks like someone could charge money for it, they think that would make the country stronger, because all they understand is first-order profit. Trump's ethics is "get away with whatever you can".
For instance, most people find healthcare middlemen (pharmacy benefit managers, etc) to be grotesque parasites. But to a laissez-faire fundamentalist, they're smart for finding a way to liberate some profit, even laudable.
ggm 5 hours ago [-]
Hanlon's razor. I also tend to impute malice to things I don't like, but I think it's hard to go past stupidity.
JoshTriplett 4 hours ago [-]
Sufficiently advanced stupidity is indistinguishable from malice.
(Leaving aside that there's plenty of evidence of malice here.)
gregw2 4 hours ago [-]
I love Hanlon's razor. Super-helpful in certain contexts: "Never attribute to malice that which is adequately explained by stupidity."
But, having known about it for a dozen years now, I also find it inadequate alone as a razor without the following caveats/corollaries:
Hubbard's corollary to Hanlon's Razor: "Never attribute to malice or stupidity that which can be explained by moderately rational individuals following incentives in a complex system". ( https://en.m.wikipedia.org/wiki/Hanlon's_razor#Exceptions )
Or (HN) Nerdponx's punchier simplification: "When money is at stake, never attribute to incompetence what could be attributed to greed." ( https://news.ycombinator.com/item?id=41066724 )
Terr_ 4 hours ago [-]
Hanlon's Razor is susceptible to pathological inputs, causing unbounded runtime.
A large amount of things related to Trump fall into that category, and it's important to recognize when you need to instead treat it as a superposition: It is both malice and incompetence, unless the perpetrators decide to plead just one or the other.
groby_b 5 hours ago [-]
Stupidity rarely has a consistent destructive track record. You score occasional wins. Only malice allows every decision to do damage. (The other razor, essentially - Occam)
atkailash 3 hours ago [-]
[dead]
tgsovlerkhgsel 3 hours ago [-]
If you made this careful analysis, you'd hear "CRISSAKE WE NEED THIS DONT TOUCH IT" for almost everything (and it likely would be right for a significant portion but not everything).
That's why the current approach seems to be to axe everything, listen to how much screaming there is, then reinstate only the projects where the screaming is really loud.
conception 3 hours ago [-]
So the dumbest way to do anything. Got it.
delusional 3 hours ago [-]
You forget that their stated policy (and I don't doubt their commitment) is that whoever complains the loudest were probably scamming. That "honest people don't complain"
InsideOutSanta 31 minutes ago [-]
This makes me wonder what other stuff most people don't know exists but is important to our society has quietly disappeared in the last few weeks. We know about this one because we know it's important. What are the things we don't know about?
hubabuba44 45 minutes ago [-]
The real irony here is that a lot of ycombinator founders and the people reading HN were exactly the ones making this possible and now start to wonder why the snake eats its own tail.
cantrecallmypwd 40 minutes ago [-]
Sorry, I made the mistake of installing PyPy.
hubabuba44 34 minutes ago [-]
I assume that this comment should go somewhere else or I'm not able to decipher the message ;)
jampekka 10 minutes ago [-]
PyPy's logo is a snake eating its tail.
stego-tech 5 hours ago [-]
Man, I just can’t even muster the snark I usually have for these sorts of boneheaded decisions.
This sucks, plain and simple.
9 minutes ago [-]
aprilthird2021 4 hours ago [-]
I can't believe what a bunch of bollocks this administration is. I couldn't believe it the first time, and this time I thought "Well at least I'm ready, it will be a lot like last time" and it's so much worse
8 minutes ago [-]
roughly 1 hours ago [-]
> it will be a lot like last time
A lot of people seemed to have had this theory, despite all the evidence to the contrary.
01HNNWZ0MV43FF 4 hours ago [-]
A lot was lost in the midterms and Supreme Court appointments.
Hopefully these 4 years energize people to vote. I know protesting and direct action and so on are also important, but the gradient is not negative for voting for every office you can vote for in every election.
xyzal 7 minutes ago [-]
I fear the situation either ends badly or in a bloodshed. They aren't respecting the courts, so assuming they will accept defeat in elections is naive.
Terr_ 3 hours ago [-]
I'm scared that elections won't be secure, especially with the way the Republicans are trying to (arguably unconstitutionally) wield federal power to force individual states to change their systems in abrupt ways.
aprilthird2021 4 hours ago [-]
Yes, the next elections are all I have to look forward to really.
jjav 3 hours ago [-]
Given the current government has blown off an unanimous 9-0 supreme court decision, right now I can't feel too optimistic there will even be more elections.
hn_throwaway_99 3 hours ago [-]
I think there will be more elections, but I think they will be fraudulent, because I think Trump has shown he is adept at turning things around and then trying to pretend that what he's doing is analogous to what the other side has done.
For example, a lot of people have forgotten, but the phrase "fake news" originally came about in the wake of the 2016 election about all the (actually false) misinformation that was spread on social media in the run up to the election. Trump adeptly then co-opted the term, so any news he didn't like he could just call it "fake news", and who was to say any news he called fake was any less fake than what people were calling fake before?
My guess is the 2028 elections will be marked by fraud, and then when people protest or object, Trump and the Republicans will just say "Hey, you called all those Jan 6 protesters traitors and said the election was secure, how is now any different? Now you're all the traitors."
The only belief that gives me hope these days is "History will judge the complicit."
sofixa 3 hours ago [-]
> Hopefully these 4 years energize people to vote
You are assuming there will be next elections that are free, fair, and matter.
Trump says a lot of things that ultimately doesn't matter, but he has also said, and is the type of brute to believe it, that he intends to stay in power. He and his cronies have successfully dismantled the checks and balances that should have prevented him from doing they, legally. IMO the only way he leaves the White House without stirring trouble is in a casket.
worik 4 hours ago [-]
[flagged]
throitallaway 3 hours ago [-]
> Trump tells them they are OK. They are worthwhile.
The chasm between what Trump says (and what the propaganda says about him) and what he actually does is astounding. Most of his fans are completely uninformed of what he says and does. We've never had a president (and cabinet) with more conflicts of interest. He's been a pioneer at abusing power; tariffs on Canada because of a fentanyl crisis... give me a break!
aprilthird2021 1 hours ago [-]
We never ever told people they are losers for wanting a better life. One of the most popular candidates for the Dem ticket was Bernie Sanders. He actually wanted to cut our biggest budget line items and spend them on the things people worry about the most (healthcare, something most Americans worry about being able to afford).
Trump is a literal billionaire. How is him telling the sons of people who used to do manufacturing that they're okay any better than a Harvard educated lawyer saying he feels for them (Trump and Vance are both Ivy League educated, btw)?
I also want Americans to have a better life. I also think we spend way too much elsewhere instead of at home. A lot of Democrats think that and drive policies for that. Trump may care about that too, but you can't vote for who makes you feel good. You have to learn how to vote for who will actually improve your life. We are the rulers of America, we have to understand our economy, our government, etc. No one is going to do it for us. I'd much rather vote for someone who talks down to me and will deliver stability than a guy who hypes me up and tanks the economy
hn_throwaway_99 3 hours ago [-]
> The Democrats say "we feel your pain" Fuck them, truly. Voters do not want some Harvard educated lawyer to "feel their pain".
Yeah, apparently they want some billionaire who doesn't pay his taxes, who was given millions by his daddy, and who famously stiffed small business contractors at his buildings, to say he feels their pain.
That said, I actually upvoted your comment because right now it's heavily downvoted but I actually think there is an important point behind your comment. It may feel insane to me, but Trump is so beloved by his base because he was the first one to really acknowledge their anger and give it validity. "Make America Great Again" is a slogan that works because a lot of people have seen their financial and social position deteriorate over the past 30-40 years and they want to go back and they want someone to blame (even if going back is impossible and they're blaming the wrong people). Trump understood this, the Democrats didn't, or worse, branded anyone who harbored some of this anger as a bigot. This is basically how all fascist leaders come to power - the parallels with Mussolini are uncanny, right down to having a minor body part shot off in an assassination attempt.
Relevant recent example to me: a lot of folks can't understand the hypocrisy about bitching about inflation under Biden, but then saying "we'll hunker down" in response to the expected inflation from tariffs. The difference is the Trump base believes he is taking them "back to the promised land", and for better or worse Trump is definitely a man of action, so they're more willing to put up with temporary hardships if they think the direction is right. With Biden and the Dems, they just believe they'll get more of the "slow slide."
aprilthird2021 1 hours ago [-]
> Trump is so beloved by his base because he was the first one to really acknowledge their anger and give it validity. "Make America Great Again" is a slogan that works because a lot of people have seen their financial and social position deteriorate over the past 30-40 years and they want to go back and they want someone to blame (even if going back is impossible and they're blaming the wrong people).
I agree. And they're not wrong to want to go back or blame someone. We can "go back" in terms of increasing the QoL of our populace. Idk, the Democrats were always clear about wanting to uplift people. Obamacare and Medicare for All were extremely clear policy positions meant to uplift the common man. Eliminating student debt (a policy I don't agree with) was also obviously positioned to help people improve their economic and social standing.
I don't know why people say Democrats missed this and Trump saw it? The Democrats won on slogans that capitalized exactly this sentiment. Obama's "Hope" and "Yes we can" are obviously in a context where people didn't have hope or questioned whether we could.
I think he just got lucky against bad candidates, and we ascribe way too much to his branding and the other garbage. Clinton's branding was about HER (i.e. I'm with her), not about THE PEOPLE (biggest political branding mistake in the 21st century imo). And Harris never had the popularity to go to to toe with Trump.
Idk, I think people are mad, but I think the Democrats have spoken to that more authentically and proven themselves to actually do things that help the common man than Trump ever has
stavros 52 minutes ago [-]
The Democrats were always constrained by what's reasonable, whereas Trump has been able to promise the sky, even though delivering it means the sky is now falling.
computerthings 2 hours ago [-]
[dead]
hansvm 5 hours ago [-]
Weren't there major problems with the current CVE implementation, especially with the waves of script kiddies and AI tools spamming the database and the fact that projects who take security seriously have little to no say in the "score" that gets assigned?
bjackman 29 minutes ago [-]
As an active consumer of CVEs: yea there are major problems. No there's nothing better and no I don't have any better ideas.
The scores are mostly useless, I would not care if they disappeared, I do not look at them. I don't really understand why people get so upset about garbage scores though. If a high CVSS score creates a bunch of work for you then your vuln mag process is broken IMO. (Or alternatively, you are in the business of compliance rather than security. If you don't like working in compliance, CVSS scores aren't the root cause of your misery).
Having a central list of "here's a bunch of things with stable IDs that you might or might not care about" is very valuable.
Sander_Marechal 14 minutes ago [-]
> you are in the business of compliance rather than security.
So, most businesses. They all need their ISO/NIST/HIPAA/etc certs.
czk 5 hours ago [-]
and then a random 9.8 critical comes that affects some software you have in a way that makes it a 0 in your environment but it doesn't matter cause the cve tanks your organizational Security Score (tm) by 10 arbitrary points and management is wondering when you'll secure the company again because the Security Score is their only tangible deliverable to measure success
horacemorace 4 hours ago [-]
It’s Way Better than what we had before: software vendors making even arbitrarier decisions about how to classify them.
There are far too many bad actors for us to operate as an industry with no yardstick.
ngneer 3 hours ago [-]
I disagree that it is Way Better than before. A judgement call is worth more than a team wasting effort chasing irrelevant pseudo-vulnerabilities being reported as vulnerabilities. A broken yardstick is worse than no yardstick.
elric 13 minutes ago [-]
Solving this problem in a generalized way is really hard.
Maybe I have a dependency on Foo which has a critical vulnerability in a feature that I don't use. I suppress the warning and all is well. Then two weeks later someone on my team decides to use that feature, not knowing that there's a problem with it. Now we're fucked, and we'll never know because the vulnerability has been suppressed.
icameron 5 hours ago [-]
Yeah like when we bundled in a .js library for client side date processing that has a CVE affecting node.js servers with high score. Our auditors don’t care they tag the whole app as high risk. It doesn’t even run on the server!
czk 5 hours ago [-]
the auditors that sign off on your security to meet your clients requirements usually know way less about your security posture than your clients do
its all just surface-level box-checking. most companies required to get 'penetration tests' just get an overpriced Nessus scan sold as a pentest and that meets their reqs.
JohnMakin 4 hours ago [-]
while this is true it in no way diminishes the value that orgs like cve provide
ngneer 3 hours ago [-]
Spot on. Vulnerability scanners that make up an organizational Security Score (TM) tend to operate at the wrong level of abstraction, flagging some library somewhere that never runs and has nothing to do with your production flow or architecture, or some test keys with zero security impact. Go explain that to management, because obviously the security tools are right and you are wrong. This sad state of affairs is unfortunately the best that the security industry has been able to deliver. Trying to wrangle complexity by adding more complexity is the craziest notion to me. Yes, no scoring scheme is perfect, but when the scheme introduces more noise, what have we gained (well, security vendors gain, but what have organizations gained).
maronato 4 hours ago [-]
Don’t let the perfect be the enemy of good. It is(was?) a very useful and important system.
Trump must be receiving a lot of emails from companies wanting to fill the void, and I bet the Trumpiest of them all is going to be awarded a contract worth 10x the budget CVE had, and do a much worse job.
giantg2 4 hours ago [-]
Most tracking tools have exception processes. But yeah, security as a product family instead of a simple score seems to be a foreign concept at most companies.
5 hours ago [-]
5 hours ago [-]
idiotsecant 5 hours ago [-]
I feel that. So tired of management being completely uninterested in actual, actionable security holes but getting wildly spun up because they saw a notice with a big scary number that has absolutely no relevance in our architecture.
tdb7893 5 hours ago [-]
The scores were never going to be that accurate across people's environments (IDK how much other places relied on them, places I worked never did that much) and issues with the scores don't seem to be a good justification to torch the whole CVE system anyway.
mike_hearn 2 minutes ago [-]
Why isn't it a good justification?
I think the question everyone in this thread should ask is: why is it the government's job to do this, especially given the prior widespread view that they're doing a bad job? Is the software industry so immiserated by poverty that it cannot organize its own distribution of security bulletins? Clearly not: GitHub already runs its own vuln tracking scheme that's better integrated with the tooling we use for open source software. The industry routinely sets up collaborations like standards bodies, information sharing groups and more. And there is as whole ecosystem of security companies to help you understand vulns in your stack.
So there seems nothing specific to CVEs that requires government involvement, but the existence of the tax funded scheme does discourage the creation of competitors that might function better.
But, to CVE or not to CVE ... that is not the question. US deficit spending is out of control. This sort of thing had to happen some day. It's what Europeans in the 2010s called "austerity" and it always makes some people scream but this graph:
... is not sustainable. Up to 1984 overall US debt was stable. Since then its growth rate became dangerous. Debt/GDP ratio is now worse than just after WW2. The federal government is currently spending more on interest than on defense or Medicare:
The US is currently getting its first taste of what parts of Europe started going through in 2008, and unfortunately there's bad news: the cuts you're seeing now are mostly cosmetic. They're what can be done within the current framework of laws, sort of, with lots of bending of the rules and creative interpretations of them and maybe some oversteps. But it's just the start of what's needed. Large scale reform of the laws themselves will be required regardless of whoever wins the next elections.
hashstring 1 hours ago [-]
This^ and to add to that, at the very least MITRE assigned IDs which is great. Plus they did an initial scoring, which, well… will never be perfect like you said and I’m sure these things evolve throughout time and get better (not talking necessarily CVSS vX).
What a shame on this current gov. administration, if you can even call it that.
sepositus 5 hours ago [-]
I don't know of anyone who doesn't quickly become exhausted after running a CVE scanner on their code.
worthless-trash 4 hours ago [-]
This will get lost in the noise, but i think you mean cvss.
CVE is simply identification of a flaw, not a scoring system.
aprilthird2021 4 hours ago [-]
Sure. There's also major problems with the video encoding pipeline at my big tech job. Let's just delete it
ajross 4 hours ago [-]
> Weren't there major problems with the current CVE implementation
Absolutely. And if the headline was "DHS proposes improvements and streamlining to the CVE program" we'd all probably be cheering.
Leaping from "This is Flawed" to "Let's kill This" is a logical fallacy. A flawed security registry is clearly better than no security registry.
GolberThorce 4 hours ago [-]
There are a lot of logical fallacies. Have you heard of the sunk-cost one? Or fallacy fallacy maybe? Or ten-tendril eschatomon fallacy?
In honesty to say "logical fallacy" is spoddy, I advise against for aesthetic reason.
gcr 5 hours ago [-]
These sound like downstream effects of funding stress to me, no?
cantrecallmypwd 4 hours ago [-]
This is bikeshedding. The point is an authoritative process and an identifier
All this does is help Putin and other rich grifters.
GolberThorce 4 hours ago [-]
you like to say word 'bikeshedding', adoption of formal intellectualish sounding terminology even when inappropriate is orange-site affliction I advise against. I am saying this for your own sake... speak truths with POWER
benatkin 3 hours ago [-]
It's a legitimate term. It's like criticizing use of the word startup or demanding someone put a dash in frontend or backend.
GolberThorce 3 hours ago [-]
term is real... but is more like criticizing misuse of word startup. to be even more accurate it is what I said and not anything else
benatkin 1 hours ago [-]
Maybe you don't see how it's bikeshedding. Ah well, let me try to explain.
It's because it's like if someone had forgotten to validate the user's role in an endpoint in a Django app, and someone said that they should have used Rails because it's easier to understand. In reality both are easy enough to understand to be able to do an authorization check, and the framework isn't the issue. So the person suggesting Rails is bikeshedding.
Likewise, if someone made another vulnerability database it would likely have the same issue, and this isn't really the place to solve it. If somehow this does trigger the realization to solve it, then it will be by luck.
transpute 6 hours ago [-]
If you work on OSS software on CVE management, then you already know that NVD funding reductions have been ongoing for more than a year.
NIST maintains the National Vulnerability Database (NVD).. This is a key piece of the nation’s cybersecurity infrastructure. There is a growing backlog of vulnerabilities.. based on.. an increase in software and, therefore, vulnerabilities, as well as a change in interagency support.. We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government, and other stakeholder organizations that can collaborate on research to improve the NVD.
> Security and vulnerability handling in software is of ever increasing importance. Recent events have adversely affected many project's ability to identify and ensure these issues are addressed in a timely manner. This is extremely worrying.. Until recently many of us were relying not on the CVE project's data but on the NVD data that added that information.
Five years ago (2019), I helped to organize a presentation by the CERT Director from Carnegie Mellon, who covered the CVE backlog and lack of resources, e.g. many reported vulnerabilities never even receive a CVE number. It has since averaged < 100 views per year, even as the queue increased and funding decreased, https://www.youtube.com/watch?v=WmC65VrnBPI
matthewdgreen 5 hours ago [-]
I did find this post to be non-helpful and confusing. It would be helpful to edit it (or write differently in the future) to clarify that the sudden defunding event occurring today is separate and not related to the previous funding cuts. If that's the case.
transpute 5 hours ago [-]
Is there no connection between 2025 funding cuts and previous ones? e.g. If a year of work after the previous cuts resulted in an open-data collaboration between NVD and commercial vendors to share a subset of CC0 vulnerability metadata, could that industry collective now argue for government to share (with companies) the burden of funding an open, decentralized program for CVE tracking? Commercial vendors could still offer additional metadata and analytics, over and above the public baseline.
> A bipartisan bill that would establish a nonprofit foundation aimed at boosting private-sector partnerships at the National Institute of Standards and Technology was reintroduced in the House and the Senate.. the proposed foundation structure was described as replicating similar nonprofits that support public-private partnerships at other science agencies.. we encourage a strategy that leverages NIST’s leadership and expertise on standards development, voluntary frameworks, public-private sector collaboration, and international harmonization.. NIST’s funding has been in focus following a budget cut of roughly 12% to $1.46 billion in fiscal year 2024.
Edit_2: is there a shortage of database rows, or people to write a shell script? Why not pre-allocate N CVE IDs for every CNA, while a new plan is worked out? At least one random commercial vendor could foresee the shutdown early enough to reserve CVEs.
> Garrity posted on LinkedIn, “Given the current uncertainty surrounding which services at MITRE or within the CVE Program may be affected, VulnCheck has proactively reserved 1,000 CVEs for 2025,” adding that Vulncheck “will continue to provide CVE assignments to the community in the days and weeks ahead.”
matthewdgreen 2 hours ago [-]
I am now more confused and not less.
transpute 2 hours ago [-]
Do you have any visibility into pre-2024 funding for the NIST NVD and MITRE CVE programs?
> Moving forward, cybersecurity companies will have to “fill the void” .. NVD said in April [2024] that it is “working to establish a consortium to address challenges in the NVD program and develop improved tools and methods.” .. CISA acknowledged the concerns and outrage of the security community and said it is starting an enrichment effort called “Vulnrichment," which will add much of the information described by Garrity to CVEs.
Vulnerability enrichment was mentioned in many talks. However, most organizations seem to handle it internally. There doesn’t appear to be momentum toward a shared or open source solution – at least not yet.
cma 3 hours ago [-]
That says nothing about a funding cut, see my comment below
transpute 2 hours ago [-]
Following your comment's reference leads to a claim of NVD needing 300 to 550 million (?!) per year, but only receiving 4 million in funding. If anyone has pre-2024 data on NVD or MITRE CVE funding, that would be helpful, https://news.ycombinator.com/item?id=43701532
RVuRnvbM2e 4 hours ago [-]
There is nothing in that article mentioning funding reductions.
That article is about how the volume of software vulnerabilities are increasing, resulting in difficulty keeping up by the CVE and NVD projects.
Please stop spamming this thread with political spin.
> Since February 2024, the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) has encountered delays in processing vulnerabilities.. caused by factors such as software proliferation, budget cuts and changes in support.. NIST, an agency within the United States Commerce Department, saw its budget cut by nearly 12% this year.
cma 3 hours ago [-]
Reading that article closely it says nothing about an NVD budget cut, only a NIST one. They were trackijg the changes after NIST's budget was cut, not NVD's. As pointed out below, CISA announced a cut and then NIST more than made up for it by reallocating funds, for an NVD funding increase, even though NIST had their overall budget cut.
transpute 2 hours ago [-]
One of your references has budget numbers that are two orders (?!) of magnitude higher than the CISA number. Hopefully someone can chime in with granular historical data for NIST NVD and MITRE-via-NIST CVE funding.
4 hours ago [-]
4 hours ago [-]
cowpig 6 hours ago [-]
I've noticed that there's a post like this in most articles on HN that could be construed as negative for the current administration: some vague false statement followed by either a factually incorrect explanation or some quote that does not support the statement.
transpute 6 hours ago [-]
What is incorrect about the post above? There are citations from multiple reputable news outlets for each claim.
People who actually work with CVEs have been posting about this problem on HN for 18 months.
cowpig 5 hours ago [-]
Your post has now been edited to be factually correct. But the misleading implication that this abrupt cut is part of some other cuts that started before remains.
Larrikin 4 hours ago [-]
Anyone that silently edits their posts after being called out for misleading statements or lies is arguing in bad faith.
If you still have a cached copy of their original post you should publicly edit your earliest reply with their original quote.
transpute 5 hours ago [-]
The post (currently AND previous to comments being moved here from a different HN thread) links to the official _2024_ (not 2025) statement about NVD cutbacks. Here's a 3000 word article with quotes from Linux Foundation and commercial vendors, around the same time, https://news.ycombinator.com/item?id=43700884
RVuRnvbM2e 4 hours ago [-]
NVD != CVE
transpute 4 hours ago [-]
NIST owns the budget for both NVD and CVE, contracting MITRE to operate the CVE program.
NIST budget was cut 12% in FY 2024 (Oct 2023 - Sep 2024).
Why do you post this on a comment that is neither of those things then?
jl6 30 minutes ago [-]
It’s a reckless move to cut funding so abruptly, but taking a step back from the short-term chaos, it probably is an anomaly that this was government funded. All of private tech relies on it, and private tech is big enough to pay for it. I hope that the trillion dollar babies consider this an opportunity to pool together to form a foundation that funds this, and a bunch of other open source projects run by one random person in Nebraska.
kbumsik 2 minutes ago [-]
> it probably is an anomaly that this was government funded
Companies can definitely fund it. But to be fair the gov, including NIST, also relies on CVE.
I'm trying to steelman but I really can't think of a non- nefarious justification for this
rqtwteye 5 hours ago [-]
I think it’s ignorance and arrogance. The US seems to be on a path to lose technological and science leadership. The current leadership doesn’t seem to understand things that aren’t flashy. I wonder when they’ll dial back on food safety. I am sure RFK knows some vitamins that protect against salmonella
johnnyjeans 5 hours ago [-]
important to note: the US's food safety is already really bad. salmonella isn't a thing you have to worry about in first world countries. can't wait to see what plague demon spawns out of a food industry running amok after the FDA gets gutted.
ac29 5 hours ago [-]
> important to note: the US's food safety is already really bad. salmonella isn't a thing you have to worry about in first world countries.
There were 65,000 cases of salmonellosis in the EU in the most recent data I could find (2022). Thats a lower per capita rate than the US, but definitely not zero.
rickard 4 hours ago [-]
I agree that it’s not zero, but according to CDC, the US sees about 1.35 million cases per year in a population of about 346 million, which is about 390 cases per 100,000 people. Your figure for the EU over a population of 447 million in 2022 gives 14.5 cases per 100,000 people, or more than a factor of 26 less.
Being 26 times less worried about something translates, at least for most things, for me, to not being worried about it any more.
buzer 4 hours ago [-]
Salmonella and it causes are very regional in EU. Places like Finland have basically 0 cases of salmonella caused by domestic poultry products per year. If there salmonella is found from any chicken in the flock, the whole flock will be quarantined and generally fully slaughtered (meat & eggs must be pasteurized after the slaughter if they are sold). In 2023 0.1% of the tested flocks had salmonella.
the guy is ultimate small gov.
he wants to rip it out by the roots.
dmix 4 hours ago [-]
I don't think he's considered a small gov conservative. He increased spending last time and has continued so far this term. His tariffs are one of the biggest expansions in gov interference in modern history. They are also attempting to significantly expand executive power beyond even 9/11 terrorism days.
01HNNWZ0MV43FF 4 hours ago [-]
Small enough to fit in a uterus, big enough to kidnap and shoot citizens
karel-3d 9 minutes ago [-]
Reduce spending. Steelmanning (not actually believing this): it probably cost a lot for what is essentially a database, and can be done cheaply by private sector (Google, Microsoft).
WesternWind 5 hours ago [-]
It's incredibly foolish. Whatever the justification is, it doesn't matter as much as the horrible outcome.
This is one of those things the government does for the benefit of the whole.
Cthulhu_ 51 minutes ago [-]
Reduce government spending; since it's not actually a government organization (as far as I can tell, I never looked into it before), other organizations can fund it. How much goes into this organization a year anyway? I'm seeing a Mitre corporation that does lots of other stuff too that has a revenue of 2.2 billion a year.
Multi-trillion-dollar companies benefit from and contribute to this system, surely they can spare 0.01% of their revenue to this bit of critical infrastruture?
bert-ye 20 minutes ago [-]
> surely they can spare 0.01% of their revenue
They would, if we made companies pay their taxes.
Yes, you can also run such a system based on donations. But I personally think that such a system is important enough to be paid for by the government. When you run on donations, there will always be conflicts of interest and the risk of running out of funds.
But yeah, Mitre being a private organization that was paid for by the government was a problem.
Threat intelligence firm Flashpoint noted in March 2024 it was aware of 100,000 vulnerabilities with no CVE number and consequently no inclusion in NVD. More worryingly, it said that 330 of these vulnerabilities (with no CVE number) had been exploited in the wild.. Since the start of 2024 there have been a total of 6,171 total CVE IDs with only 3,625 being enriched by NVD. That leaves a gap of 2,546 (42%!) IDs.
Despite all those private companies and various OSS projects being willing to contribute ideas, infrastructure and code, they have somehow failed to coalesce into a decentralized replacement for NVD, built on CC0 data and OSS tooling.
cma 4 hours ago [-]
I tried to look over the history and I only see a funding increase, CISA cut $3.7 million at the end of 2023 for the next year and in response NIST reallocated extra funding to NVD: $8.5 million in 2024
A funding shortfall and strain isn't a funding cut. And from what I see there was a funding increase.
transpute 4 hours ago [-]
Would appreciate a pointer to the source, thank you.
> According to NIST, while the National Vulnerability Database (NVD) is processing incoming CVEs at the same rate as before the slowdown in spring and early summer 2024, a 32 percent jump in submissions last year means that the backlog continues to grow.
cma 3 hours ago [-]
Can search these for the links
2023
> CISA had previously been supporting the NIST NVD program with approximately $3.7 million per year in interagency funding, which they have discontinued
2024
> While NIST has since reallocated $8.5 million to NVD for fiscal years 2024 and 2025
Assuming that's spread over both years it wasn't as big of an increase as I said, but is still an increase even inflation adjusted.
> 2025 article claims 30% increase in 2024 workload
Underfunding in the face of more workload isn't itself a funding cut.
> While NIST has since reallocated $8.5 million to NVD for fiscal years 2024 and 2025, this funding remains a fraction of the $300 million to $400 million estimated to be needed annually to fully restore capacity, with an additional $120 million to $150 million required to prevent further system “deterioration.”
Did NVD receive 300MM annual funding pre-2024? That would be a 98% funding cut.
formerly_proven 57 minutes ago [-]
300 million would’ve been a quarter of the NIST budget. Doubt.
transpute 36 minutes ago [-]
Yeah, bizarre site.
MITRE CVE/CWE budget is more transparent than NVD since it's a contract, listed on USAspending.gov.
benfortuna 5 hours ago [-]
This neo-liberal approach has no place for soft diplomacy, which is what US hegemoney relies on.
This isn't just a rapid disassembly of economic structures, any trust and goodwill is completely obliterated as well.
tart-lemonade 5 hours ago [-]
For decades, the US could be counted upon to fund things with little immediate benefit but massive long-term positive externalities. I don't think its likely that the republican party will "go back to normal" post-Trump, so we can all kiss the long-term reputation building that American hegemony relied upon goodbye. Short of a great depression-esque political reset, I do not see things changing for the better.
duxup 6 hours ago [-]
The process seems to be to dismantle anything not nailed down in government.
Now if you want that (even just funding) to be a thing ... you have to go through Trump & Co and pay your bribe to get it back up.
alephnerd 5 hours ago [-]
> I really can't think of a non- nefarious justification for this
Tragedy of the commons - NVD and the CVE project havr been backlogged and facing funding issues for a couple years now, and most security vendors are either cagey about providing vulns in a timely manner (as it can reduce their own comparative advantage), or try upsell their own alternative risk prioritization scores.
Every company will gladly use NVD and CVE data, but no one wants to subsidize it and help a competitor, especially in an industry as competitive as cybersecurity.
giraffe_lady 6 hours ago [-]
> I'm trying to steelman
Why? This administration is not acting in good faith, you don't have to act as if they are. People and institutions doing that is part of how we got here in the first place.
King-Aaron 5 hours ago [-]
I still find it wild that so many people are trying to frame these decisions through a political lens. This is the actions of a foreign bad actor dismantling critical institutions from within, not "bad policy".
Surely there's an antibody response.
inejge 3 hours ago [-]
> I still find it wild that so many people are trying to frame these decisions through a political lens.
Why? The decisions are pretty well politically aligned with the ideology which detests the size and scope of the government (realistically, those aspects which the ideologues feel are not in their interest). What is unexpected is the swiftness and the brutality of action, but revolutions tend to be messy, and make no mistake, this is a revolution.
> This is the actions of a foreign bad actor
Now this sounds like a coping strategy: everything is so preposterous it couldn't possibly be homegrown. Foreign influence and underhanded actions are as old as human interactions, but IMO outright plants can't succeed without a massive economic and power asymmetry between the adversaries.
King-Aaron 2 hours ago [-]
lol, coping strategy? I'm not American and have no reason to 'cope' with anything. There is enough evidence to make a strong allegation about Trump being a Russian asset.
The entire world seems to be able to 'cope' with that assessment.
rat87 1 hours ago [-]
They are not. Trump is no libertarian or small government guy. The build the wall guy is the opposite of that. Even with stuff like social security he usually at least rhetorically claimed to be for more benifits (as long as it goes to "real Americans") and he is all for increasing police and military spending. And generally spending more on stuff that gives him money. Plus giant tax increases (tarrifs). He doesn't care much if government is dismembered as long as it owns the libs and gets rid of the public corruption prosecutors/others who might stand up to him
Trump's actions towards Putin are highly irrational. Maybe he's being blackmailed, maybe he's being bought, maybe he just has likes Putins style but there is a reason people suspect him despite it being unlikely in the general case.
jfengel 6 hours ago [-]
Force of habit. We don't have a framework for talking under these circumstances, so we apply our outdated ones.
As you say, that's exactly what got us here. But the alternatives are very unclear, and seem deeply unpleasant.
giraffe_lady 5 hours ago [-]
[flagged]
emmelaich 3 hours ago [-]
It is the belief that it is not in good faith that makes it more important that you try to steelman it.
If the steelmanning fails then you can you can be even more confident that it is in bad faith.
petesergeant 3 hours ago [-]
>> I'm trying to steelman
> Why?
It's a sensible practice and good practice
almostgotcaught 5 hours ago [-]
Imagine being eaten alive by a cackling hyena that ambushed you and all the while being like "hmm what is the appropriate steelman here? why do I deserve this? why is this just?"
In reality this would never happen so all these people playing steelman are just detached/insulated.
ajross 4 hours ago [-]
Probably the thinking goes that someone in the international community will step in. CVE is in practice a global registry for all, thus "Why should the USA Department of Homeland Security pay for all the freeloaders".
Still shortsighted and stupid, but it's plausible this is intended as leverage to get someone else to pony up.
polski-g 5 hours ago [-]
We have a 2tn deficit. If Congress wants to fund this, they need to make it mandatory spending and raise taxes.
viraptor 5 hours ago [-]
That's a good idea to raise during the budget time or with some warning ahead of time. But even discussing the cost of CVE program itself is likely a waste of time and money. When trying to deal with 2tn deficit, looking at things that historically got ~$5M is just a distraction. And the lack of it may cost even more given how many existing agreements/contracts rely on cve to be a thing - maybe just in gov lawyers having to rewrite things.
rgreek42 5 hours ago [-]
Selling bonds is not the same thing as a family budget being in the red. Either you know this and you're making this argument in bad faith, or you don't and, well...
Listen, I hate the debt, but we have an income problem, not a spending problem. The military looks like a waste, but it does more than build bombs i.e research etc.
The issue we have is that republican every chance they get since the 1970s have cut taxes. And then blamed democrats for causing the deficits. We don't need smaller governments. We need a reasonable tax system that taxes people. It can be progressive like it was before we decided rich people just need it easier than poor people.
Yes, I will pay more taxes sign me up, especially if they can finally fix the roads and fund research. The problem is my taxes as a middle-class person go up and rich people get a tax cut. It's stupid. I like water provided by government utilities, I like planes that don't crash into stuff because there are air traffic controllers. These things used to work because we paid for them. When you buy cheap you get cheap.
matteotom 5 hours ago [-]
Yeah republicans claim to want to run the government like a business, but the first thing a business should do when they have a deficit is raise revenue! And especially in the case of the US government, the the only barriers to doing that are self-imposed.
dboreham 5 hours ago [-]
Military also employs a bunch of people who otherwise would be poor. Also provides a gentrification path for a bunch of previously poor people extending throughout their lives.
LPisGood 3 hours ago [-]
Yes, a big part of the size is because the military is a massive and horrendously inefficient jobs, education, housing, and healthcare program.
throitallaway 3 hours ago [-]
Don't forget all the beak-wetting that happens along the way when signing contracts etc. That's where an actual difference could be made.
01HNNWZ0MV43FF 4 hours ago [-]
Republicans control Congress, this is bait
tootie 5 hours ago [-]
This is an absolute pittance compared to the total budget. And considering the current administration wants a $4T tax cut they are not interested in trimming the deficit at all.
throitallaway 4 hours ago [-]
Yep, DOGE is a song and dance distraction. If they were serious about lowering the deficit they wouldn't have laid off ~12K IRS workers (whom show a 7x ROI per head.) They also wouldn't be asking to increase the military budget to $1 trillion per year. Trump has spent 1/3 of his days in office so far golfing; $30 million+ so far paid to Trump properties for the privilege of that. This is the biggest capture in US history and it's all out in the open.
chris_wot 5 hours ago [-]
Dear god, you don't just stop running government completely because you have a deficit.
sneak 7 hours ago [-]
We don’t need to spend tax dollars to increment sequential integers.
The “CVE program” can be done by a volunteer or two in spare time. It’s not some major operation, it’s just a registry of integers that can live on GitHub.
_carbyau_ 5 hours ago [-]
Thanks for volunteering to manage the "300-600 CVEs each month"!
The world needs more volunteers like you.
techky 4 hours ago [-]
Make that 3,000-4,000 on average per month, according to NISTs stats on CVEs for last year. ~40,000 for 2024.
charcircuit 5 hours ago [-]
You manage the system and not the CVEs themselves. The simplist thing would be a list of numbers that correspond to Google docs. The owner of the Google doc can share it with the needed parties and eventually set it as public.
goku12 4 hours ago [-]
You truly believe that the CVE database (and others like CWE) are only about assigning serial numbers to random reports, don't you? I see people underestimating and understanding the work of others in matters like this. Is that a trend now?
worthless-trash 4 hours ago [-]
I saw this same behavior quite a while back. While I'm out of the CVE game these days, it seems that there is a forever rotating new group of people who simply don't and can never see the complexities on the process.
I think it's a testament to the previous stewardship that it appears so simple.
charcircuit 4 hours ago [-]
No I don't believe that, but it might as well operate like that. The extra stuff isn't truly needed and was being outsourced to the companies that own the products since it wasn't providing much value. Take a look at Daniel's blog posts about CVEs for curl for what happens when you let them handle it.
Rebelgecko 6 hours ago [-]
How do you get your volunteers in the first place and manage them so you know it's time to get a new one if the quality of their work is slipping?
viraptor 6 hours ago [-]
Yet so far no volunteer has emerged and people who do run CNA are pretty busy with it.
_zer0 6 hours ago [-]
I think sneak would volunteer to do it since it is pretty simple according to them.
mlinhares 6 hours ago [-]
Any work people don't understand must be easy and replaceable by chatgpt. Just look at how easy people here think farming is.
johnnyjeans 5 hours ago [-]
Grok becoming an artificial nepobaby running the entire CVE program with zero oversight sounds so fucking funny I don't even care, PLEASE god make this real holy shit I can't breathe at the thought
stevekemp 2 hours ago [-]
There were some, short-lived, projects/groups trying to run their own processes. DWF is one that I recall, though it is dead again:
This is like saying the patent system is just an incrementing counter.
sneak 1 hours ago [-]
Have you seen the patents they have been giving out lately?
gabesullice 1 hours ago [-]
As a newly minted cynic, this seems like a cynical play to save someone's budget.
Step 1: Post discreetly to a forum with minimal information and an absurdly short deadline
Step 2: Phone your friend, the former board member, to make your case on LinkedIn
Step 3: Ring up a friendly journalist and give them a tip
Step 4: Reference the insuing chaos as justification for keeping your project funded
Note that the article carefully avoids pinning the blame on DOGE or the Whitehouse while heavily implying it. MITRE is technically a private entity, albeit a non-profit. And the very last paragraph of the article states:
> A CISA spokesperson told CSO, “CISA is the primary sponsor for the Common Vulnerabilities and Exposure (CVE) program… Although CISA’s contract with the MITRE Corporation will lapse after April 16, we are urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely.”
To be clear, the point isn't to say that the CVE program isn't valuable, nor is it to say that it's good for a shenanigan like this to be necessary.
The point is that, unless you're directly involved in this subject (not impacted—involved), it's probably best to maintain a "wait and see" attitude rather than succumb to catastrophizing this news.
girvo 1 hours ago [-]
Have you seen proof that this is what has been happening? Your explanation is much more convoluted than "DHS cut funding, like the administration has said it is going to do".
gabesullice 1 hours ago [-]
These explanations are not mutually exclusive.
karel-3d 6 minutes ago [-]
Phew, no new annoying CVE reports in my Docker images from today
nkassis 5 hours ago [-]
My tinfoil hat says they want to privatize this through one of the administrations friends. A disastrous decision here.
epistasis 4 hours ago [-]
Why would they spend money to replace it? The idea is to weaken and destroy the US and its institutions. Giving Palantir money might mean that security improves, and that goes against their goals. They have already demanded that Russia stop being treated as a cybersecurity threat in other areas of the government, this is a way to ensure that systems are vulnerable to attack.
throitallaway 4 hours ago [-]
Exactly. The Trump admin is well on its way tanking the USD with tariffs and getting every country (including the penguins) mad at us. The rationalization given by the admin for tariffs (trade imbalance) make zero sense, and they haven't offered anything else.
9283409232 5 hours ago [-]
Palantir is about to get a contract.
goku12 4 hours ago [-]
I thought that the point of the CVE database is to improve security, not wreck it?
jacobsenscott 4 hours ago [-]
s/is/was/
aprilthird2021 4 hours ago [-]
Or worse, NSO Group
atomicbeanie 4 hours ago [-]
The white house prefers chaos. This will certainly be a step in that direction.
apexalpha 2 hours ago [-]
Why is this sponsored by such an American gov entity?
I guess it's one of those things you never think about until it goes wrong.
The world would do well to move this kind of stuff out of the US quickly, just like ICANN and stuff.
bytematic 11 hours ago [-]
What are the implications of this? No more centralized store of vulnerability information?
> Hearing a bit more on this. Apparently it's up to the CVE board to decide what to do, but for now no new CVEs will be added after tomorrow. the CVE website will still be up.
Incipient 5 hours ago [-]
Basically when any software/library/whatever has a vulnerability, they have to communicate that out themselves, in some format.
If I'm developing a product built on 20 libraries, it won't just be a matter of scanning CVEs for major vulnerabilities any more, so I'm more likely to miss one.
"always update" doesn't always work, when to manage a product you realistically have to version pin.
worthless-trash 4 hours ago [-]
So, while arguably true, there wont be a single source of truth of new cve's. It doesn't however mean there wont be.
I would imagine the only SANE option would be some kind of git repository where CNA's can collaborate. Probably run some code across to make the website that people can easily access.
It's going to be a mess.
cantrecallmypwd 4 hours ago [-]
They surprise is: they won't. This will weaken the West.
This is dangerously stupid.
delulucrew 1 hours ago [-]
[dead]
joshuanapoli 8 hours ago [-]
Is MITRE's CVE program redundant with NIST's National Vulnerability Database? I'm having a hard time telling how the two are related, or if NVD is simply performing the same service as MITRE.
detaro 8 hours ago [-]
NIST NVE relies on the CVE program. (vulnerabilities get reported, MITRE assigns CVEs and publishes them, NIST then copies that list and adds their own scoring etc to it)
Spooky23 4 hours ago [-]
Once they fire everyone at NIST, they’ll have that in common.
gm3dmo 2 hours ago [-]
Anyone feel confident that the companies who benefit massively from MITRE are even now planning to step in and provide significant funding?
wichitawch 4 hours ago [-]
I'm surprised that it was USA's responsibility to fund this in the first place. Why weren't other countries providing funds?
tdb7893 44 minutes ago [-]
The US has made at least hundreds of billions of dollars from it's tech companies and has had a dominance over global tech for a long time. The tech industry has brought a crazy amount of money and power to the US so it makes sense the US puts extra effort to support it.
The US isn't supporting it out of charity, it's good for US businesses to have someone coordinating this for everyone. Why would we want to rely on other countries to be supporting our tech sector? At least now we are subject to only the capricious whims of our own government, as little comfort as that is right now (if another country was funding it we would be relying on the whims of a foreign government, which isn't ideal when tech is the golden goose of your modern economy).
lars_francke 3 hours ago [-]
The CVE program was started over 25 years ago. It is very reputable (until yesterday) and it was very much in the interest of the US to be seen as the stewards of this.
The funding requirements can't be that high and I'm willing to bet that other countries and entities would have happily stepped up if they had the chance.
Up until recently CVE was very centralized and only in the last few years have there been steps in more decentralization with CNAs taking more responsibility, Red Hat as a CNA of last-resort etc.
So, the cost of doing all of this work has already been shifted partially (!) away from the US but I have not seen any movement towards e.g. moving the program to a foundation which could have been done.
Personally I would conclude that it was the responsibility of the US to pay for this because they wanted to and it was in their best interest to control this program.
flanked-evergl 2 hours ago [-]
They have the chance to step up now. Every Comercial company that is supposedly so reliant on this for their very existence has the opportunity today. They can fund it.
epistasis 2 hours ago [-]
What commercial company is going to "fund" this? It's such a strange idea, disconnected from the real world. You may as well say "companies can start doing road maintenance, as they are so reliant on them for their very existence."
And perhaps if there had been more than a days notice, some consortium could be pulled together, but who's going to pay? Why would private companies do this, how do they profit? CVE program was the roads that everybody could drive on.
The basic lack of understanding of how the world works is killing the US. Why do people think we have such a massive GDP? Where do people think that comes from? We've given control of everything in society over to our dumbest and greediest members that have no clue about how anything works.
flanked-evergl 2 hours ago [-]
Ask the person I was responding to:
> I'm willing to bet that other countries and entities would have happily stepped up if they had the chance.
lars_francke 2 hours ago [-]
I mention this in another comment. The infrastructure for an alternative is already partially in place.
In my opinion it's mostly the industry needing to adapt to a new setup that needs to happen. It was just "easy" to rely on what's already there. A lot of company policies need to be adapted etc.
happosai 2 hours ago [-]
Because USA was a superpower that can afford it easily. Taking the leadership in everything is quite cheap price to pay when the other end of the bargain is everyone else has to follow you.
Now of course USA is ceasing (voluntarily, by stripping down every international soft power effector in government) to be a superpower, to the great glee of dictators all around the world.
The "we can't afford being great" is a direct admission that USA is no longer a superpower. And is not going to become great again, just another nation again (at whims of China).
aabhay 2 hours ago [-]
I’m surprised that the world’s greatest universities are in the United States. Why weren’t other countries providing funds?
toyg 32 minutes ago [-]
Don't worry, that will also end soon. Regimes that require political subservience from universities, like the current US administration, inevitably result in poor research capabilities in the long run.
insane_dreamer 3 hours ago [-]
It's called providing leadership. Worth the money. China will happily fill the void.
defrost 4 hours ago [-]
It's a near certitude that Russia and China each have databases of exploitable software errors and prize zero days.
It was to the advantage of the US and allies to coordinate and lead in tracking and fixing such errors.
Multiple countries, companies, and individuals contributed finding and fixing bugs.
The administrative task of keeping track was one part of a greater picture, a part that came with first to be advised and other perks.
It's not that the US had a responsibility to take on the lead admin task, more that in past times the US saw an advantage to being at the centre of global action.
This is just another part of increasing US isolationism.
wichitawch 3 hours ago [-]
> It was to the advantage of the US and allies to coordinate and lead in tracking and fixing such errors.
From what I understand of the article, none of these allies were funding it.
> Multiple countries, companies, and individuals contributed finding and fixing bugs.
Clearly that itself isn't enough. Someone has to pay for maintaining this service. It appears that no one other than USA spent money in funding it.
epistasis 2 hours ago [-]
Why would other companies pay for it if they had never been asked?
Why would it be shut down without asking for others to fund it, if it's some sort of burden on the US?
Programs like this pay for themselves many times over. There are only two reasons for cutting this: absolute idiocy, or active sabotage of the US.
Don't bother; they're a brand new user trying to cause trouble
epistasis 2 hours ago [-]
In public spaces like this, though on the face of it the argument might appear to be with the toddler, it's also about batting down the idiocy and not letting it swamp out basic common sense and reason.
Bluesky has a different tact that also works: block and hide and don't engage. However in forums like HN, where earnestness and questions are so prevalent, leaving these baiting questions and statements unanswered instead leaves them as bastions of the mind rot. Because these toddler-level arguments are being repeated daily through propaganda channels all over the internet, and if they are never answered, the constant swarm of propaganda takes in even more people.
jl6 1 hours ago [-]
So is this going to instantly break a bunch of tools like Trivy?
rurban 4 hours ago [-]
So who will maintain it then? Either the EU or China I suppose. They can easily fund it.
Maybe the Dutch should go ahead.
lars_francke 3 hours ago [-]
ENISA in Europe has the mandate of building a EU vulnerability database for the NIS 2 directive anyway and it's coming soon...
So, parts of this are already in place and I assume this will be a big boost towards a new vulnerability ecosystem.
yawnxyz 5 hours ago [-]
I guess their new business model is to sell zero days to the highest bidder
alephnerd 5 hours ago [-]
The private sector zero day market collapsed last year with Zerodium - corporate bug bounties, nation states in-housing offensive security operations, and the democratization of knowhow destroyed the Zero Day market.
wengo314 51 minutes ago [-]
vibe coding could not have come at a worse moment.
cbondurant 3 hours ago [-]
Am I missing something or was this literally announced with less than 24 hours of warning that one of the critical components to the cyber security landscape was disappearing.
What the fuck are you supposed to do about this. This is something that should have had multiple MONTHS of warning in order to allow those who depend on the CVE infrastructure to plan what to do next with their security posture.
mrtesthah 2 hours ago [-]
Consider this part of the attack on the American infrastructure, economy, and society. Attacks do not abide by laws, official procedures, or come with warnings.
arghandugh 4 hours ago [-]
This industry relentlessly lionized Trump and Musk, elevating them to positions of power and handing them the power to destroy at will.
This is your moment! Enjoy it!
Gigachad 3 hours ago [-]
It’s astounding that the users here watched all the horrendous things going on and ignored them. But now the CVE numbers are gone it’s shocking and too far.
throitallaway 3 hours ago [-]
Come again? This is Hacker News, a heavily moderated forum with a narrow focus. We don't discuss Israel or El Salvador here (unless it's tech related.)
gortok 1 hours ago [-]
I would hope the folks that frequent HN would not be so insular as to only read what happens on HN and not read any other news source.
If you’ve somehow missed Trump’s systematic dismantling of academic freedom or his disappearing of folks he doesn’t like, then we have a far bigger problem than the limits of what is discussed on HN.
flanked-evergl 2 hours ago [-]
Please, this place has permeated with Trump rage since before he took office. The only way you could think he was ignored is to not have read any comments.
mmooss 4 hours ago [-]
> In a stunning development
Who is still stunned by these things? They want you to be stunned; they want you to tell everyone else that you're stunned to spread feelings of terror and powerlessness. If you actually are stunned, you are stunningly ignorant. If you are not and still saying it, perhaps to emphasize your unhappiness, you are a 'useful idiot'. Either way, if you are saying it, you are a useful idiot.
You should have known decades ago: The GOP impeached a President for lying about sex; they fabricated intelligence to invade another country (killing thousands of Americans and 100,000+ Iraqis) - and that was all before 2004. They've voted almost unanimously, multiple times, to bankrupt the country (by refusing to authorize debt for existing obligations). Nobody (i.e., the Dems failed to) stopped them or made them pay a price, so why wouldn't they keep doing those things. (Edit: And if you object because the analysis criticizes one side and therefore you reject it as partisan, that's a big part of the reason nothing was done.)
This time they published Project 2025, telling you what they were going to do.
mcintyre1994 2 hours ago [-]
Project 2025 literally calls for dismantling the DHS. Seems pretty unsurprising that the CVE database wouldn’t be in the list of things they’d care to maintain in that process.
basemi 37 minutes ago [-]
For now, historical CVE records will be available at GitHub:
There are quite a few threads on hackernews that were cautiously optimistic about doge with, frankly, pretty naive libertarian takes about how the government works.
The government is not particular (in the sense of particularism) and cannot be easily tuned to fix particular problems; rather, its best solutions come through institutional procedure and design, such as the tension between the FAA and the NTSB that, at a first glance, would seem like obviously needless duplication and waste.
It is a broad, blunt, wasteful instrument to solve broad, blunt problems in a way that may not be the best but that work far, far better than alternatives that have been tried.
That the effort to treat government like a personal budget has ended up destroying important things is a sad inevitability of such efforts. I hope it goes remembered.
bslanej 21 minutes ago [-]
Just seeing HN mad like this makes things like these so much worth it.
rcarmo 43 minutes ago [-]
Now would be a great time for a major tech company to support them (or, even better, a consortium).
nodesocket 2 hours ago [-]
I’m betting CVE will get sponsored by a security company or Cloudflare.
I'm not sure, but the current article looks to have somewhat more information in it, so I've merged that thread hither instead.
nelox 3 hours ago [-]
Just what is needed with an adversary during and asymmetrical trade war.
outside1234 5 hours ago [-]
These four years are going to be the death of all of us.
Latty 1 hours ago [-]
I find it a little incredible people are still talking about "four years".
They tried to reject the election result and do a coup, and were rewarded for it by getting back into power. They are refusing to follow the law or the courts. They are sending people to gulags in foreign countries. All the checks and balances were destroyed last time. The party has been stripped of anyone who would fight the admin or reject this illegality. They have set up a power grab over elections.
There will not be free and fair elections in four years unless they are simply too incompetent to rig it, the rubicon was crossed long ago. Without mass protest that makes it impossible for them to hold power, American democracy is dead.
They have tried to do it, they say they want to do it, they have the ability to do it, they are actively doing it, and no one is stopping them. How are people still acting like in four years they are going to neatly hand over power to be prosecuted for their crimes?
SpicyLemonZest 36 minutes ago [-]
Organizing mass protests isn't something you do instead of organizing electoral opposition. Even in countries that haven't had fair elections for a while, people generally still organize opposition and talk about how they're going to vote. The best way to ensure your opponents retain power is to go around telling people it's too late and they've already won.
cantrecallmypwd 4 hours ago [-]
War with China and doing enough reprehensible acts to stoke protests to declare martial law to stay in power indefinitely.
throitallaway 4 hours ago [-]
I feel like we're only a few weeks away from someone "home grown" experiencing an "administrative error." The slide into madness continues.
gryfft 3 hours ago [-]
More like only a few days away, honestly.
wiseowise 2 hours ago [-]
Wait until they start a war against Albania.
throwaway984393 4 hours ago [-]
[dead]
insane_dreamer 3 hours ago [-]
CVE was anti-American woke.
No, more seriously, just like with shutting down NOAA services, it seems the goal is to:
1. cut services (we saved taxpayer money!!)
2. at some point later: oh, we actually need those services
3. pay <insert your favorite vendor here, preferably one connected to Musk> to provide the service (see! we don't need to pay gov employees!!) (fine print: the vendor costs 2-3x the original cost). But by then no one is looking at the spending numbers anymore.
Slick moves.
SirHumphrey 2 hours ago [-]
And here lies the problem. Even from a libertarian perspective DOGE is counterproductive because maintaining a system is much more cost effective than starting it anew.
Especially when you cut something recklessly, figure out in month that you need back that capability right now and have very little leverage to negotiate with private providers.
When you look at the last cutting effort in the Clinton administration the difference in jarring.
Combine that with the fact that with a few exceptions DOGE has been cutting the most cost effective programs (i can’t think of a better bang for buck science program than NOAA) it’s saved very little vs the amount of pain it has caused.
darkwater 57 minutes ago [-]
Heeeeey but he runs Tesla like this and it's an hyper-valued company!!!1! He cannot be wrong, he is a genius!!
xyst 4 hours ago [-]
Some companies are already clueless when it comes to CVE management. Probably won’t see the effects immediately but give it a few more years for new generation of vulns to be created/found and we will be back to early 2000s level security.
Open season on American corporations for domestic and foreign hackers.
If program isn’t brought back then CVE database likely to be fragmented amongst the “private” CVE databases.
Sec Corp A has 700 well documented CVEs but Sec Corp B has 702 CVEs in their database since NIST funding pulled. What do corps do? Maybe some of them with massive budgets setup contracts with both to get “full spectrum coverage”. Maybe other non-technical companies that think of IT as strictly a cost will go with the cheapest or forego it all together.
Who knows maybe we get ~~~free labor~~~ open source community to pick up the slack?
This country with the orange man administration is quickly going to shit. Not in a “I dislike {opposing party} way” either. In a “I dislike authoritarian regimes” way.
9283409232 6 hours ago [-]
Reminds me of Trump's first term where he said if we stopped testing for Covid, we'd stop catching new cases and case numbers would go down. If you stop testing for vulnerabilities then vulnerabilities go down. Easy stuff.
goku12 4 hours ago [-]
That's exactly what they're saying about the HHS cuts and the measles outbreak.
flanked-evergl 2 hours ago [-]
What I don't get is why people make things up and then get angry at the thing they made up. Is there not enough real things to be angry at?
dboreham 5 hours ago [-]
So easy having the brain of a toddler.
bathtub365 5 hours ago [-]
Now the NSA can hoard more 0days and the general public suffers. Win win for this administration
goku12 4 hours ago [-]
It's more likely to boost the zero day black market. I don't know if I want to attribute this to idiocy (indiscriminate cost cutting), greed (contracts for their crony pals) or malice (hoarding and trading 0 days).
gryfft 3 hours ago [-]
¿Por qué no los tres?
markhahn 5 hours ago [-]
Trump stupidity hurts the country and world.
But maybe this is an opportunity to do CVE better.
cantrecallmypwd 4 hours ago [-]
> But maybe this is an opportunity to do CVE better.
Okay, how? This sounds like looking for lemonade in a genocide.
mjevans 5 hours ago [-]
Mr. President, Do you want China to get the reports instead, or do you want the NSA to have a lead time where the vuln's are useful tools?
mjevans 3 hours ago [-]
It seems phrasing it in the form of a joke was too much.
I was trying to convey (with levity/humor) WHY it should continue to be funded as well as the argument that should be made to the one currently in control of the spineless US Congress.
Yes, fixing the vulnerabilities is important. However what the government probably does gain from it is an inside advantage in the lead time for vulnerabilities to protect against, as well as to exploit on adversaries.
hsbauauvhabzb 5 hours ago [-]
If you /s/China/Russia/, when asking Trump, it’s no longer a rhetorical question.
delusional 3 hours ago [-]
Meh. It's not like I was going to ask the facist autocracy about my software vulnerabilities.
nurettin 4 hours ago [-]
Conservatives who depend on regular CVE updates for the security and livelihood of their company: don't do that!
DOGE: haha liberal tears
doodlecricket 34 minutes ago [-]
[dead]
curtisszmania 5 hours ago [-]
[dead]
wnevets 4 hours ago [-]
[flagged]
delfinom 5 hours ago [-]
[flagged]
thepaulmcbride 5 hours ago [-]
[flagged]
Galanwe 4 hours ago [-]
[flagged]
yieldcrv 4 hours ago [-]
if only there were 188 other countries and an entire private sector in each one that could fund this thing they are also affected by
porridgeraisin 2 hours ago [-]
Good. CVEs were the poster boy of goodharts law for the longest time. Most security vulnerabilities behind CVEs are utterly meaningless.
the_doctah 4 hours ago [-]
Why is the government responsible for CVEs again?
throitallaway 4 hours ago [-]
Every now and then the government decides to fund things. Public schools, roads, police, firemen, GPS, NOAA, cybersecurity, government cheese, etc.
sschueller 1 hours ago [-]
"the government" aka "We the people". It is in all our interest. This is like asking why the government is responsible for roads.
dingaling 57 minutes ago [-]
> This is like asking why the government is responsible for roads.
Thought experiment:
If roads were built by private companies, could a Government justify the expense maintaining a database of all the potholes?
Xelynega 2 minutes ago [-]
Yes, as it would be a public good to everyone to be able to know where the potholes(that aren't profitable to fix for these private companies apparently) are so they can avoid them.
They might take a step back and realize that it would be more cost-effective to just own the roads, in which case your thought experiment ends where we are, because where we are was a place reasoned to(to an extent).
skirge 47 minutes ago [-]
only one country pays but all benefit from it. It should be funded by all who benefit like UN.
Ferret7446 4 hours ago [-]
I don't see why this should be publicly funded, so I don't really see an issue with this. The industry benefits from having a CVE database, so the industry should fund it.
klysm 4 hours ago [-]
There are going to be all kinds of messed up incentives if this is funded from industry.
throitallaway 4 hours ago [-]
True, although Google's Project Zero seems to be run pretty well.
worthless-trash 2 hours ago [-]
Different goals, not cve related.
Ferret7446 2 hours ago [-]
Like what?
kristjansson 4 hours ago [-]
Because secure systems benefit the public generally, not just the corporations that make a profit operating those systems.
maronato 4 hours ago [-]
The industry won’t want to fund it. It’ll want to profit from it.
guhidalg 4 hours ago [-]
No, "the industry" is all of us alive in the 21st century who depend on software to make material decisions and to be resilient to attacks and tampering. We were all funding it, and now surely we will see some big tech company now assume responsibility from the federal government (please god don't let it be Oracle...)
skirge 48 minutes ago [-]
so "all" should pay, not only US taxpayers.
insane_dreamer 3 hours ago [-]
So you trust industry now?
Rendered at 08:00:30 GMT+0000 (Coordinated Universal Time) with Vercel.
Currently hosting costs are unclear, but it should be doable if we offer API access for like 5 bucks / month for private and 100 / month for corporate or similar.
Already did a backup of the NVD in the last couple hours, currently backing up the security trackers and OVAL feeds.
Gonna need some sleep now, it's morning again.
My project criteria:
- hosting within the EU
- must have a copyleft license (AGPL)
- must have open source backend and frontend
- dataset size is around 90-148 GB (compressed vs uncompressed)
- ideally an e.V. for managing funds and costs, so it can survive me
- already built my vulnerability scraper in Go, would contribute it under AGPL
- already built all schema parsers, would contribute them also under AGPL
- backend and frontend needs to be built
- would make it prerendered, so that cves can be static HTML files that can be hosted on a CDN
- needs submission/PoC/advisory web forms and database/workflow for it
- data is accumulated into a JSON format (sources are mixed non standard formats for each security tracker. Enterprise distros use odata or oval for the most parts)
If you are interested, write me on linkedin.com/in/cookiengineer or here.
Off topic: your username is very appropriate given the situation.
Indeed. Just as Germany knew their economy is vulnerable to Russian gas and did nothing about it, even after the 2014 invasion of Crimea.
I never EVER, saw politicians act proactively for the good of the nation or the people, all they do is act reactively after the shit hits the fan to control public opinion, help their monopoly friends in the private sector and make sure they get re-elected, that's it.
Once you realize our rulers aren't competent at their jobs or acting in our best interest it all makes sense. They're in it for the grift.
I cannot believe I am typing that second sentence, but here we are.
According to which rule would "owning by the EU" result in an option to immigrate? Immigration is handled on a per country basis. I don't see how the EU provide such an option.
The EU has agreed upon programs in order to bring in, through an immigration policy, high skilled persons from non-member states. More importantly, working within the member nations, as to which member nation would want MITRE to be located within their borders, is not something that is a hard sell given that it has economic advantages for whichever state(s) onboard MITRE.
>The POTUS transferred our cyber defenses to the EU
Ouch
There’s nothing wrong with normal GPL.
You can stay out of politics, but politics will always come and find you.
But I would not consider it a political statement to adopt this policy.
People who say "I'm not political" are deflecting to avoid conflict
That's what makes working democracies successful. But it seems that it also makes democracies vulnerable because people don't realize they have these benefits because they live in a working democracy. They start to think these benefits have nothing to do with politics and are just the way things are, like the laws of nature.
A great truth. Even isolating yourself from society like a hermit is still a political decision: you are rejecting society as it is, and prefer to live in your own solo society. That's politics.
Appealing to "well everything is connected" I'm not sure is useful. It's interesting from a semantics perspective the first few times you come across it maybe, then swaps around into being plain frustrating, then lands on just missing the point.
Finally, I think people who want to stay out of said party political meta I think are doing a pretty big favor to their mental health, and I really can't fault them one bit for it. No coincidence either.
Disaffection lends itself easily to creating a Russia-style society. This all feels pretty Dugin-esque, and his proposition (return to values, reject interest/hope in politics because it is always flawed anyway, bind together under the state) fits perfectly, and is finding prominence at the perfect time.
Not 100% sure what I wanted to say, maybe that said politics (and the political as a whole) wouldn't have invaded almost our entire lives without the help of technology.
People are not dumb. They know that politics is everywhere but they want to live and love and talk about things that are interesting.
No, it's just recognising that it is silly to talk about politics, as certain views are just downvoted.
Seemingly MITRE hasn't been advised yet whether the option to extend the contract from 2025-04-16 to 2026-04-16 will be executed. And there doesn't appear to be any other publicly listed approach to market for a replacement contract.
[1] https://www.fpds.gov/ezsearch/jsp/viewLinkController.jsp?age...
I wonder what level of compartmentalisation inside DHS means they didn't see this as having sufficient downsides?
I ask this, because I don't think anyone in the subject matter specialist space would have made a strong case "kill it, we don't need this" and I am sure if asked would have made a strong case "CRISSAKE WE NEED THIS DONT TOUCH IT" -But I could believe senior finance would do their own research (tm) and mis-understand what they saw in how other people work with CVE, and who funds it.
This was not a carefully-weighed decision based on a cost-benefit analysis. This was a political order, consistent with the administration's policy of "cut everything, recklessly, indiscriminately."
Mostly discriminately, tbh.
If I'm giving them the benefit of the doubt (which I hate), it's a shotgun approach; cut things relentlessly and see what falls apart. Chaos engineering applied to a country and / or the world.
https://en.m.wikipedia.org/wiki/Wunderkind_(disambiguation)
“Wunderkind” mispronounced as “Wonder Kid” is a running joke in that show.
https://www.reddit.com/r/TedLasso/comments/132rw9v/what_the_...
Other example includes: Endgegner (final boss) or Endlösung (final solution)
I would suggest to avoid such terms.
I did not know about this, thanks for die Vorwarnung. In context, I'd assume "ultimate enemy" (Gegner=opponent) as "final boss" sounds videogame.
https://www.openculture.com/2016/12/when-ayn-rand-collected-...
One of her wonderful worldviews was to rejects altruism as a moral imperative, arguing that individuals should live for their own rational self-interest. Social security, based on the idea of supporting others, contradicts this principle.
Which means anyone whose wisdom matches their self-interest is going to understand that different things have very different efficiencies at different scales.
And some things happen to be dramatically more efficient/person and more effective, the larger the scale they can be coordinated at.
This exactly. All of these people who profess to believe in objectivism could easily move to a failed state and do anything they want to with zero government intervention. But they don't do that. They want all of the benefits of a working government with none of the things required to actually create a working government.
[0] https://www.404media.co/anyone-can-push-updates-to-the-doge-...
[1] https://www.npr.org/2025/04/15/nx-s1-5355895/doge-musk-nlrb-...
[2] https://www.bloomberg.com/news/articles/2025-03-14/doge-staf...
The DOGE crew are incompetent. Witness their firing of all the people who look after the nuclear stockpile and Ebola research.
Unfortunately “capitalism” has two quite different meanings. Which are rarely clarified in use.
Capitalism with a big C, a too common overarching ideology, gets bent to mean whatever the greedy, unethical and rich want it to mean so they can get more money.
But small c capitalism, evolving from both practical and ethical foundations, is a system so useful it has multiplied the benefits of civilization. But it is just one such system.
It can’t do everything, it needs other independent systems (justice, dispute resolution, rules of clarity, risk & trust limiting systems, for starters) to work, and extending it to places it doesn’t work causes great harm.
(Like when perversely applied to those enabling systems, in big C form, as is happening now.)
Indeed.
Most of vulns will go unaddressed because company like palantir will most likely want only really good vulns like 0-click RCE.
When the citizens realise this, the structures to clamp down any revolution will be in place.
"We are paying MITRE how much? Bigballs and co will write a better ststem in 1 week and have it integrated with xAI. How hard could it be? Send out a first draft of an xAI contract to our DHS contact"
Anything that weakens the US or puts our cybersecurity in a place that Russia can exfiltrate data will happen. This is not about the US needing anything and it's silly to think otherwise. See also the NLRB whistleblower and the security backdoors that DOGE demanded to allow data exfiltration and the subsequent death threats to the whistle blower.
You mindset is behind the times and needs to adjust to a, frankly, insane current reality.
Your comment embraces and spreads the powerlessness they want you to feel and spread.
Of course you can stop them - like any other negotiation in life, especially non-friendly ones, you need to make it in Trump's interest either by carrot or stick. Trump has interests; identify them and identify your power in those regards ('power and interest' is the term), and use it.
Also, stop helping them make DOGE the scapegoat. It's Trump.
What leverage do you have for the DOGE boys? What power? Resigning? Because on the Defense side of the government the best leverage that some teams have found is mass resignation, meaning that nothing happens.
There is no negotiating with bullies, it merely breeds more concessions.
DOGE follows Trump's direction and acts on his behalf, as you must know. They make a big deal out of DOGE so Trump's name is less attached to these actions. Then they can take much of the blame with them when they go away, with Trump and the GOP blaming them for 'excesses'.
> Trump is not going to negotiate anything here, that's ridiculous.
> What leverage do you have for the DOGE boys?
You don't understand how negotiations work. Everyone has interests, strengths and weaknesses, and power. You need to make it in Trump's interest to keep the CVE program.
Everyone saying they are helpless, and that anything else is ridiculous, are panicking. Very unfortunately - dangerously - many people legitimize the panic. It's so normalized that it's "ridiculous" not to panic.
Every day you continue this behavior, you fall further and further behind and lead others in that direction. Will you wake up in time?
The amount of disrespect you have shown for someone that is just telling you 99% of federal workers have absolutely no leverage says a lot.
This guy is ~80 years old and bragged about "person, woman, man, camera, TV." He recently got into a Tesler and exclaimed "everything's computer!" Have you seen the way his aids explain executive orders to him (like a child) before he signs them?
He doesn't have the foggiest notion of comprehension of what the CVE program is, or how it would benefit him. Unless you're greasing his wheels, it's not going to happen.
one it costs the us and is needed by everyone, so he thinks but paying it someone will pick it up and then the us will be the free loader.
second, he understands that helps he and his pals wash dirty money.
Do you mean things like handsfull of like-minded countries selling t-bonds? No one in the R party has any leverage, and it's not clear that even a few US billionaires could exert any influence.
Do you really think Trump has ever heard of "CVE" or could comprehend them?
I'm going to be to the point here, if you guys over there don't start to heavily push and organise, and I said it already, you're one Reichstag fire away from something very bad, and from my point of view, there is probably one kristallnacht pending in the mix.
This is not a hyperbole and if someone wonders why this has relevance to the discussions, in this case most of the people around here are blue team, and it does feel like the red team has already taken anything that wasn't attached and now taking the time to take what's bolted on...
I guess the silver lining of all this, is in their hubris, they forgot the bread and games motto, so they're might still be a chance to turn things around somewhat... But the window is closing at an impressive speed.
The rest of the world is mostly against Trump.
There is no rhyme or reason to what gets cut, other than someone under pressure to hit KPIs (dollars cut) was desperately searching for things that looked easy to cancel.
This is happening everywhere the federal government touches. Most people aren't aware of it until they come around and pull the rug on something that intersects with your own life.
Even my die-hard Republican distant relatives are suddenly shocked because programs they benefited from are being cut. They thought they voted for something different.
Like what exactly? I mean the guy ran on cutting the budget by 2 trillion. In his last term he gave tax breaks yo the rich. Where did they think the cuts were coming from?
He ran very hard on raising tarrifs. Which demonstrably raise prices (thats literally their goal.) But now people claim "I didn't vote for this."
In truth they voted for him because he was the Republican on offer and they're die-hard Republican. The Republican party has made no secret of its agenda for decades.
I get it, people are good at cognitive dissonance. But this is the place for blunt truth. They voted for this. I'm not letting Republicans got off the hook here. They voted for this.
Just like to my Republican friends who are upset that CVE is cut. You voted for this. The general public benefit from CVE even though they dont know it exists. Just like you benefitted from dozens of other programs you didn't know existed, but have also been cut.
That's the problem with cuts. They ultimately end up hurting everyone.
Now clearly there's some fat that could be trimmed. Companies do it all the time. Done well its good. Swinging a hatchet in a crowded elevator does not seem like "Done well".
When someone hands you a pencil, you don't wonder what variety of tree the wood came from, or what paint chemistry was used for the coating. It's a pencil. You might have broad opinions on whether the one in your hand is comfortable to use, and sharp - but you leave the details to the pencil makers.
About 70% of the population engage with politics the same way: Leave the details to the people who do this stuff for a living.
Do they expect to be disappointed? Sure, but everyone who engages with politics expects to be disappointed.
This is actually simply not true. The Republican party before the Tea Party looked nothing at all like this. Trump won the presidency last year riding a wave of distinctly not-your-typical-Republican lower class voters. As he rose the old guard Republican establishment formed the anti-Trump wing of the party until they were forced out one by one.
To put some numbers to this: Bush won the upper income brackets by 5+ points in 2000, with a lead that widened as you went up the income ladder. Trump lost the equivalent brackets in 2024 by 5+ points, a 10 point swing away from what Bush won them by. The lower brackets are even more stark, with a whopping 18-point swing towards Trump in the $30k-$50k bracket (inflation adjusted to $15k-$30k).
These numbers show that Trump is not a Republican in the George W Bush sense and he's certainly not a Republican in the Ronald Reagan sense. He's a populist and won on a populist agenda by putting together a coalition of rabid social conservatives (who probably really did go Bush in 2000) and poor people (who largely did not).
They voted for the leopards to eat other people’s faces, not their’s.
> The NSC [National Security Council] staff will need to consolidate the functions of both the NSC and the Homeland Security Council (HSC), incorporate the recently established Office of the National Cyber Director, and evaluate the required regional and functional directorates.
> Given the aforementioned prerequisites, the NSC should be properly resourced with sufficient policy professionals, and the NSA should prioritize staffing the vast majority of NSC directorates with aligned political appointees and trusted career officials. - Project 2025, pg 52.
> ... History shows that an unsupervised NSC staff can stray from its statutory role and adversely affect a President and his policies. Moreover, while the NSC should be fully incorporated into the White House, it should also be allowed to do its job without the impediment of dually hatted staff that report to other offices. - Project 2025, pg 53.
The goal is to build up a political organisation to use as a weapon, and to scrap the rest - as a legal excuse to say that the political appointments will be necessary.
[0] https://www.project2025.observer/
Out of curiosity, which programs? And is this enough to change their opinion about Trump, or do they still think it'll be worth it?
You make it sound like poor DOGE employees are being forced to do this on this kind of schedule, which definitely isn't the impression I got. They're all a bunch of incompetent overconfident weirdos who think they know better and what to do. Is there any pressure to do anything quickly?
And the US federal budget is quite easy to trim. E.g. remove an aircraft carrier from the planned construction pipeline and you've saved $15 billion with no actual ramifications.
This isn't speculation or hyperbole, it's specifically laid out in their published plans: By hobbling or outright eliminating federal agencies responsible for executing the laws passed by Congress, the administration can circumvent the democratic process and impose their extreme vision of limited government on the country, regardless of popular support.
The U.S. system of government relies on established norms as much as it does law. Conservatives realized that they can ignore precedent with impunity if they had an executive willing to do so. They then spelled out exactly how, and are now enacting that plan.
Then SCOTUS's decisions last summer turbo boosted their agenda. The ruling that only Congress can hold the President legally accountable essentially means executive power is unchecked if the legislature is unwilling or unable to Impeach and convict. The President can now confidently ignore the law and judicial orders with a veneer of legality. And this is what he's doing.
(The fact that all this just so happens to benefit Russia after their decade long campaign to destabilize their opponents in the West is a topic for speculation.)
DOGE is about permanently altering how our country works modeled on the right wing worldview, plain and simple. Since that's their overall goal, they're not concerned where they swing the wrecking ball - it's all going to get destroyed eventually.
> Even my die-hard Republican distant relatives are suddenly shocked because programs they benefited from are being cut. They thought they voted for something different.
They voted for others to be hurt and to lose benefits, not their “in group.” Surprise surprise, they are considered the waste by those they voted for.
Trump in Nevada: 'I Love the Poorly Educated' https://www.youtube.com/watch?v=Vpdt7omPoa0
Take DOGE cutting funding to the Mitr Gender Conversion Clinic in Hyderabad, India as an example. The haven't taken control of the clinic, they're not telling them what to do or not to do, they're simply not funding it anymore. If the clinic closes it's because nobody except the previous administration wanted it. There is no reason we should be forcing gender change clinics on people in India; if they want to support it, they should purchase the service themselves.
DOGE has been about fighting corruption and reducing wasteful spending, and that's what America voted for. "Taking control" would be using government funding to support pro-abortion political groups, undoing this control would be fighting corruption.
It absolutely staggers me that anyone can still say this with a straight face. I will ask this, though: as part of the DOGE fight against corruption and wasteful spending how many of Elon Musk's government contracts and subsidies have been cut?
The Moving Goal Posts in Musk’s DOGE Cuts: Why Elon Musk and his team have struggled to make the spending cuts they promised - https://www.nytimes.com/2025/04/14/us/politics/elon-musk-dog... | https://archive.today/GPDNY - April 14th, 2025
Elon Musk dramatically lowers his DOGE spending cut targets (again) - https://www.msnbc.com/rachel-maddow-show/maddowblog/elon-mus... - April 11th, 2025
See How Government Spending Is Up Even as Musk Touts Savings: Musk team’s $150 billion in savings barely dents $6.8 trillion in spending largely on autopilot, WSJ analysis finds - https://www.wsj.com/politics/policy/trump-doge-government-sp... | https://archive.today/DGGhX - April 11th, 2025
"A system’s function or purpose is not necessarily spoken, written, or expressed explicitly, except through the operation of the system. The best way to deduce the system’s purpose is to watch for a while to see how the system behaves. Purposes are deduced from behavior, not from rhetoric or stated goals.” —- Donella Meadows
1. Politically-motivated "purge the weak" Nazi stuff - Cutting Medicare, cutting Medicaid, cutting Social Security, cutting education, cutting anything that benefits people who are old, poor, queer, female, etc.
2. Privatization - NWS and NOAA are wonderful public services, and they'd rather profit from the data they produce. This is why taxes in the US are such a bitch to file, tax companies oppose any policy change that would make the paperwork easier for filers.
3. They might actually be Russian assets. Tearing down institutions that took generations to build makes space in the world for Russia to exert more influence. You can tell this is working because Europe is now wanting to re-arm.
It makes me sad. If I had a billion dollars I would still want to live in a better country. These guys only want a better world for themselves, and making everyone else into a permanent servant underclass only plays into that.
All of this is criminal behavior on the the current regime.
it might also be deliberate: that they actually don't think the government should be involved in this sort of thing. after all, someone could be making a profit on this, and that seems to be their highest value. if gov is involved, that makes it a communal effort, and you know what else starts with "commun-"?
yes, those reasons are stupid and ignorant AND intentional.
but is there any evidence against that interpretation?
Yes, there are apparently various ways of profiting from vulnerabilities. The interesting question would be whether any of the regime insiders have a way to profit.
For instance, most people find healthcare middlemen (pharmacy benefit managers, etc) to be grotesque parasites. But to a laissez-faire fundamentalist, they're smart for finding a way to liberate some profit, even laudable.
(Leaving aside that there's plenty of evidence of malice here.)
But, having known about it for a dozen years now, I also find it inadequate alone as a razor without the following caveats/corollaries:
Hubbard's corollary to Hanlon's Razor: "Never attribute to malice or stupidity that which can be explained by moderately rational individuals following incentives in a complex system". ( https://en.m.wikipedia.org/wiki/Hanlon's_razor#Exceptions )
Or (HN) Nerdponx's punchier simplification: "When money is at stake, never attribute to incompetence what could be attributed to greed." ( https://news.ycombinator.com/item?id=41066724 )
A large amount of things related to Trump fall into that category, and it's important to recognize when you need to instead treat it as a superposition: It is both malice and incompetence, unless the perpetrators decide to plead just one or the other.
That's why the current approach seems to be to axe everything, listen to how much screaming there is, then reinstate only the projects where the screaming is really loud.
This sucks, plain and simple.
A lot of people seemed to have had this theory, despite all the evidence to the contrary.
Hopefully these 4 years energize people to vote. I know protesting and direct action and so on are also important, but the gradient is not negative for voting for every office you can vote for in every election.
For example, a lot of people have forgotten, but the phrase "fake news" originally came about in the wake of the 2016 election about all the (actually false) misinformation that was spread on social media in the run up to the election. Trump adeptly then co-opted the term, so any news he didn't like he could just call it "fake news", and who was to say any news he called fake was any less fake than what people were calling fake before?
My guess is the 2028 elections will be marked by fraud, and then when people protest or object, Trump and the Republicans will just say "Hey, you called all those Jan 6 protesters traitors and said the election was secure, how is now any different? Now you're all the traitors."
The only belief that gives me hope these days is "History will judge the complicit."
You are assuming there will be next elections that are free, fair, and matter.
Trump says a lot of things that ultimately doesn't matter, but he has also said, and is the type of brute to believe it, that he intends to stay in power. He and his cronies have successfully dismantled the checks and balances that should have prevented him from doing they, legally. IMO the only way he leaves the White House without stirring trouble is in a casket.
The chasm between what Trump says (and what the propaganda says about him) and what he actually does is astounding. Most of his fans are completely uninformed of what he says and does. We've never had a president (and cabinet) with more conflicts of interest. He's been a pioneer at abusing power; tariffs on Canada because of a fentanyl crisis... give me a break!
Trump is a literal billionaire. How is him telling the sons of people who used to do manufacturing that they're okay any better than a Harvard educated lawyer saying he feels for them (Trump and Vance are both Ivy League educated, btw)?
I also want Americans to have a better life. I also think we spend way too much elsewhere instead of at home. A lot of Democrats think that and drive policies for that. Trump may care about that too, but you can't vote for who makes you feel good. You have to learn how to vote for who will actually improve your life. We are the rulers of America, we have to understand our economy, our government, etc. No one is going to do it for us. I'd much rather vote for someone who talks down to me and will deliver stability than a guy who hypes me up and tanks the economy
Yeah, apparently they want some billionaire who doesn't pay his taxes, who was given millions by his daddy, and who famously stiffed small business contractors at his buildings, to say he feels their pain.
That said, I actually upvoted your comment because right now it's heavily downvoted but I actually think there is an important point behind your comment. It may feel insane to me, but Trump is so beloved by his base because he was the first one to really acknowledge their anger and give it validity. "Make America Great Again" is a slogan that works because a lot of people have seen their financial and social position deteriorate over the past 30-40 years and they want to go back and they want someone to blame (even if going back is impossible and they're blaming the wrong people). Trump understood this, the Democrats didn't, or worse, branded anyone who harbored some of this anger as a bigot. This is basically how all fascist leaders come to power - the parallels with Mussolini are uncanny, right down to having a minor body part shot off in an assassination attempt.
Relevant recent example to me: a lot of folks can't understand the hypocrisy about bitching about inflation under Biden, but then saying "we'll hunker down" in response to the expected inflation from tariffs. The difference is the Trump base believes he is taking them "back to the promised land", and for better or worse Trump is definitely a man of action, so they're more willing to put up with temporary hardships if they think the direction is right. With Biden and the Dems, they just believe they'll get more of the "slow slide."
I agree. And they're not wrong to want to go back or blame someone. We can "go back" in terms of increasing the QoL of our populace. Idk, the Democrats were always clear about wanting to uplift people. Obamacare and Medicare for All were extremely clear policy positions meant to uplift the common man. Eliminating student debt (a policy I don't agree with) was also obviously positioned to help people improve their economic and social standing.
I don't know why people say Democrats missed this and Trump saw it? The Democrats won on slogans that capitalized exactly this sentiment. Obama's "Hope" and "Yes we can" are obviously in a context where people didn't have hope or questioned whether we could.
I think he just got lucky against bad candidates, and we ascribe way too much to his branding and the other garbage. Clinton's branding was about HER (i.e. I'm with her), not about THE PEOPLE (biggest political branding mistake in the 21st century imo). And Harris never had the popularity to go to to toe with Trump.
Idk, I think people are mad, but I think the Democrats have spoken to that more authentically and proven themselves to actually do things that help the common man than Trump ever has
The scores are mostly useless, I would not care if they disappeared, I do not look at them. I don't really understand why people get so upset about garbage scores though. If a high CVSS score creates a bunch of work for you then your vuln mag process is broken IMO. (Or alternatively, you are in the business of compliance rather than security. If you don't like working in compliance, CVSS scores aren't the root cause of your misery).
Having a central list of "here's a bunch of things with stable IDs that you might or might not care about" is very valuable.
So, most businesses. They all need their ISO/NIST/HIPAA/etc certs.
There are far too many bad actors for us to operate as an industry with no yardstick.
Maybe I have a dependency on Foo which has a critical vulnerability in a feature that I don't use. I suppress the warning and all is well. Then two weeks later someone on my team decides to use that feature, not knowing that there's a problem with it. Now we're fucked, and we'll never know because the vulnerability has been suppressed.
its all just surface-level box-checking. most companies required to get 'penetration tests' just get an overpriced Nessus scan sold as a pentest and that meets their reqs.
Trump must be receiving a lot of emails from companies wanting to fill the void, and I bet the Trumpiest of them all is going to be awarded a contract worth 10x the budget CVE had, and do a much worse job.
I think the question everyone in this thread should ask is: why is it the government's job to do this, especially given the prior widespread view that they're doing a bad job? Is the software industry so immiserated by poverty that it cannot organize its own distribution of security bulletins? Clearly not: GitHub already runs its own vuln tracking scheme that's better integrated with the tooling we use for open source software. The industry routinely sets up collaborations like standards bodies, information sharing groups and more. And there is as whole ecosystem of security companies to help you understand vulns in your stack.
So there seems nothing specific to CVEs that requires government involvement, but the existence of the tax funded scheme does discourage the creation of competitors that might function better.
But, to CVE or not to CVE ... that is not the question. US deficit spending is out of control. This sort of thing had to happen some day. It's what Europeans in the 2010s called "austerity" and it always makes some people scream but this graph:
https://fiscaldata.treasury.gov/americas-finance-guide/natio...
... is not sustainable. Up to 1984 overall US debt was stable. Since then its growth rate became dangerous. Debt/GDP ratio is now worse than just after WW2. The federal government is currently spending more on interest than on defense or Medicare:
https://www.crfb.org/blogs/interest-costs-have-nearly-triple...
The US is currently getting its first taste of what parts of Europe started going through in 2008, and unfortunately there's bad news: the cuts you're seeing now are mostly cosmetic. They're what can be done within the current framework of laws, sort of, with lots of bending of the rules and creative interpretations of them and maybe some oversteps. But it's just the start of what's needed. Large scale reform of the laws themselves will be required regardless of whoever wins the next elections.
What a shame on this current gov. administration, if you can even call it that.
CVE is simply identification of a flaw, not a scoring system.
Absolutely. And if the headline was "DHS proposes improvements and streamlining to the CVE program" we'd all probably be cheering.
Leaping from "This is Flawed" to "Let's kill This" is a logical fallacy. A flawed security registry is clearly better than no security registry.
In honesty to say "logical fallacy" is spoddy, I advise against for aesthetic reason.
All this does is help Putin and other rich grifters.
It's because it's like if someone had forgotten to validate the user's role in an endpoint in a Django app, and someone said that they should have used Rails because it's easier to understand. In reality both are easy enough to understand to be able to do an authorization check, and the framework isn't the issue. So the person suggesting Rails is bikeshedding.
Likewise, if someone made another vulnerability database it would likely have the same issue, and this isn't really the place to solve it. If somehow this does trigger the realization to solve it, then it will be by luck.
April 2024, https://nvd.nist.gov/general/news/nvd-program-transition-ann...
Sep 2024, Yocto Project, "An open letter to the CVE Project and CNAs", https://github.com/yoctoproject/cve-cna-open-letter/blob/mai...> Security and vulnerability handling in software is of ever increasing importance. Recent events have adversely affected many project's ability to identify and ensure these issues are addressed in a timely manner. This is extremely worrying.. Until recently many of us were relying not on the CVE project's data but on the NVD data that added that information.
Five years ago (2019), I helped to organize a presentation by the CERT Director from Carnegie Mellon, who covered the CVE backlog and lack of resources, e.g. many reported vulnerabilities never even receive a CVE number. It has since averaged < 100 views per year, even as the queue increased and funding decreased, https://www.youtube.com/watch?v=WmC65VrnBPI
Edit_1: found a proposed bill, April 2025, https://fedscoop.com/public-private-partnerships-bill-nist-h...
> A bipartisan bill that would establish a nonprofit foundation aimed at boosting private-sector partnerships at the National Institute of Standards and Technology was reintroduced in the House and the Senate.. the proposed foundation structure was described as replicating similar nonprofits that support public-private partnerships at other science agencies.. we encourage a strategy that leverages NIST’s leadership and expertise on standards development, voluntary frameworks, public-private sector collaboration, and international harmonization.. NIST’s funding has been in focus following a budget cut of roughly 12% to $1.46 billion in fiscal year 2024.
Edit_2: is there a shortage of database rows, or people to write a shell script? Why not pre-allocate N CVE IDs for every CNA, while a new plan is worked out? At least one random commercial vendor could foresee the shutdown early enough to reserve CVEs.
> Garrity posted on LinkedIn, “Given the current uncertainty surrounding which services at MITRE or within the CVE Program may be affected, VulnCheck has proactively reserved 1,000 CVEs for 2025,” adding that Vulncheck “will continue to provide CVE assignments to the community in the days and weeks ahead.”
MITRE CVE/CWE contract, $29M for 2024-2025, https://www.usaspending.gov/award/CONT_AWD_70RCSJ24FR0000018...
The funding appears to have been cut off today, and both of these comments seem to talk about continuing work and how important it is.
Do you mean to say that some form of threat to the NVD has been around for over a year now? Just want to be sure I'm parsing correctly!
May 2024, https://therecord.media/nist-database-backlog-growing-vulnch...
> Moving forward, cybersecurity companies will have to “fill the void” .. NVD said in April [2024] that it is “working to establish a consortium to address challenges in the NVD program and develop improved tools and methods.” .. CISA acknowledged the concerns and outrage of the security community and said it is starting an enrichment effort called “Vulnrichment," which will add much of the information described by Garrity to CVEs.
The second VulnCon event took place last week and no silver bullet has appeared, https://ygreky.com/2025/04/vulncon-2025-impressions/
That article is about how the volume of software vulnerabilities are increasing, resulting in difficulty keeping up by the CVE and NVD projects.
Please stop spamming this thread with political spin.
> Since February 2024, the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) has encountered delays in processing vulnerabilities.. caused by factors such as software proliferation, budget cuts and changes in support.. NIST, an agency within the United States Commerce Department, saw its budget cut by nearly 12% this year.
People who actually work with CVEs have been posting about this problem on HN for 18 months.
If you still have a cached copy of their original post you should publicly edit your earliest reply with their original quote.
NIST budget was cut 12% in FY 2024 (Oct 2023 - Sep 2024).
An earlier bill to supplement NIST funding has been reintroduced in 2025, https://fedscoop.com/public-private-partnerships-bill-nist-h...
Companies can definitely fund it. But to be fair the gov, including NIST, also relies on CVE.
https://www.computerhope.com/jargon/l/layer8.htm
There were 65,000 cases of salmonellosis in the EU in the most recent data I could find (2022). Thats a lower per capita rate than the US, but definitely not zero.
Being 26 times less worried about something translates, at least for most things, for me, to not being worried about it any more.
According to https://pmc.ncbi.nlm.nih.gov/articles/PMC11945640/ most of the outbreaks in humans (where exact cause was found) were caused by foreign vegetables.
On other hand countries like Italy find positive samples from 27% of their flocks ( https://efsa.onlinelibrary.wiley.com/doi/epdf/10.2903/j.efsa... ). USA doesn't do testing at that level as far I understand, I only found that 8% of the tested chicken parts have salmonella (https://www.propublica.org/article/salmonella-chicken-usda-f...).
https://www.npr.org/sections/shots-health-news/2025/04/15/nx...
https://www.npr.org/sections/shots-health-news/2025/04/15/nx...
This is one of those things the government does for the benefit of the whole.
Multi-trillion-dollar companies benefit from and contribute to this system, surely they can spare 0.01% of their revenue to this bit of critical infrastruture?
They would, if we made companies pay their taxes.
Yes, you can also run such a system based on donations. But I personally think that such a system is important enough to be paid for by the government. When you run on donations, there will always be conflicts of interest and the risk of running out of funds.
But yeah, Mitre being a private organization that was paid for by the government was a problem.
A funding shortfall and strain isn't a funding cut. And from what I see there was a funding increase.
2025 article claims 30% increase in 2024 workload, https://www.securityweek.com/mitre-signals-potential-cve-pro...
> According to NIST, while the National Vulnerability Database (NVD) is processing incoming CVEs at the same rate as before the slowdown in spring and early summer 2024, a 32 percent jump in submissions last year means that the backlog continues to grow.
2023
> CISA had previously been supporting the NIST NVD program with approximately $3.7 million per year in interagency funding, which they have discontinued
2024
> While NIST has since reallocated $8.5 million to NVD for fiscal years 2024 and 2025
Assuming that's spread over both years it wasn't as big of an increase as I said, but is still an increase even inflation adjusted.
> 2025 article claims 30% increase in 2024 workload
Underfunding in the face of more workload isn't itself a funding cut.
> While NIST has since reallocated $8.5 million to NVD for fiscal years 2024 and 2025, this funding remains a fraction of the $300 million to $400 million estimated to be needed annually to fully restore capacity, with an additional $120 million to $150 million required to prevent further system “deterioration.”
Did NVD receive 300MM annual funding pre-2024? That would be a 98% funding cut.
MITRE CVE/CWE budget is more transparent than NVD since it's a contract, listed on USAspending.gov.
This isn't just a rapid disassembly of economic structures, any trust and goodwill is completely obliterated as well.
Now if you want that (even just funding) to be a thing ... you have to go through Trump & Co and pay your bribe to get it back up.
Tragedy of the commons - NVD and the CVE project havr been backlogged and facing funding issues for a couple years now, and most security vendors are either cagey about providing vulns in a timely manner (as it can reduce their own comparative advantage), or try upsell their own alternative risk prioritization scores.
Every company will gladly use NVD and CVE data, but no one wants to subsidize it and help a competitor, especially in an industry as competitive as cybersecurity.
Why? This administration is not acting in good faith, you don't have to act as if they are. People and institutions doing that is part of how we got here in the first place.
Surely there's an antibody response.
Why? The decisions are pretty well politically aligned with the ideology which detests the size and scope of the government (realistically, those aspects which the ideologues feel are not in their interest). What is unexpected is the swiftness and the brutality of action, but revolutions tend to be messy, and make no mistake, this is a revolution.
> This is the actions of a foreign bad actor
Now this sounds like a coping strategy: everything is so preposterous it couldn't possibly be homegrown. Foreign influence and underhanded actions are as old as human interactions, but IMO outright plants can't succeed without a massive economic and power asymmetry between the adversaries.
The entire world seems to be able to 'cope' with that assessment.
Trump's actions towards Putin are highly irrational. Maybe he's being blackmailed, maybe he's being bought, maybe he just has likes Putins style but there is a reason people suspect him despite it being unlikely in the general case.
As you say, that's exactly what got us here. But the alternatives are very unclear, and seem deeply unpleasant.
If the steelmanning fails then you can you can be even more confident that it is in bad faith.
> Why?
It's a sensible practice and good practice
In reality this would never happen so all these people playing steelman are just detached/insulated.
Still shortsighted and stupid, but it's plausible this is intended as leverage to get someone else to pony up.
https://usafacts.org/government-spending/
The issue we have is that republican every chance they get since the 1970s have cut taxes. And then blamed democrats for causing the deficits. We don't need smaller governments. We need a reasonable tax system that taxes people. It can be progressive like it was before we decided rich people just need it easier than poor people.
Yes, I will pay more taxes sign me up, especially if they can finally fix the roads and fund research. The problem is my taxes as a middle-class person go up and rich people get a tax cut. It's stupid. I like water provided by government utilities, I like planes that don't crash into stuff because there are air traffic controllers. These things used to work because we paid for them. When you buy cheap you get cheap.
The “CVE program” can be done by a volunteer or two in spare time. It’s not some major operation, it’s just a registry of integers that can live on GitHub.
The world needs more volunteers like you.
I think it's a testament to the previous stewardship that it appears so simple.
https://lwn.net/Articles/851849/
Step 1: Post discreetly to a forum with minimal information and an absurdly short deadline
Step 2: Phone your friend, the former board member, to make your case on LinkedIn
Step 3: Ring up a friendly journalist and give them a tip
Step 4: Reference the insuing chaos as justification for keeping your project funded
Note that the article carefully avoids pinning the blame on DOGE or the Whitehouse while heavily implying it. MITRE is technically a private entity, albeit a non-profit. And the very last paragraph of the article states:
> A CISA spokesperson told CSO, “CISA is the primary sponsor for the Common Vulnerabilities and Exposure (CVE) program… Although CISA’s contract with the MITRE Corporation will lapse after April 16, we are urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely.”
To be clear, the point isn't to say that the CVE program isn't valuable, nor is it to say that it's good for a shenanigan like this to be necessary.
The point is that, unless you're directly involved in this subject (not impacted—involved), it's probably best to maintain a "wait and see" attitude rather than succumb to catastrophizing this news.
I guess it's one of those things you never think about until it goes wrong.
The world would do well to move this kind of stuff out of the US quickly, just like ICANN and stuff.
> Hearing a bit more on this. Apparently it's up to the CVE board to decide what to do, but for now no new CVEs will be added after tomorrow. the CVE website will still be up.
If I'm developing a product built on 20 libraries, it won't just be a matter of scanning CVEs for major vulnerabilities any more, so I'm more likely to miss one.
"always update" doesn't always work, when to manage a product you realistically have to version pin.
I would imagine the only SANE option would be some kind of git repository where CNA's can collaborate. Probably run some code across to make the website that people can easily access.
It's going to be a mess.
This is dangerously stupid.
The US isn't supporting it out of charity, it's good for US businesses to have someone coordinating this for everyone. Why would we want to rely on other countries to be supporting our tech sector? At least now we are subject to only the capricious whims of our own government, as little comfort as that is right now (if another country was funding it we would be relying on the whims of a foreign government, which isn't ideal when tech is the golden goose of your modern economy).
The funding requirements can't be that high and I'm willing to bet that other countries and entities would have happily stepped up if they had the chance.
Up until recently CVE was very centralized and only in the last few years have there been steps in more decentralization with CNAs taking more responsibility, Red Hat as a CNA of last-resort etc. So, the cost of doing all of this work has already been shifted partially (!) away from the US but I have not seen any movement towards e.g. moving the program to a foundation which could have been done.
Personally I would conclude that it was the responsibility of the US to pay for this because they wanted to and it was in their best interest to control this program.
And perhaps if there had been more than a days notice, some consortium could be pulled together, but who's going to pay? Why would private companies do this, how do they profit? CVE program was the roads that everybody could drive on.
The basic lack of understanding of how the world works is killing the US. Why do people think we have such a massive GDP? Where do people think that comes from? We've given control of everything in society over to our dumbest and greediest members that have no clue about how anything works.
> I'm willing to bet that other countries and entities would have happily stepped up if they had the chance.
In my opinion it's mostly the industry needing to adapt to a new setup that needs to happen. It was just "easy" to rely on what's already there. A lot of company policies need to be adapted etc.
Now of course USA is ceasing (voluntarily, by stripping down every international soft power effector in government) to be a superpower, to the great glee of dictators all around the world.
The "we can't afford being great" is a direct admission that USA is no longer a superpower. And is not going to become great again, just another nation again (at whims of China).
It was to the advantage of the US and allies to coordinate and lead in tracking and fixing such errors.
Multiple countries, companies, and individuals contributed finding and fixing bugs.
The administrative task of keeping track was one part of a greater picture, a part that came with first to be advised and other perks.
It's not that the US had a responsibility to take on the lead admin task, more that in past times the US saw an advantage to being at the centre of global action.
This is just another part of increasing US isolationism.
From what I understand of the article, none of these allies were funding it.
> Multiple countries, companies, and individuals contributed finding and fixing bugs.
Clearly that itself isn't enough. Someone has to pay for maintaining this service. It appears that no one other than USA spent money in funding it.
Why would it be shut down without asking for others to fund it, if it's some sort of burden on the US?
Programs like this pay for themselves many times over. There are only two reasons for cutting this: absolute idiocy, or active sabotage of the US.
Don't bother; they're a brand new user trying to cause trouble
Bluesky has a different tact that also works: block and hide and don't engage. However in forums like HN, where earnestness and questions are so prevalent, leaving these baiting questions and statements unanswered instead leaves them as bastions of the mind rot. Because these toddler-level arguments are being repeated daily through propaganda channels all over the internet, and if they are never answered, the constant swarm of propaganda takes in even more people.
Maybe the Dutch should go ahead.
And CIRCL in Luxembourg are providing vulnerability-lookup which can also assign IDs but in a more decentralized way: https://www.vulnerability-lookup.org/documentation/
VulnerableCode can help with discovery etc. https://vulnerablecode.readthedocs.io/en/latest/introduction...
So, parts of this are already in place and I assume this will be a big boost towards a new vulnerability ecosystem.
What the fuck are you supposed to do about this. This is something that should have had multiple MONTHS of warning in order to allow those who depend on the CVE infrastructure to plan what to do next with their security posture.
This is your moment! Enjoy it!
If you’ve somehow missed Trump’s systematic dismantling of academic freedom or his disappearing of folks he doesn’t like, then we have a far bigger problem than the limits of what is discussed on HN.
Who is still stunned by these things? They want you to be stunned; they want you to tell everyone else that you're stunned to spread feelings of terror and powerlessness. If you actually are stunned, you are stunningly ignorant. If you are not and still saying it, perhaps to emphasize your unhappiness, you are a 'useful idiot'. Either way, if you are saying it, you are a useful idiot.
You should have known decades ago: The GOP impeached a President for lying about sex; they fabricated intelligence to invade another country (killing thousands of Americans and 100,000+ Iraqis) - and that was all before 2004. They've voted almost unanimously, multiple times, to bankrupt the country (by refusing to authorize debt for existing obligations). Nobody (i.e., the Dems failed to) stopped them or made them pay a price, so why wouldn't they keep doing those things. (Edit: And if you object because the analysis criticizes one side and therefore you reject it as partisan, that's a big part of the reason nothing was done.)
This time they published Project 2025, telling you what they were going to do.
https://github.com/CVEProject
The government is not particular (in the sense of particularism) and cannot be easily tuned to fix particular problems; rather, its best solutions come through institutional procedure and design, such as the tension between the FAA and the NTSB that, at a first glance, would seem like obviously needless duplication and waste.
It is a broad, blunt, wasteful instrument to solve broad, blunt problems in a way that may not be the best but that work far, far better than alternatives that have been tried.
That the effort to treat government like a personal budget has ended up destroying important things is a sad inevitability of such efforts. I hope it goes remembered.
They tried to reject the election result and do a coup, and were rewarded for it by getting back into power. They are refusing to follow the law or the courts. They are sending people to gulags in foreign countries. All the checks and balances were destroyed last time. The party has been stripped of anyone who would fight the admin or reject this illegality. They have set up a power grab over elections.
There will not be free and fair elections in four years unless they are simply too incompetent to rig it, the rubicon was crossed long ago. Without mass protest that makes it impossible for them to hold power, American democracy is dead.
They have tried to do it, they say they want to do it, they have the ability to do it, they are actively doing it, and no one is stopping them. How are people still acting like in four years they are going to neatly hand over power to be prosecuted for their crimes?
No, more seriously, just like with shutting down NOAA services, it seems the goal is to:
1. cut services (we saved taxpayer money!!)
2. at some point later: oh, we actually need those services
3. pay <insert your favorite vendor here, preferably one connected to Musk> to provide the service (see! we don't need to pay gov employees!!) (fine print: the vendor costs 2-3x the original cost). But by then no one is looking at the spending numbers anymore.
Slick moves.
Especially when you cut something recklessly, figure out in month that you need back that capability right now and have very little leverage to negotiate with private providers.
When you look at the last cutting effort in the Clinton administration the difference in jarring.
Combine that with the fact that with a few exceptions DOGE has been cutting the most cost effective programs (i can’t think of a better bang for buck science program than NOAA) it’s saved very little vs the amount of pain it has caused.
Open season on American corporations for domestic and foreign hackers.
If program isn’t brought back then CVE database likely to be fragmented amongst the “private” CVE databases.
Sec Corp A has 700 well documented CVEs but Sec Corp B has 702 CVEs in their database since NIST funding pulled. What do corps do? Maybe some of them with massive budgets setup contracts with both to get “full spectrum coverage”. Maybe other non-technical companies that think of IT as strictly a cost will go with the cheapest or forego it all together.
Who knows maybe we get ~~~free labor~~~ open source community to pick up the slack?
This country with the orange man administration is quickly going to shit. Not in a “I dislike {opposing party} way” either. In a “I dislike authoritarian regimes” way.
But maybe this is an opportunity to do CVE better.
Okay, how? This sounds like looking for lemonade in a genocide.
I was trying to convey (with levity/humor) WHY it should continue to be funded as well as the argument that should be made to the one currently in control of the spineless US Congress.
Yes, fixing the vulnerabilities is important. However what the government probably does gain from it is an inside advantage in the lead time for vulnerabilities to protect against, as well as to exploit on adversaries.
DOGE: haha liberal tears
Thought experiment:
If roads were built by private companies, could a Government justify the expense maintaining a database of all the potholes?
They might take a step back and realize that it would be more cost-effective to just own the roads, in which case your thought experiment ends where we are, because where we are was a place reasoned to(to an extent).