A Fresh Direction for CVE Program: Urgent Ownership Needed

The Common Vulnerabilities and Exposures (CVE) Program, established in 1999 and under the management of Mitre, faced a significant funding crisis this week that threatened its operational continuity. As the funding from the U.S. Department of Homeland Security appeared poised to lapse, industry experts voiced concerns regarding the program’s critical role in facilitating the sharing of vulnerability information that underpins various security measures.
Fortunately, a last-minute intervention from the Cybersecurity and Infrastructure Security Agency (CISA) extended the program’s funding for the next eleven months. Tod Beardsley, Vice President of Security Research at runZero and a member of the CVE Program board, highlighted the importance of this reprieve, emphasizing that it mitigates immediate risks. Meanwhile, CISA confirmed that Mitre would maintain its role in operating the CVE Program until early March 2026.
Despite the temporary extension, industry leaders emphasize the necessity of establishing a more permanent governance structure outside of U.S. control. Chester Wisniewski, Director of Global Field CTO Program at Sophos, articulated that a transition away from a U.S.-funded model could benefit the overall mission of the CVE initiative. He noted that as the nature of cybersecurity evolves, so too must the frameworks and entities that manage vulnerability identification.
As demand for CVE assignments has surged—evident in the increase from 28,818 CVEs in 2023 to 40,009 in 2024—the program has struggled to keep pace, raising concerns about its future efficacy. Experts have suggested that creating an independent entity, such as a non-profit organization, might be the most viable method to ensure sustained and impartial governance of the CVE framework.
The recent establishment of the CVE Foundation by some board members, including long-serving member Kent Landfield, reflects a proactive attempt to reform the program’s financial model. This foundation aims to sustain the quality and availability of CVE data, essential for global defenders. Its focus on neutrality over national interests aims to create a more robust and stable environment for vulnerability identification.
Simultaneously, international efforts are underway to supplement or innovate on the CVE infrastructure. The European Union’s cybersecurity agency, ENISA, has launched the European Vulnerability Database (EUVD), while the Global CVE Allocation System (GCVE) aims to serve as an adjunct to the existing CVE Program. These initiatives underscore the imperative for a diverse, globally oriented approach to vulnerability management.
The reliance on CVEs from various stakeholders, including software vendors and national computer emergency response teams (CERTs), highlights the collaborative nature needed for effective vulnerability identification. This distributed model is critical as it fosters collective accountability among organizations while allowing flexibility in addressing varying security scenarios.
As the cybersecurity landscape grows increasingly complex, the call for a restructured CVE program is urgent. Transitioning to a new management framework could not only enhance operational consistency but also ensure that CVE remains a vital resource for navigating security risks. Experts agree that while CVEs do not capture the entirety of network security challenges, they are a crucial component of a comprehensive security strategy.
With approximately ten months remaining to implement these necessary changes, the industry stands at a pivotal moment. For business owners and security professionals alike, understanding the evolving dynamics of the CVE Program is essential for maintaining robust cybersecurity defenses in an increasingly perilous digital environment.