
> A coalition of CVE Board members launched a new CVE Foundation "to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program."

> https://www.thecvefoundation.org

https://mastodon.social/@serghei/114346660986059236


This kind of a consortium needs to explicitly avoid being captured by both the product vendors (who could be incentivised to manipulate the CVE issuance process to support their own remediation timescales), and by security companies (who could be incentivised to obtain a competitive advantage via preferential access to the CVE database).

It isn't impossible for a commercially-funded organisation to avoid this kind of capture, but it isn't easy either. My mind immediately jumps to the relationship between the Mozilla Foundation and Google.


Then there were two: https://gcve.eu

Plus the proposed "Foundation for Standards and Metrology (FSM)" to build on NIST, https://democrats-science.house.gov/bills/the-expanding-part...


Don't some projects already issue their own CVEs?


CNAs [1] are assigned blocks of CVEs and then assign from within that block, but the system only works if there is overall administration of the CVE Program [2].

My concern is that a capture of the administration would become a capture of the entire programme. Looking at the structure, it seems possible that CISA are in a position to prevent any such capture but, given some of the recent positions taken by the US government, we'll need to wait and see how that plays out.

[1] https://www.cve.org/ProgramOrganization/CNAs

[2] https://www.cve.org/ProgramOrganization/Structure


Yes, but it's a hierarchy. If you disagreed with their judgement you could always go up the chain, and MITRE can take the privilege away again if they think a vendor is misusing it.


So if the govt stops paying them they'll continue to do the work for free?


The way their letter is worded it seems that they have a rainy day fund constituted to ride out the stormy next few weeks, and I'm fairly certain they'll come back in the next few days with more details as to how they'll be acquiring funding from now on. Maybe paid access to an API, maybe donations from large companies that use the system, maybe something else ::shrug:: Hopefully a project as important as this doesn't just disappear completely because of government pressure.


More likely they will seek funding from companies and other organizations, as every other foundation/consortium of this kind does.


They're converting to a nonprofit, so instead of federal funding they will need funding from big tech companies.


MITRE is already a not-for-profit.


How else will they continue burning out open source maintainers with bullshit?


This smells like a quick attempt to enable phishing for vulnerabilities, and not a legit way to make progress. The comment is from a person that runs a security startup and the site is a google site that people can report to google as a scam. (Edit: downvote as you like it; perhaps my language was too harsh to help make the point clear. It is interesting how easily non-sec people fall for names and quotes and authority... building trust does not come overnight, in fact it is never fully there, and infosec experts would not fall for such supply chain redirections with questionable future. Hopefully we will not have to test this idea soon, though some level of reliability and long-term automation would be welcome. We need technical, generally agreed upon systems, not a "foundation".)


It's also easy to use Pi-hole with NextDNS as the upstream server, using cloudflared as the DNS-over-HTTPS tool [1] to connect to NextDNS in a secure manner.

[1]: https://docs.pi-hole.net/guides/dns/cloudflared/


290 million fully vaccinated and 1,390 million total population. :) [1 crore = 10 million]


3rd doses are coming, and seem to give a good and needed additional boost to immunity (this is true for many other vaccines as well). 2 doses won't be "fully vaccinated" after one more year.


> 3rd doses are coming, and seem to give a good and needed additional boost to immunity

Did you mean antibody count?

> 2 doses won't be "fully vaccinated" after one more year

Purely administrative decision


I'm experiencing the same issue. I disabled Pi-hole and any content blockers on my device and the network. Still seeing the issue on mobile and desktop. For me it's while ordering through Amazon's Whole Foods 2-hour delivery service. Haven't tried Amazon.com checkout.


I have to disagree with that.

While I'm not saying this might be true for every book out there, I completed most of my bachelor's and my master's engineering degree by buying low-priced editions from India and SE Asia, and I used to verify and compare with US editions and never once did I find any major differences in context or additional problem sets.

The quality of paper wasn't as good, but the price difference was huge and well worth the effort for me to be able to afford them.

