On April 16, less than a month after nonprofit R&D organization MITRE celebrated the 25th anniversary of the Common Vulnerability and Exposures (CVE) effort, the program narrowly escaped a sudden demise when a last-minute, 11-month contract extension averted a shutdown.
That near-miss put vulnerability experts and cybersecurity defenders on edge, most of whom still fear that this essential mechanism for detecting, tracking, and remediating software vulnerabilities could suddenly disappear overnight.
Now, “we’re still in the fragmented, visionary-picking-up-the-pieces phase here after the bomb was dropped in April, and this was the second year in a row, given that there was a bit of a funding crisis on the NVD” in 2024, Brian Fox, co-founder and CTO of Sonatype, told CyberScoop.
In early 2024, funding for a national vulnerability database, or NVD, maintained by the National Institute of Standards and Technology (NIST), dried up, and the organization stopped providing critical metadata for many vulnerabilities that organizations need to fix, an information shortage that has yet to be fully rectified.
At stake is the future reliability and trustworthiness of a system that serves as the backbone for global software security. The CVE program is not just a technical database; it is the world’s linchpin for coordinating how vulnerabilities are tracked, disclosed, and ultimately patched.
Any disruption or uncertainty in the CVE program risks slowing down information sharing among defenders, undermining incident response, and granting attackers the upper hand. Control over the program therefore carries enormous influence — whichever organization is responsible will help set priorities, shape disclosure policies, and determine whether the system remains open, neutral, and effective, or slides into fragmentation, delay and confusion that could put crucial technology at risk.
The growing ranks of CVE alternatives
Not only did the funding scare rattle defenders, it also opened the door for a wave of alternative system providers eager to take advantage of the opportunity. After CVE’s near-death experience, a host of new ideas and methods for tracking security vulnerabilities sprang to life or gained greater prominence.
Among these were the EUVD, or the European Union Vulnerability Database, organized by the European Union Agency for Cybersecurity (ENISA); the GCVE: Global CVE Allocation System, developed by CIRCL.eu; the Computer Incident Response Center in Luxembourg, and the CVE Foundation, a U.S.-based nonprofit formed to support the CVE program.
All these alternatives seem viable to many for the simple reason they are not dependent on the U.S. government as the sole funder.
“We are at a point where what got the CVE program here is not going to get us to the next step,” Jay Jacobs, founder of Empirical Security and chief data scientist emeritus and founder at Cyentia Institute, told CyberScoop. “It seems pretty clear that’s the case.”
To that end, at least two other organizations have also thrown out new concepts for how CVE should be governed, and one of them is CISA itself.
CISA’s vision for a new CVE program
Amid mounting criticism and uncertainty, CISA has also pushed for a revamped CVE program. On Sept. 10, CISA published its “vision” for a new CVE program that contemplates several fundamental changes.
One of these changes opens the CVE program to a broader array of participants than the current situation allows. “CISA intends to leverage its partnerships to ensure better representation from international organizations and governments, academia, vulnerability tool providers, data consumers, security researchers, the operational technology industry, and the open-source community,” according to CISA’s paper outlining its new approach.
The agency says it will also evaluate mechanisms for diversified funding and hopes to modernize CVE with more rapid implementation of automation and other capabilities. To achieve transparency, CISA says it wants to seek community feedback and open dialogue with global partners.
Finally, CISA further plans to improve CVE record quality and will prioritize improvements in these areas appropriate to the unique roles that certified number authorities of last resort (CNA-LR) play in the ecosystem.
However, CISA has been dealing with massive funding cuts and staff layoffs since January, including the firing of nearly 200 workers at the start of the government shutdown on Oct. 1. It is also a particular object of enmity for the director of the White House’s Office of Management and Budget, Russell Vought, who, when he spearheaded Project 2025 for the Heritage Foundation, wanted to get rid of the agency altogether. Moreover, the White House nominee to lead CISA, Sean Plankey, has yet to be confirmed.
The murky future of CISA has only elevated the calls by some vulnerability experts that the CVE program must quickly be removed from U.S. government control. One leading vulnerability scientist, who asked not to be named to speak freely on political issues, told CyberScoop that “people are looking for solutions that involve more private sector and less government action. This was true with the drama earlier this year, and is only intensifying with the layoffs at CISA, and now the shutdown.”
Fox is another skeptic who questions whether CISA is a trustworthy vehicle to govern the CVE program, referencing a report where a whole bunch of security researchers from CISA were pulled “to focus on immigration or something like that.”
Not all experts agree that CISA should be eased out of a governing role over the CVE program. Nicholas Leiserson, senior vice president for policy at the Institute for Security and Technology (IST), said during a recent cybersecurity conference that “we’ve heard public commitments from CISA that they’re going to continue to support the program, and that’s good.”
“I think there’s still an opportunity for the US government to play, and they should be playing a vital role in funding this,” Mitchel Herckis, global head of government affairs at Wiz, told CyberScoop.
As for the experts running the alternatives, they say that CISA has not reached out to them to discuss the ambitious changes it outlined in the agency’s vision. “Talking with a lot of people in the vulnerability management ecosystem, in which I participate, and talking to other nonprofits and people who are very much associated with this, CISA has not contacted them,” Pete Allor, chairman of the CVE Foundation, told CyberScoop.
Global Vulnerability Catalog
While CISA outlines one path forward, think tanks and policy groups are sketching out others, most notably, a proposal from IST that would globalize the vulnerability naming model.
On Oct. 8, IST released a position paper that serves as a “blueprint” for the next 25 years of the program. This document, of which IST’s Leiserson is a lead author, advocates creating a Global Vulnerability Catalog or GVC that, like CVE, relies on unique identifiers for maintaining and providing access to a catalog of actionable cybersecurity vulnerabilities.
The blueprint envisions that the GVC will start with the CVE program and build from there, with an expanded pool of board members, a diverse array of funding mechanisms, and the U.S. government, including the White House’s Office of the National Cyber Director, providing governance.
Leiserson stresses that diversity of funding is key under the GVC model. “Diversity is the most important thing, and that’s diversity from other governments,” he told CyberScoop. “It’s diversity from a diverse pool of industry. It’s diversity from philanthropy and other foundations, but diversity is critical and is core to our thesis.”
And yet he points to one of the biggest risks in having multiple governments participating in the GVC program, which is fragmentation. “The advantage of a global vulnerability catalog is that it’s singular,” he said.
“You need one of those, and you lose almost all of the utility out of it once you start seeing fragmentation,” he added. “And the greatest risk from fragmentation is from governments. If you don’t have strong governmental buy-in, and that means as part of the governance and as part of the funding stream, you’re going to run into problems.”
CVE Foundation
The CVE Foundation offers one of the most visible alternatives to the current system. It began advocating to replace the CISA-MITRE model as the brief funding crisis got underway in March.
Unlike some vulnerability experts, who call for transition periods of at least a year, Allor thinks it would be relatively easy to transition the current CVE system from CISA and MITRE to his nonprofit model. “CVE is just a namespace,” meaning that it’s just a set of unique identifiers, he told CyberScoop. “So if the United States government, through CISA, is basing a strategy on CVE, then I think they need to seek other employment.”
Allor would like to see governments participate in the foundation, but not play a governance role, which is a difficult needle to thread. “The problem for governments is they like to say, ‘Well, I came in with money and I get the vote and all that,” he said. “Guess what? You’re just somebody who helps contribute dollars. That doesn’t give you a veto or an override for everyone else.”
Allor says he is very close to being able to transition CVE to the foundation, with “one financial backer right now who’s asking us to come forward with another backer publicly,” he told CyberScoop. “I think then you’ll have some national governments and a regional government body, and a whole bunch of other private-sector backers that will come forward.”
Allor predicts these backers will go public within weeks, not months.
Disputes remain about how much CISA currently invests in the program. Some sources say it’s $60 million per year, while other sources say it’s closer to $25 million. Allor says the foundation is working off a budget that is in the “low eight-figure” range.
Time is of the essence
Whether any of these competing models win out remains uncertain, but time is running short before the next funding cliff arrives.
Allor says that the 11-month extension keeping the CVE program afloat expires March 6, 2026, so CISA must act quickly to avoid another funding crisis — a scenario that’s unlikely given the agency’s current level of disarray and the broader government shutdown turmoil.
Alternatively, one of the competing models, such as the GVC or the CVE foundation, needs to act quickly to avoid a CVE disaster. Yet several experts say the world will not end if CISA fails to provide continuity in the CVE program and a temporary lapse ensues.
“In the case where that happens and the CVE program ceases to be a priority for the U.S. government, third parties will pick it up, whether that’s our friends in Europe or a consortium like the CVE Foundation comes together,” Ben Edwards, principal research scientist at Bitsight, told CyberScoop.
“And it’s nice that the frameworks, the infrastructure for the most part, are open,” he added. “You can go download the CVE frameworks. A lot of the stuff that MITRE does to run in the background is available through the CVE program. I don’t see it as impossible for another organization to take over that governance.”
The post Behind the struggle for control of the CVE program appeared first on CyberScoop.
Following a funding scare that nearly shuttered the CVE program, outside experts and CISA are positioning to take charge of the 25-year-old system before the next funding crisis hits.
The post Behind the struggle for control of the CVE program appeared first on CyberScoop. Read MoreCyberScoop
