this post was submitted on 16 Apr 2025
794 points (99.6% liked)

Technology

[–] wampus@lemmy.ca 29 points 5 days ago (8 children)

I'm honestly not totally sure what to think about this one, though I recognise that it's a big shift/likely a negative overall result.

The reason I'm humming and hawing is that there are lots of expensive cybersecurity type 'things' that rely on the CVE system, without explicitly paying into that system / supporting it directly, from what I recall / have seen. Take someone like Tenable security, who sell vulnerability scanners that extensively use/integrate with the CVE/NVD databases... companies pay Tenable huge amounts of money for those products. Has Tenable been paying anything into the 'shared' public resource pool? How about all those 'audit' companies, who charge like 10-30k per audit for doing 'vulnerability / penetration tests'?

IT Security has been an expensive/profitable area for a long time, while also relying on generally public/shared resources to facilitate a lot of the work. Maybe an 'industry' funded consortium is the more appropriate way to go.

[–] FauxLiving@lemmy.world 6 points 5 days ago

The CVE system protects everyone that uses computers. It is a public service that forms the core of cybersecurity in the US and many other places. It does not cost the database any more money if people use it to provide services to clients.

Letting a private corporation take it over and put it behind a paywall now means that security, like so many other things, will only be available to people with money. It will make software and hardware more expensive by adding yet another license fee or subscription if you want software that gets security updates.

In addition, a closed database is just less useful. This system works because when one person notifies the system of an exploit, every other person then knows. That kind of system is much higher quality if you have more people who are able to access it.

An industry being created and earning money by providing cybersecurity services shows how useful such a system is for everyone. There are good paying jobs that depend on this data being freely available. New startups only need to provide service, they don't need to raise the funds to buy into the security database because it is a public service. They also pay taxes (a significant amount if they're charging $30,000 per audit), more than enough profit for the government to operate a database.
