CVE Funding Cut Could Disrupt Android Security Patch Timeline [Update: Funding Restored]

Apr 16, 2025 | News

Update 04/16 11:10 am EST: CISA has extended MITRE’s funding for 11 months to avoid any disruption to the critical CVE program. This move came just in time, as funding was set to expire on April 16, which could have caused major issues across the cybersecurity industry, reports Bleeping Computer.

The original reporting as of 04/16 05:05 am EST follows…

The US government recently started cracking down on funding, and one such move could have a telling effect on Android security. The Trump administration has stopped funding the Common Vulnerabilities and Exposures (CVE) database, which keeps our digital lives more secure. Starting April 16, the government will stop paying to keep the system running.

The CVE database helps companies identify common exploits by tracking flaws across platforms, including the Android OS. Without funding, however, the CVE database cannot continue operating, which may lead to delayed Android security patches.

The US government halts funding for the CVE database

Google releases monthly Android Security Bulletins detailing security vulnerabilities tracked in the CVE database. As the US government has cut funding for the CVE database, it now needs a new benefactor. Unless one is found, Android security updates may not be as fast as they used to be. Companies will have to develop their own security databases, which may reduce transparency.

“On Wednesday, April 16, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures Program and related programs, such as the Common Weakness Enumeration Program, will expire,” Yosry Barsoum, MITRE’s vice president and director at the Center for Securing the Homeland, told The Register.

The US government has already rolled back the tariffs on consumer electronics such as smartphones and laptops. So, it is expected that the government might roll back its decision and continue funding for the CVE database if there is enough backlash. Another possibility is that Google and a few other companies may come together and replace CVE as well.

For the uninitiated, the CVE system is a large database of known security flaws in software. Each reported flaw gets a unique CVE ID, which security researchers use to track and fix the problems. Without a standard system to identify the problems, companies have to maintain their own records. Android phone manufacturers developing their own internal tracking systems may cause delays. This will make security reporting and remediation very inconsistent; some vulnerabilities may even remain unresolved.
