(comments)

Original link: https://news.ycombinator.com/item?id=43700258

Hacker News is discussing the US government's abrupt halt of funding for the CVE program, as reported by theregister.com. The NVD (National Vulnerability Database), maintained by NIST and a key piece of the nation's cybersecurity infrastructure, faces a growing backlog because of the rising number of software vulnerabilities and a change in interagency support. NIST is considering forming a consortium of industry, government and other stakeholder organizations to improve the NVD. The Yocto Project voiced concern about the impact on its vulnerability handling, noting that it relies on NVD data to address issues in a timely manner. Commenters debated the rationale for the funding cut, with some suggesting privatization or volunteer involvement. One user argued that the CVE program (essentially a registry of integers) could be run by a volunteer or two on GitHub. Others questioned the feasibility and management problems of a volunteer-based solution, pointing out that no volunteer has yet emerged and that the CNAs (CVE Numbering Authorities) already carry much of the work. The page also provides links to related discussions on Hacker News.

Related articles
  • US abruptly turns off funding for CVE program 2025-04-16
  • (comments) 2025-04-07
  • (comments) 2025-03-20
  • (comments) 2025-04-06
  • (comments) 2025-04-15

  • Original
    US abruptly turns off funding for CVE program (theregister.com)
    44 points by dxs 1 hour ago | 11 comments

    Ongoing for more than a year.

    April 2024, https://nvd.nist.gov/general/news/nvd-program-transition-ann...

      NIST maintains the National Vulnerability Database (NVD).. This is a key piece of the nation’s cybersecurity infrastructure. There is a growing backlog of vulnerabilities.. based on.. an increase in software and, therefore, vulnerabilities, as well as a change in interagency support.. We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government, and other stakeholder organizations that can collaborate on research to improve the NVD.
    
    Sep 2024, Yocto Project, "An open letter to the CVE Project and CNAs", https://github.com/yoctoproject/cve-cna-open-letter/blob/mai...

    > Security and vulnerability handling in software is of ever increasing importance. Recent events have adversely affected many project's ability to identify and ensure these issues are addressed in a timely manner. This is extremely worrying.. Until recently many of us were relying not on the CVE project's data but on the NVD data that added that information.



    What has been ongoing for more than a year?

    The funding appears to have been cut off today, and both of these comments seem to talk about continuing work and how important it is.

    Do you mean to say that some form of threat to the NVD has been around for over a year now? Just want to be sure I'm parsing correctly!



    I'm trying to steelman but I really can't think of a non-nefarious justification for this


    The process seems to be to dismantle anything not nailed down in government.

    Now if you want that to be a thing ... you have to go through Trump & Co and pay your bribe to get it back up.



    Privatize all teh things?


    We don’t need to spend tax dollars to increment sequential integers.

    The “CVE program” can be done by a volunteer or two in spare time. It’s not some major operation, it’s just a registry of integers that can live on GitHub.



    How do you get your volunteers in the first place and manage them so you know it's time to get a new one if the quality of their work is slipping?


    Yet so far no volunteer has emerged and people who do run a CNA are pretty busy with it.


    I think sneak would volunteer to do it since it is pretty simple according to them.