The future of the Common Vulnerability and Exposures (CVE) program, a critical global system for identifying and cataloging software flaws, remains uncertain following a near-shutdown and ongoing funding challenges. The program narrowly averted a complete halt on April 16 with an eleventh-hour contract extension, but concerns persist about its long-term stability and governance. This situation has spurred the development of alternative systems and prompted discussions about a reimagined CVE.
The CVE program, managed by MITRE and historically supported by U.S. government funding, is essential for cybersecurity defenders to track, disclose, and remediate software vulnerabilities. A disruption to this system could significantly impair information sharing, delay incident response, and potentially offer attackers a tactical advantage. The program’s future governance is seen as crucial for maintaining its neutrality and effectiveness in a rapidly evolving cybersecurity landscape.
The CVE Program’s Funding Crisis and Emerging Alternatives
The recent funding scare for the CVE program is not an isolated incident. In early 2024, the National Vulnerability Database (NVD), maintained by NIST, experienced its own funding crisis, leading to a halt in providing crucial metadata needed by organizations to address vulnerabilities. This shortage has yet to be fully resolved, contributing to widespread anxiety among cybersecurity professionals.
These funding uncertainties have created an opening for various alternative systems and governance models. The European Union Vulnerability Database (EUVD), established by the European Union Agency for Cybersecurity (ENISA), and the Global CVE Allocation System (GCVE) from CIRCL.eu are among the new initiatives. Additionally, a U.S.-based nonprofit, the CVE Foundation, has been formed to support the program’s continuity.
These alternatives are attractive to many because they are not solely reliant on U.S. government funding. Experts suggest that the current operational model of the CVE program may not be sustainable for future needs, signaling a need for significant reform.
CISA’s Vision for a Revitalized CVE Program
Amidst the growing concerns, the Cybersecurity and Infrastructure Security Agency (CISA) has proposed its own vision for a modernized CVE program. Published on September 10, CISA’s plan emphasizes broadening participation beyond the program’s current set of participants.
CISA intends to incorporate a wider array of stakeholders, including international governments, academia, vulnerability tool providers, security researchers, and the open-source community. The agency also aims to explore diversified funding mechanisms and enhance the program’s automation capabilities to ensure more rapid implementation of updates.
However, CISA’s ability to implement these ambitious changes is complicated by its own internal challenges, including significant funding cuts and staff layoffs. Furthermore, there are political headwinds, with some influential figures expressing skepticism about CISA’s role in governing the CVE program.
These factors have led some vulnerability experts to advocate for removing the CVE program from direct U.S. government control, favoring models with more private sector involvement. Meanwhile, others believe the U.S. government should maintain a vital role in funding and supporting the program.
Considering a Global Vulnerability Catalog
Beyond CISA’s proposals, think tanks and policy groups are exploring other avenues, notably a blueprint for a Global Vulnerability Catalog (GVC) proposed by the Institute for Security and Technology (IST). This model envisions a more globalized approach to vulnerability naming, building upon the existing CVE structure but with expanded governance and diverse funding streams.
The GVC concept emphasizes the critical importance of diverse funding from various governments, industry, and philanthropic organizations. However, proponents acknowledge that the greatest risk to such a global initiative would be fragmentation, particularly if governments do not provide strong buy-in and consistent participation.
The Role of the CVE Foundation
The CVE Foundation presents another prominent alternative, advocating for a transition away from the current CISA-MITRE operational model. The foundation’s treasurer suggests that the core CVE system, being a namespace of unique identifiers, could be relatively easily transferred to a non-profit structure.
The foundation’s model seeks government participation through financial contributions rather than direct governance. The foundation is reportedly close to securing significant backing from national governments, regional bodies, and private sector entities, with announcements expected in the coming weeks.
Time is of the Essence for the CVE Program
With the current 11-month extension set to expire on March 6, 2026, time is running out to establish a stable and sustainable future for the CVE program. CISA faces pressure to act decisively to prevent another funding crisis, a task made more difficult by its current internal disarray.
Alternatively, competing models like the GVC or the CVE Foundation may need to accelerate their plans to ensure continuity. Despite the potential for disruption, some experts suggest that the cybersecurity ecosystem is resilient enough to adapt: because much of the CVE framework is open source, third parties are likely to step in if U.S. government support falters.