The Common Vulnerabilities and Exposures (CVE) Program, an essential resource for identifying software vulnerabilities, faced a critical funding challenge earlier this week, raising alarms within the cybersecurity community. Established in 1999 and managed by the federal contractor Mitre, the program’s funding from the U.S. Department of Homeland Security was set to expire, leading to fears of disruption in vital security operations reliant on CVE data. Experts noted that effective bug coordination, national incident response, and various critical security tools could be jeopardized if the program ceased to function.
Fortunately, the Cybersecurity and Infrastructure Security Agency (CISA), a part of DHS, intervened at the last moment by exercising a contract option that secures the program’s funding for the next 11 months. Tod Beardsley, a CVE Program board member and VP of security research at runZero, expressed relief that an immediate crisis had been avoided, stating, “we’re in no immediate danger, which is great.” This temporary funding arrangement allows Mitre to continue managing the CVE Program until early March 2026.
Nevertheless, this situation highlights an underlying need for a long-term strategy for the governance and funding of the CVE Program. Experts suggest that transitioning to a more globally oriented, non-profit model may be the optimal solution, particularly as the number of assigned CVEs surged from 28,818 in 2023 to 40,009 in 2024. Chester Wisniewski, director of the global field CTO program at Sophos, indicated that a shift away from a U.S.-centric management framework could provide numerous benefits for the international community.
A newly formed CVE Foundation, established by key figures from the CVE board, aims to ensure a more distributed funding model for CVEs, sustaining the integrity and availability of vulnerability identification. In tandem with these efforts, other initiatives are emerging, including the EU’s cybersecurity agency ENISA establishing its own vulnerability database, and the introduction of the Global CVE Allocation System.
As discussions unfold about the future of the CVE Program, the industry has a window of approximately 10 months to unite behind a new governance strategy that could restore stability and confidence within the cybersecurity landscape. Collective efforts will be crucial in supporting a program that has become indispensable for IT defenders worldwide as they work to maintain a robust security posture against evolving cyber threats.