After the United States government decided to cut funding for the centralized Common Vulnerabilities and Exposures (CVE) database of product security flaws starting Wednesday, the decision could have implications for the security of our beloved smartphones.
Indeed, the 25-year-old CVE program has played a central role in vulnerability management, overseeing the assignment and organization of unique CVE ID numbers so that particular flaws and their patches can be coordinated across the industry, according to a report published by The Register on April 16.
For instance, these identifiers include CVE-2014-0160 for OpenSSL’s Heartbleed vulnerability and CVE-2017-5754 for Intel’s Meltdown memory-leaking design flaw, allowing everyone, researchers, developers, small and big companies alike, to know exactly which issue they are talking about and what it means.
In other words, when an individual researcher or organization finds a vulnerability, a CVE program partner assigns it a unique CVE identifier, so that everyone working on that particular problem refers to the same thing and there are no misunderstandings.
Recently, the US Department of Homeland Security, specifically its Cybersecurity and Infrastructure Security Agency (CISA), the sponsor and largest funder of the program, abruptly decided to pull its funding for the service. According to Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, this is bad news:
“Before CVEs, each company referred to vulnerabilities using their own vernacular. (…) Customers were confused about whether they were protected or impacted from a particular bug. And that was a time when there were much fewer companies and infinitely fewer bugs.”
As Luta Security founder and CEO Katie Moussouris, who pioneered Microsoft’s vulnerability disclosure program, explained, “CVE is a cornerstone of cybersecurity, and any gaps in CVE support will put our critical infrastructure and national security at unacceptable risk.” As she added:
“All industries worldwide depend on the CVE program to keep their head above water when it comes to managing threats, so an abrupt halt like this would be like depriving the cybersecurity industry of oxygen and expecting it to spontaneously sprout gills.”
What the end of the program means for Android security
Now, if you own a device that might be vulnerable to bugs (as most of them are), especially an Android smartphone, you might be in particular danger, as Google’s monthly Android security bulletins could face delays, confusion, and reduced clarity.
So far, these bulletins have announced the updates that fix bugs and security issues on Android devices, communicating those fixes across hundreds of Android devices and partners. Without CVE as a standardized central system, Android phone makers would need to develop their own method of keeping track of vulnerabilities and their fixes.
Still, this doesn’t necessarily mean that Android (or other) users will be left to fend for themselves: Google (or someone else) could step in and create a system to replace CVEs or develop a new database, or the US government might change its mind about the issue (it wouldn’t be the first time).
Meanwhile, historical CVE records will stay on GitHub, but there could be a difficult transition period before the digital and cybersecurity sphere finds an appropriate solution, as the end of funding for the program would mean its effective closure. Nonetheless, hope remains that someone, somewhere, will resolve this quickly.
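To make the coordination role described above concrete, and to show what "historical records on GitHub" look like to a tool, here is an added example (not code from the article, The Register, or the CVE program). It canonicalizes CVE IDs, reconciles differently worded vendor advisories that cite the same identifier (the two IDs are the ones the article names; the advisory wording is constructed), and summarizes a record written in the CVE JSON 5.0 shape that the cvelistV5 GitHub repository uses. The record itself is a constructed placeholder with a made-up ID, not an official entry.

```python
import json
import re

# A CVE ID is "CVE-" + four-digit year + "-" + a sequence number of four or more digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
CVE_ID_IN_TEXT_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def normalize_cve_id(raw):
    """Return the canonical upper-case form of a CVE ID, or None if the string is not one."""
    candidate = raw.strip().upper()
    return candidate if CVE_ID_RE.match(candidate) else None


def cve_ids_in_text(text):
    """Distinct CVE IDs mentioned in free text, canonicalized, in order of first appearance."""
    seen = []
    for match in CVE_ID_IN_TEXT_RE.finditer(text):
        cve_id = match.group(0).upper()
        if cve_id not in seen:
            seen.append(cve_id)
    return seen


def reconcile_advisories(advisories):
    """Group vendor advisories by the CVE IDs they cite.

    `advisories` maps a vendor name to that vendor's advisory text. The result maps each
    CVE ID to the sorted vendors that reference it, so differently worded advisories
    about the same flaw line up under one identifier.
    """
    by_cve = {}
    for vendor, text in advisories.items():
        for cve_id in cve_ids_in_text(text):
            by_cve.setdefault(cve_id, set()).add(vendor)
    return {cve_id: sorted(vendors) for cve_id, vendors in by_cve.items()}


# Constructed advisory text (not real vendor advisories); the IDs are the two the article names.
SAMPLE_ADVISORIES = {
    "Vendor A": "Heartbleed (CVE-2014-0160) fixed; also patched against Meltdown, CVE-2017-5754.",
    "Vendor B": "TLS heartbeat read overrun, tracked as cve-2014-0160, resolved in this release.",
    "Vendor C": "Kernel page-table isolation mitigates CVE-2017-5754.",
}

# Constructed record in the CVE JSON 5.0 shape used by the cvelistV5 repository.
# The ID and every field value are placeholders, not an official CVE entry.
SAMPLE_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-2099-0001", "state": "PUBLISHED"},
    "containers": {"cna": {
        "title": "Example buffer over-read (placeholder)",
        "descriptions": [{"lang": "en", "value": "Placeholder description of a buffer over-read."}],
        "affected": [{"vendor": "ExampleVendor", "product": "ExampleLib",
                      "versions": [{"version": "1.0.0", "status": "affected"},
                                   {"version": "1.0.1", "status": "unaffected"}]}],
        "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH"}}],
    }},
})


def summarize_record(record_json):
    """Pull the fields a security bulletin would cite from a CVE JSON 5.0 record."""
    record = json.loads(record_json)
    if record.get("dataType") != "CVE_RECORD":
        raise ValueError("not a CVE_RECORD document")
    cve_id = normalize_cve_id(record["cveMetadata"]["cveId"])
    if cve_id is None:
        raise ValueError("record carries a malformed CVE ID")
    cna = record.get("containers", {}).get("cna", {})
    description = next((d["value"] for d in cna.get("descriptions", [])
                        if d.get("lang", "").lower().startswith("en")), "")
    affected = [f"{a.get('vendor', '?')} {a.get('product', '?')} {v['version']}"
                for a in cna.get("affected", [])
                for v in a.get("versions", []) if v.get("status") == "affected"]
    base_score = None
    for metric in cna.get("metrics", []):
        for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):  # prefer the newest scoring present
            if key in metric:
                base_score = metric[key].get("baseScore")
                break
        if base_score is not None:
            break
    return {"cve_id": cve_id, "state": record["cveMetadata"].get("state"),
            "description": description, "affected": affected, "base_score": base_score}


if __name__ == "__main__":
    print(json.dumps(reconcile_advisories(SAMPLE_ADVISORIES), indent=2))
    print(json.dumps(summarize_record(SAMPLE_RECORD), indent=2))
```

The reconciliation step is the point of the article's "no misunderstandings" remark: three vendors describe the same two flaws in three different ways, and the shared identifier is what lets a defender confirm which products have a fix for which bug. The summarizer is what a bulletin pipeline would run over the archived GitHub records once the live service is gone.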
Elsewhere, TechGaged.com data suggests that nearly half of all companies have identified cybersecurity as the top use case for artificial intelligence (AI) in 2025, outpacing cloud computing and robotics as the most critical technology in driving innovation for the third year in a row.