Despite Last-Minute Reprieve, Fresh Approach and Ownership Required, and Soon

Life comes at you fast when you’re the world’s authoritative source of information about software vulnerabilities.
The Common Vulnerabilities and Exposures Program, run by federal contracting firm Mitre, faced imminent disruption earlier this week, when the program’s U.S. Department of Homeland Security funding looked set to expire (see: Cybersecurity Alarms Sound Over Loss of CVE Program Funding).
Experts warned that the vulnerability information-sharing program, launched in 1999 and run since then by Mitre, is essential. Proper operation of bug-coordination efforts, national incident response, critical infrastructure and all manner of security tools rely on CVE data.
At the eleventh hour, “CISA, which is a part of DHS, stepped up and exercised an option in the contract that allows for funding for the next 11 months so we’re in no immediate danger, which is great,” said Tod Beardsley, VP of security research at runZero and a CVE Program board member.
The U.S. Cybersecurity and Infrastructure Security Agency said that Mitre, which has run the CVE Program since its launch in 1999, can continue to do so until early March 2026.
This is a temporary solution. Clearly, the U.S. government wants CISA to stop paying for the CVE program. Someone else needs to seize the funding and governance reins, and the opportunity to do so allows for creating a less U.S.-centric endeavor.
“This is necessary; not only are we unlikely to return to the U.S.-funded, Mitre-run CVE-assignment system the industry has known for a quarter-century, we’re better off moving on,” said Chester Wisniewski, director of Sophos’ global field CTO program.
This isn’t the first hiccup in CVE land. Especially as the number of newly found vulnerabilities has risen in recent years, the program has struggled to keep up. With the number of assigned CVEs surging from 28,818 in 2023 to 40,009 in 2024, the program’s ongoing decline looked set to intensify further.
Privately funding Mitre to bolster the program likely isn’t an option, because of the way the contractor has been congressionally chartered, experts say.
Spinning off the CVE program as its own non-profit entity seems a logical next step. This already seemed like the most likely emergency fix, after a leaked Tuesday letter from Mitre to CVE Program board members warned that funding would expire on Wednesday, until it didn’t.
Within that gap, some CVE program board members – including very long-time member Kent Landfield – announced the launch of a new, dedicated non-profit organization called the CVE Foundation.
“Some folks on the board – myself included – have been advocating for a more distributed funding model for CVEs, through the CVE Foundation,” said Beardsley, who until recently served as CISA’s vulnerability response section chief, including working on its Known Exploited Vulnerabilities catalog, which relies heavily on CVEs.
The new foundation has pledged to “focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide,” in a more neutral and sustainable fashion.
Other approaches are also being tried out. The EU’s cybersecurity agency ENISA announced the launch of its own vulnerability database, the EUVD. Also announced: the Global CVE Allocation System, or GCVE, although it’s designed to only serve as a CVE Program add-on.
Many organizations already contribute to the Mitre-managed CVE Program, including in the form of the CVE Numbering Authorities, or CNAs, which can issue CVEs. “These are often software vendors – including Sophos – who issue them to identify vulnerabilities in their own products and then inform Mitre as each number is assigned,” Sophos’ Wisniewski said. “Alternately, CVEs can be assigned by CERTs – computer emergency response teams, generally existing at a national level – or by the CNA-LR.” This stands for the CNA of last resort, and is currently Mitre.
One elegant facet of the program is that a CVE can be issued for a vulnerability, even if the developer or vendor isn’t involved in the CVE Program itself.
Moving the CVE program wholesale to a new entity would carry numerous upsides, including consistency. From an automation standpoint, numerous security products ingest or otherwise rely on CVE data, which always comes in the form of CVE-YYYY-NNNNN, with Y denoting the current year and N the number. Alternative approaches, such as the EUVD, use a different numbering system and so wouldn’t be compatible with existing systems.
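As an added illustration (not code from the article, Mitre or the CVE Program) of why the fixed CVE-YYYY-NNNNN form matters to tooling: a small Python parser that accepts only that form, extracts the year and sequence number, and pulls CVE IDs out of free text while ignoring identifiers from other schemes. The sample advisory text and the OTHER-2024-0001 identifier are constructed placeholders, not real advisories or a real alternative scheme.

```python
import re
from typing import NamedTuple, Optional

# CVE-YYYY-NNNN...: four-digit year, then a sequence number of at least four
# digits (the article writes NNNNN; official IDs allow four or more digits).
_CVE_ID = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
_CVE_IN_TEXT = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


class CveId(NamedTuple):
    year: int
    sequence: int

    def __str__(self) -> str:
        # Canonical spelling: upper-case prefix, sequence zero-padded to 4 digits.
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(raw: str) -> Optional[CveId]:
    """Return a CveId for a well-formed identifier, or None for anything else.

    Case and surrounding whitespace are normalised; identifiers from other
    numbering schemes (different prefix or year width) are rejected so a
    downstream tool never treats them as CVE records.
    """
    m = _CVE_ID.match(raw.strip().upper())
    if not m:
        return None
    return CveId(int(m.group(1)), int(m.group(2)))


def extract_cve_ids(text: str) -> list[str]:
    """Collect canonical CVE IDs from free text, de-duplicated, in first-seen order."""
    seen: dict[str, None] = {}
    for m in _CVE_IN_TEXT.finditer(text):
        parsed = parse_cve_id(m.group(0))
        if parsed is not None:
            seen[str(parsed)] = None
    return list(seen)


# Constructed sample input: two spellings of one CVE, one ID from a made-up
# non-CVE scheme (placeholder, not a real scheme), and a second CVE.
SAMPLE_ADVISORY = (
    "Fixes CVE-2024-12345 and cve-2024-12345 (same bug), references "
    "OTHER-2024-0001 from a non-CVE scheme, and also addresses CVE-2023-0002."
)

if __name__ == "__main__":
    print(extract_cve_ids(SAMPLE_ADVISORY))
```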
Sticking with an approach that already works and is international in scope has many upsides. “Without the CVE process, we don’t have any real way, besides legislation (which I’m arguing will help) to keep vendors honest and hold them to account,” said cybersecurity researcher Daniel Cuthbert in a post to social platform X.
Also, the industry has an abysmal track record of self-organizing or agreeing on a common nomenclature. Take so-called advanced persistent threat groups. What one firm calls a Typhoon, another codenames a Panda, Silhouette or Taurus. In reality, those names – among many others – get assigned by different researchers and firms to track similar sets of hacking activity tied solely, in this case, to China.
Good luck to anyone trying to quickly wade through the nomenclature. “This also applies to malware names, especially in the past – just look at a list of detections on VirusTotal,” Wisniewski said. “Not pretty.”
Clearly, we need CVEs, and a program under new management. “While CVEs do not encompass the full scope of network security issues, I think we can all agree that they are still a critical component to track as part of a robust security program,” Beardsley said. “Over the last 25 years, the CVE program has evolved into a critical, shared and global resource that ultimately helps IT defenders keep their constituents safe and secure, and it’s important for this work to continue.”
The industry now has about 10 months to collectively get its act together to support and fund a program run by new management.