[tlogan]

My guess is that they’ll be phased out next year. The long-term goal seems to be transitioning the CVE program into something more like an industry-led consortium. (If you did not notice they operate zero budgeting approach: cut everything and if something is very important reverse it. But you cut first and then ask questions.)

It’s worth noting that MITRE is a DoD contractor (with minor contracts from other agencies like this one). Having the CVE program operated by a company funded by the U.S. military raises valid concerns about conflicts of interest—especially in an ecosystem that depends on neutrality and global trust.

[nxobject]

I’m a little hesitant to trust a CVE database operated by private industry on the grounds of conflict of interest for that reason, too.

[tylermw]

MITRE is a Federally Funded Research and Development Center (FFRDC), which is a distinct type of federal contractor with strict conflict of interest regulations. They are owned by the federal government, but operated by contractors and are specifically structured and regulated to minimize conflicts of interest, so are distinct from "private industry" in many regards.

You can read a congressional report by the CRS describing FFRDCs and their role here: https://www.congress.gov/crs-product/R44629.

[stonogo]

MITRE is absolutely not an FFRDC. It's a regular old 501(c)(3) which happens to manage FFRDCs.

[tylermw]

Yes, you are correct, I should have typed "runs". But the point is that MITRE runs the U.S. National Cybersecurity FFRDC that maintains the CVE system, and FFRDCs are deliberately structured to minimize potential conflicts of interest (GP comment) and are definitely distinct from private industry (parent comment).

[guerrilla]

They were talking about AFTER that when it is privatized. That's what the comment they're responding to was talking about, not it's current state.

[ThinkBeat]

I am quite hesitant to trust the DOD to keep track of software vulnerabilities. Some parts are developing and exploiting vulnerabilities. And given a fresh feed of what people find, and usually a delay from notification until publication, which may sometimes just be a bit longer of a delay, would allow the DOD to weaponize the vulnerability for their own use as well.

[derektank]

This contract is funded by CISA, which is an agency within the Department of Homeland Security, not DoD. As far as I'm aware, there are no components of DHS with Title 10 or Title 50 authorities to conduct cyber operations, unless you count the Coast Guard but they normally operate under Title 14. So there really should be no conflicts of interest as no one in the DHS is authorized to exploit vulnerabilities as part of cyber operations.

[ygjb]

This illustrates a misunderstanding of how CVE functions. It's a repository of data about disclosed vulnerabilities (even if some disclosures are embargoed and not yet published - if anyone but the bughunter and dev team that owns the fix knows about it, it's disclosed :P). The actual vulnerability discovery process is external and done by individual researchers, teams and businesses who report vulnerabilities to the appropriate groups called CVE numbering authorities (CNA) who manage the assignment and publication of CVE data through their scopes. There is not much technical advantage in terms of advance disclosure since the CNA controls what data goes to CVE.

As an example, a CNA like Mozilla, Apple, or Microsoft is unlikely to disclose vulnerability data via CVE until they have remediated the issue or have public guidance, and their embargo processes are likely separate from CVE publication.

[j16sdiz]

CVE Numbering Authorities (CNA) have lots of control over those.

[derefr]

I'm the opposite — and I think this might be the "4D chess"† interpretation of this move as well.

In peacetime, I think everyone is generally alright with something centralized like the CVE database.

But in what increasingly seems like the lead-up to wartime... I'm hesitant to trust a CVE database operated or funded unilaterally by a single government — or even multilaterally, if the governments are all ones that all would end up on the same side of a hot war.

(Why? Strategic censorship of reports while the DB's patron takes advantage of the exploit, for one. Such a database becoming a high-priority cyberwar target, for another. Strategic wasting of enemy cybersecurity resources with false announcements, for a third.)

IMHO, the ideal form for the organization managing CVE, is one analogous to IANA and its Regional Internet Registries (RIRs).

IANA slices up the keyspace of IPs to assign to RIRs, and arbitrates disputes — but both at such a high level that their work is effectively in a de-facto state of "done until something comes up". The RIRs do all the actual everyday work.

This means that in a hot war that different RIRs end up on opposing sides of, where at least some of the RIRs can no longer trust the ownership of IANA to act in their best interests, the RIRs can just ignore IANA for a while, and keep on doing their own thing (managing allocations from their previously-agreed parts of the IP keyspace), and everything will still work.

And RIRs that control parts of IP space contended over by opposed states? They can just be split up, under obvious rules (every current allocation goes to the sub-RIR associated with the state that controls the gov/mil/corp/org entity currently holding that allocation.)

That's not the case with the CVE database under its current ownership. There's no established way to namespace it, no obvious way to split it up and keep it all working.

And I think that this problem would be obvious to the DoD. Which is precisely why paying to host a single-source-of-truth CVE database loses its lustre when that same DoD is aware that such a split might soon have to happen.

---

† I dislike the term "4D chess", because it implies one chess master who's really good at predicting non-obvious outcomes — rather than an entire military-industrial-complex acting as "see something, say something" inputs to an intelligence apparatus that does a lot of hard work and simulation analyzing potential outcomes, to produce easily-digested suggestions and action items. There just needs to be one guy in the Pentagon / the military / wherever, who realized this and sent a (classified MILNET) email about it.

[transpute]

> That's not the case with the CVE database under its current ownership. There's no established way to namespace it, no obvious way to split it up and keep it all working.

Work on supply chain security has lead to the introduction of standardized SBOMs, as an artifact required by some large customers to accompany software binaries. It should be possible to associate each software binary CVE with a vendor SBOM and organization country code. Large multinationals might have geo-specific binaries to confirm with regional regulations like the EU CRA.

[cortesoft]

You aren’t worried about the conflict of interest with a government run system, given the desire of governments to be able to intercept all communication?

[MiguelX413]

No, particularly because CVE has no communications functionality.

[cortesoft]

My worry would be that a government might want to hide a particular vulnerability it has found that enables it to break into a system.

[jmull]

> The long-term goal seems to be...

Where do you get that from?

I've seen no sign of long-term goals, much less any mechanisms being put in place for follow-through on those goals.

It seems like people keep making the mistake of believing there's a detailed plan, while all evidence tells us there isn't. I guess it's the normal human tendency to see order in the chaos.

[tlogan]

Project 2025 lays out a clear vision for the privatization and decentralization of federal functions. It’s not subtle—it explicitly calls for it.

Separate from whether we support this or not:

Trump is doing—or promising to do—exactly what he said he would. We can disagree with the policies, but it’s not accurate to say he or his team are directionless or incompetent. They have a coherent (if controversial) agenda.

So rather than dismissing them as clueless or idiots, it’s more productive to debate this:

- Why is outsourcing CVE program to private consortia a bad idea?

- Could a model exist where a private consortium is supported by federal grants, but maintains accountability and public interest safeguards?

[chowchowchow]

Actually Trump repeatedly said he didn't know about project 2025. He's so scattered in his campaigning that it's possible to pretty much justify any action as "what he said he would do." But saying executing project 2025 is exactly what he SAID he would do defies all reality. It may be what intelligent observers expected him to do but it is not what he said.

Edit: good lord people I’m not defending Trump I’m saying he lies about everything including that he lied and said he wasn’t going to do project 2025. Read the post I’m responding to!

[ranger_danger]

Someone is clearly pushing that agenda whether it's (knowingly) Trump or not.

Project 2025 is 42% complete, 3 months in.

https://www.project2025.observer/

[SlightlyLeftPad]

People have got to learn how to read between the lines with Trump and those around him. When the things he says he is going to do and the things he’s actually doing are exactly the things laid out in project 2025, the connection to the project is immediately clear and establishes that he was lying about knowing nothing about it.

[chowchowchow]

Obviously

[pstuart]

> Actually Trump repeatedly said he didn't know about project 2025

  * He said he'd end the war in a day.
  * He said he had a better health care plan.
  * He said he'd drop the price of eggs.
  * ...
  * He said lots of things that were not true.

[chowchowchow]

That’s exactly right and what I said. The guy above said Trump is doing what he said he would. He isn’t.

[sigzero]

Which doesn't mean Trump saying he has nothing to do with Project 2025 a lie.

[pstuart]

I've never been in the room, but it's a safe assumption that he was lying.

[tlogan]

> Actually Trump repeatedly said he didn't know about project 2025.

His exact quote is: "I have nothing to do with Project 2025." Meaning sure - he did not write it. I doubt he read it - it is 900+ pages long document :-)

Anyway, he might fooled some people but I doubt - my understanding was that he is going to follow Project 2025. It is good time to rewatch this: https://www.youtube.com/watch?v=gYwqpx6lp_s

[chowchowchow]

I am certain you can find more than one quote of his relating to Project 2025. In any event this also doesn't disagree with what I said more broadly, which is, he was not forthright about his plan to do exactly what Project 2025 said, so you can't say he's doing exactly what he said. But anyone with a hint of insight could understand that was his plan.

I'm responding to someone who said Trump is doing what he SAID he would do, and that is all I intended to correct.

[jmull]

Trump said he was not going to follow the project 2025 plan.

So you're making two immediately contradictory claims that Trump is doing what he said he would, and is following the project 2025 plan. That's not coherent.

You're suggesting a privatization plan exists, and want to debate its merits, but I see no sign such a plan is being adopted. E.g. who is enacting the plan? When is the comment period? Who do we send our feedback to? You may have a plan, but what does that have to do with the people in charge? If it's not their plan it doesn't matter one bit. Despite your assurances, I see no sign they aren't acting without a plan (or, as you put, as clueless idiots).

[acdha]

> Trump said he was not going to follow the project 2025 plan.

He didn’t convincingly reject it, though, and his distancing was only convincing to people who were looking for an excuse to ignore it with the way he pretended not to know the people behind it when 31 of the 38 authors were members of his first administration, his campaign was in close contact throughout, and he certainly didn’t put much effort into rejecting specific policy proposals.

I think this is a case where different audiences got different messages. The hardcore base knew he was lying since it had all of their red meat issues, informed Democrats knew he was lying because actions speak louder than vague denials (e.g. if you don’t agree with someone’s policies, you wouldn’t let them have a role in your campaign and you’d be able to say what you’d do differently), but he gave the media and casual voters just enough to make it harder for Biden/Harris to land attacks which we now know were fully accurate.

[jmull]

Yes, he was obviously lying, as he has done about so many things.

Well, it's obvious to some us, anyway.

[nrdvana]

In most of the video clips I saw, he was saying "I don't know anything about that", which could be entirely true. Often I see hints that he's attempting to play the Aes Sedai game of "speak no word that is untrue" but he's too dumb to do it well. Anyway, as an extension, both comments can be true, that Trump himself has no plan and is an idiot, but that his administration is enacting Project 2025.

[danaris]

There seems to be a lot of hay being made over whether Trump is

- deliberately following Project 2025 to the letter, or

- completely ignorant of Project 2025 and not doing what it says

...when it seems very likely that the truth is somewhere between.

Trump himself is doing things the way he always does: in a mixture of long-standing bigotry and idiocy, his own whims, and whatever someone said to him 10 minutes ago (or he saw on Fox & Friends, or whatever).

His administration is heavily populated with people who either helped write Project 2025 or are close with those who did.

DOGE is only loosely connected with the latter, and it's DOGE that has been instrumental in wrecking federal agencies—and while that destruction largely aligns with Project 2025's goals, it's not clear to me that they're specifically following its playbook. Rather, I think they're doing things their own way with high-level guidance from the people who care about Project 2025. It's very possible that their goals could end up conflicting, depending on what Musk wants.

Edit to add: It's also true that Trump said he knew nothing about Project 2025. Whether or not this is true, he said it during the campaign, when Project 2025 had just been widely reported on as a negative thing. I don't think we can read much into Trump's campaign statements intended to publicly distance himself from something he sees as unpopular.

[absker]

MITRE is a non-profit company that operates Federally Funded Research and Development Centers (FFRDCs), which are owned and funded by the federal government and contracted out to companies like MITRE to operate them.

While MITRE does have contracts with DoD (and many other agencies across the federal government as part of the FFRDCs they operate), they are not the same as a stereotypical DoD contractor as their non-profit status motivates them to work in the public interest.

[jhelps]

I can see how govt funding was needed to help bootstrap the CVE program before people saw the value of it.

But now that CVEs form the basis of a very lucrative ~$16b/year industry[0], wouldn't it make sense to let those companies take over?

Privatizing the Internet enabled much more innovation than if it had stayed govt-funded.

0: https://www.grandviewresearch.com/industry-analysis/security...

[ottercan]

MITRE is not a DoD contractor. They are a not-for-profit institution committed to the public interest that operates six Federally Funded Research and Development Centers.

[butterlover]

It’s probably more accurate to describe mitre as a publicly funded non profit operating for public benefit like the post office or PBS.

It’s a stretch to describe it as an arm of the government.

[numbsafari]

... and that industry led consortium will have a board all paid princely sums, and an executive leadership team that is conflicted to the hilt and paid kingly sums, and they will charge exorbitant rents in order to keep the lighthouse lit.

There's flaws with every approach, but I much prefer the approach where this sort of thing is treated as a public good, rather than as yet another soon-to-be walled garden.

[bunderbunder]

I keep thinking of that time Wisconsin's state government privatized a bunch of IT stuff in the interest of "government efficiency", and the cost taxpayers paid for those specific functions increased by several hundred percent while quality of service went down.

At that same time, though, I worked for a contractor that I do believe saved states money compared to doing things in-house. The work we did really required specialists. But no one state had enough of the work to keep one busy all year. So sharing a pool of people to do the work among many states meant there was room for both saving the states money and allowing some profit for the company.

The idea that you can just blanket assume that private industry is inherently more efficient than public works really needs to die. There doesn't seem to be any more evidence to support it than there is to support the idea that it's inherently less efficient. Life just isn't that simple. It's all case by case.

[dimitrios1]

For every example of privatization going wrong, there's least one example (if not two) of it going right.

But serious question -- what is the difference these days anyways? Our entire government is effectively privatized anyways from the local level up to the federal. We rely on contractors for almost everything that matters. We just maintain this facade that they are not privatized.

[sollewitt]

I’ve never seen one that worked long term. The basic premise is “what was done for $X dollars with no profit motive can be done for <$X dollars with profit motive doesn’t hold up - you make something private, it wants to make more profit.

Just for the most ready to hand example for me, PG&E in SF vs public electricity utilities on the peninsula - the privatized electricity costs twice as much per kWh - and of course it does because the PG&E CEO needs to make $17M from somewhere, the share price needs to go up etc. the rich need to skim from the top, that makes the cost higher.

If you have an essential industry the cynical play is to privatize to save cost, then do a bad job and then effectively make your losses public through bail-outs while still making profit.

[derektank]

>The basic premise is “what was done for $X dollars with no profit motive can be done for <$X dollars with profit motive doesn’t hold up - you make something private, it wants to make more profit.

No, the basic premise of privatization is that, assuming the product or service has multiple potential customers, private industry can operate at scale which, alongside competition from other companies, drives down the price and the government can purchase it "off the shelf" at the prevailing commercial rate. Those assumptions don't always hold, utilities being a great example of this, but it's not inherently blind or naive to consider privatizing some components of government function. We don't expect the government to operate its own vehicle assembly lines even if the government needs cars; they just go buy one from Ford or GM.

[bunderbunder]

I'd add that that, for this calculus to work out in a straightforward way, a competitive market is necessary but not sufficient. You also need other factors that help drive economies of scale, such as the thing in question being a manufactured good that can be sold to many people, or the production requiring expensive and specialized equipment that can be used for more than just that one thing.

I'm no expert, but I'd guess that these factors are more likely to line up in manufacturing and construction, or even R&D, than they are for things like maintenance of specialized IT systems or administration of services.

[Sohcahtoa82]

> The basic premise is “what was done for $X dollars with no profit motive can be done for <$X dollars with profit motive" doesn’t hold up - you make something private, it wants to make more profit.

The government often acts like it has infinite money. Sure, they'll make a lot of noise about the national debt, but it's all just about getting votes.

I expect privatization to be a way for a politician to stuff their pockets. They'll either buy their stock before the large government contract is announced, or the corporation will kick some money back in the form of campaign contributions, or find some way to just give cash directly.

Nobody ever gets charged with insider trading because everyone that would be involved in that is in on it as well.

Or maybe I'm just cynical.

[taeric]

Would love to see a list on both sides. It is easy to win an argument when you get to gesture at evidence without being specific.

For your question, the difference is if a government spend succeeds, it should lead to more things that the people can do. If a private company succeeds, it largely funds just the company.

And, ideally, it should be fine that both the government/nation gets benefits while rewarding successful contractors. Nothing wrong with that.

This is hilariously viewable with Musk. People love to point out how he risked so much on Tesla. Ignoring all of the capital that the government risked in the same venture.

[dimitrios1]

I am not here to argue for a "side", to win an argument, nor provide a thesis defense with citation and references -- this is an answer you can easily get from ChatGPT. There's quite literally hundreds.

To add a wrench to both "sides" some of the most effective have been state/federal-owned /state/federal controlled corporations -- or generally, arrangements where you still maintain capitalistic economic incentives and drivers, but have government oversight and (effective) regulation. I think everyone would that is good, but sometimes it takes different forms.

[taeric]

Then let me restate, this is an area where you can easily wade along with largely inaccurate information quite easily. I also wasn't necessarily trying to bait you to give a list, though it would be interesting to know which ones you have in mind, specifically. Far too many of us don't have any evidence, we have been duped by trusting that others do.

I took your specific claim to be privatization of government functions having many success stories. I'm still curious which ones you have in mind, but would more largely be interested in studies on this. Nothing wrong with knowing the wrenches in there.

Beside that, though, I was trying to engage your question. The difference is if growth is privatized into a few, or if it is more broadly available. With a large agreement from me that a mixture of both -- your wrench, effectively -- is fine. Good even.

[sollewitt]

Answer for your serious question: hiring contractors isn’t “privatized” - that’s outsourcing. The thing you’re saving on is the ongoing cost of having permanent staff.

The difference is the government and public entities like mayoral offices or parliaments get to decide how the entity (doing the contracting) is run and approve costs, and the entity is under no obligation to return a profit.

[agloe_dreams]

> Having the CVE program operated by a company funded by the U.S. military

...Yep, we're done as a democracy. Pack it up, boys.

Edit: I know it is doom and gloom but the CVE program could easily delay information and leave holes on purpose.