Tag: funding

  • Future of CVE Program in Question Amid Funding Concerns

    The Common Vulnerabilities and Exposures (CVE) Program, an essential resource for identifying software vulnerabilities, faced a critical funding challenge earlier this week, raising alarms within the cybersecurity community. Established in 1999 and managed by the federal contractor Mitre, the program’s funding from the U.S. Department of Homeland Security was set to expire, leading to fears of disruption in vital security operations reliant on CVE data. Experts noted that effective bug coordination, national incident response, and various critical security tools could be jeopardized if the program ceased to function.

    Fortunately, the Cybersecurity and Infrastructure Security Agency (CISA), a part of DHS, intervened at the last moment by exercising a contract option that secures the program’s funding for the next 11 months. Tod Beardsley, a CVE Program board member and VP of security research at runZero, expressed relief that the immediate crisis was avoided, stating, “we’re in no immediate danger, which is great.” This temporary funding arrangement allows Mitre to continue managing the CVE Program until early March 2026.

    Nevertheless, this situation highlights an underlying need for a long-term strategy regarding the governance and funding of the CVE Program. Experts suggest that transitioning to a more globally oriented, non-profit model may be the optimal solution, particularly as the number of assigned CVEs surged from 28,818 in 2023 to 40,009 in 2024. Chester Wisniewski, director of global field CTO program at Sophos, indicated that a shift away from a U.S.-centric management framework could provide numerous benefits for the international community.

    A newly formed CVE Foundation, established by key figures from the CVE board, aims to ensure a more distributed funding model for CVEs, enhancing the integrity, availability, and identification of vulnerabilities in a sustainable manner. In tandem with these efforts, other initiatives are emerging, including the EU’s cybersecurity agency ENISA establishing its own vulnerability database, and the introduction of the Global CVE Allocation System.

    As discussions unfold about the future of the CVE Program, the industry has a window of approximately 10 months to unite behind a new governance strategy that could restore stability and confidence within the cybersecurity landscape. Collective efforts will be crucial in supporting a program that has become indispensable for IT defenders worldwide as they work to maintain a robust security posture against evolving cyber threats.

  • US Government Agrees to Continue Funding CVE Program Amid Concerns

    In a last-minute decision, the US government has pledged to extend funding for the Common Vulnerabilities and Exposures (CVE) program, which plays a critical role in the global cybersecurity landscape. This agreement comes just hours before the expiration of the previous contract with MITRE, the nonprofit organization responsible for managing the CVE database, which was set to conclude on April 16, 2025.

    The Cybersecurity and Infrastructure Security Agency (CISA) articulated that the CVE program is a vital resource for the cybersecurity community, highlighting its importance in managing and mitigating vulnerabilities. A CISA spokesperson stated, “Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.” This swift action was designed to reassure stakeholders following MITRE’s announcement that federal funding was at risk.

    Responding to mounting concerns regarding the program’s future, CVE board members have announced the establishment of a new nonprofit foundation dedicated to overseeing the ongoing operations of the CVE initiative. The foundation aims to eliminate the program’s reliance on federal funding, with the goal of ensuring that CVE remains a globally trusted initiative independent of governmental influences. A statement from the oversight body emphasized that this transition is critical for maintaining the integrity of the vulnerability management ecosystem.

    Although funding has been secured for now, uncertainties loom over the CVE program’s governance as discussions about the coordination between the new foundation and MITRE continue. Peter Allor, a CVE board member, noted that the announcement from MITRE regarding the termination of funding was unexpected and had been anticipated by several parties involved. The situation has prompted calls for a restructuring of the program’s funding model to secure its future stability.

    With the complexity of the vulnerability landscape continuing to grow, experts like Bugcrowd founder Casey Ellis voiced concerns that the recent uncertainty could lead to fragmentation in standards, potentially undermining the purpose of the CVE initiative. MITRE expressed gratitude for the support received throughout the duration of this funding crisis, emphasizing its commitment to the nation’s cybersecurity.

    For further details, visit the sources: Homeland Security Funding for CVE, CVE Foundation Statement.