Amid CVE funding fumble, 'we were mushrooms, kept in the dark,' says board member

Kent Landfield, a founding member of the Common Vulnerabilities and Exposures (CVE) program and member of the board, learned through social media that the system he helped create was just hours away from losing funding. "Another board member gave me a call and said: 'What the heck?'" Landfield recalled in an interview with The …

  1. Probie

    Live by the rule

    So basically CISA pulled the trigger and said, we are the money so here is the decision.

    The very principle that was championed should be put into effect. Like the orange one said - "you gotta pay your bills"

    So if CISA are not chipping in, why are they still involved?

    1. Wang Cores

      Re: Live by the rule

      Because the mighty Carotine Quisling is here to do what Yeltsin did to immediate post-Soviet Russia: fling open the gates.

  2. Anonymous Coward

    Too much industry in one country...

    ...there are many sayings about eggs and baskets, but if you put everything into just one place then you are at the mercy of that one Government.

    Not that people will learn from this. They're still paying the Oracle tax, the VMware tax, the Unity tax, etc...

  3. Anonymous Coward

    Move it to Europe

    This is a prime example of a function that could, and should, move to Europe so it can continue in freedom and stability.

    1. abend0c4 Silver badge

      Re: Move it to Europe

      The problem would be maintaining continuity - the secretariat is currently American and the vast majority of the board members (whose time is presumably contributed by their mostly US employers) are from the US too. It's not a straightforward lift and shift.

      1. that one in the corner Silver badge

        Re: Move it to Europe

        A move to Europe does not mean the whole thing has to be carried across the water in one go, totally cutting off any involvement from individuals in the US.

        > the secretariat is currently American and the vast majority of the board members (whose time is presumably contributed by their mostly US employers) are from the US too.

        The practical, day-to-day result on the first day of the "move" for all of the current secretariat and board members would be little more than a new email address and a new letterhead in their Word template, giving the address of the registered address in some lawyer's office. Further down the ladder, the IT staff will be migrating to duplicate infrastructure in foreign lands, but aren't modern-day IT people used to doing that sort of stuff anyway? No great shakes.

        A more cosmopolitan mix of personnel can be fostered over time. There are marvellous new technologies that allow people across the world to communicate; during a time when the majority of participants are in a particular timezone, others can be accommodating to their needs.

        If your objections are based on anything other than physical limitations of running an organisation over a long distance - e.g. if you are suggesting that any of the people/companies may object to working with a non-US based new home for the CVEs then, well, if that was the case, wouldn't that be an example of precisely why it is a good idea to make CVEs a properly international org in the first place?

        1. abend0c4 Silver badge

          Re: Move it to Europe

          In principle. However, having been involved in some vaguely comparable projects in the past the practical - or, rather, political - problem would be getting access to European funds on that basis. You'd probably need a transitional source of funding, probably from the private sector. Which wouldn't hurt in the longer run anyway.

        2. Doctor Syntax Silver badge

          Re: Move it to Europe

          RISC-V would be a suitable example. The RISC-V Foundation moved to Europe (Switzerland in their case) because of fears of being subject to US regulations.

          1. Doctor Syntax Silver badge
            Happy

            Re: Move it to Europe

            On second thoughts, staying in Washington state puts them closer to the source of many CVEs so maybe it's more convenient.

          2. Anonymous Coward

            Re: Move it to Europe

            Yep, and DNS service Quad9 moving from the US to Europe is another example.

    2. Pascal Monett Silver badge

      Re: Move it to Europe

      Move is not the correct word.

      It should be replicated to Europe, just like DNS databases are replicated across the world.

      Make continental copies, with multiple governments and/or organizations pledging to ensure funding of the operations.

      If one continent abandons the project, the replicas will be there to ensure continuity.

      This project is very much an essential resource for computing at every scale.

      Once again, despite himself, Trump is doing exactly what is needed to ensure that dependence on a single authority is banished - especially when that authority is held by an orange baboon flinging his shit at random walls.

      1. Grindslow_knoll

        Re: Move it to Europe

        CERN has plenty of compute and storage to spare, they host Zenodo (free to users) out of that reserve, so there's plenty of precedent for scalable, public funded IT programs for societal good. I can't imagine CVE being more taxing (perhaps I'm wrong) than Zenodo.

        Horizon has funding for programs like this as well, and with the link to sovereignty a mirror/fork makes total sense.

      2. DoctorPaul Bronze badge

        Re: Move it to Europe

        Time to benefit from the law of unintended consequences.

    3. Anonymous Coward

      It is a matter of trust Re: Move it to Europe

      "This is a prime example of a function that could, and should, move to Europe so it can continue in freedom and stability."

      The basic problem is that there is no trust in the US left anymore. They did it once, they will do it another time.

      It is not just this administration. Trust in US rule of law is gone. And way too many Americans have shown to hate non-Americans. Whatever happens to the current administration and its members, these MAGA isolationists will vote new ones hating non-Americans in at the first opportunity.

      Currently, European countries seem to be most trusted, be it Switzerland or the EU.

      Maybe some other country is trustworthy enough, eg, Canada, Singapore or Japan. But the US, China, India, or Russia seem sadly to be out of the question.

      The general feeling seems to be to create an international consortium would be best. The EU has a good track record of allowing international citizens into its funding programs. That might help.

  4. John Smith 19 Gold badge
    Unhappy

    You can tell if something is needed by how fast people jump to replace it.

    I think it's fair to say that CVE (or something very like it) is needed badly.

    When people talk about "resilience" they also need to consider organisational resilience, including the possibility that the whole country could be borked.

    Which is exactly what the FOCF and his gang of criminal fools is doing to the US.

    1. Eclectic Man Silver badge
      Unhappy

      Re: You can tell if something is needed by how fast people jump to replace it.

      The thing I really do not understand is that the current people running the USA clearly still want their own computers to continue to work. A unified CVE is obviously essential to that, yet there is no lead from the White House or top US advisors to say 'actually we really do need to do this, even though it would be difficult or impossible to monetise'.

      I cannot help feeling that the problem with MITRE running CVE is that it is a 'not for profit' organisation doing an essential global public service, which is not, and cannot ever be, charged for. Of course if you really were looking for organisations that should fund it, I would humbly suggest Microsoft, IBM, Apple, Oracle, Hewlett-Packard, Adobe, Google, Cisco etc. They are, after all, responsible for a large number of the bugs listed.

  5. Anonymous Coward

    Move it ALL out of the US - this was never a good idea to start with

    Wasn't the original idea of the Internet to provide communication resilience? Why on Earth was that single point of failure called the not very United States left in the architecture?

    It's not like we haven't been there before with the DNS roots, no?

    This is the moment to ensure the Net is not being used as blackmail, because if I read the trend of the orange cheeto and his tech bro mates correctly that is very likely going to happen next.
