Authored by: Victoria Mosby
Posted on: April 17, 2025

The CVE Program Regains Funding: A Critical Juncture for Global Cybersecurity

If you've spent any amount of time in cybersecurity, you've likely encountered the CVE (Common Vulnerabilities and Exposures) Program. It's a foundational piece of how we identify and talk about security vulnerabilities as an industry. Over the past 24 to 36 hours, the cybersecurity world has been buzzing with updates about the future of this essential program. It was first reported that MITRE's federal contract to operate the CVE Program would expire without renewal, raising serious concerns about the program's continuity. Then, in a significant turn of events, CISA exercised an 11-month option on that contract so that these invaluable services continue, for now.

The Timeline of Events

April 15: A letter from MITRE to the CVE Board, warning that its federal contract to operate the program would expire the next day, became public and sent shockwaves through the cybersecurity community. Questions immediately arose about how MITRE and the CVE Program would manage such a monumental shift.

April 16: A coalition of longtime CVE Board members announced the CVE Foundation and revealed that they had been preparing for this possibility for over a year, with plans to transition the program to a dedicated non-profit foundation.

April 16: Just as the community began grappling with those implications, news broke that CISA had extended its contract with MITRE for 11 months. While the extension provides temporary relief, the program's long-term sustainability remains uncertain.

The interim funding is great news, but it highlights deeper, systemic issues about how we fund and sustain critical infrastructure in cybersecurity. Let's break down the challenges and what the industry must consider moving forward.

What is the CVE Program?

Established in 1999, the CVE Program introduced a standardized way to catalog and reference publicly known cybersecurity vulnerabilities.
Think of it as a shared language: a CVE ID (an identifier of the form CVE-YYYY-NNNN) lets researchers, vendors, and defenders refer clearly and consistently to one specific issue, whether it's a buffer overflow in an open-source library or a newly discovered zero-day vulnerability. MITRE, the not-for-profit that operates the program under contract to the U.S. government, has played a critical role in maintaining this infrastructure. Over the years, CVE IDs have become deeply embedded in vulnerability management systems, penetration testing workflows, and patching strategies. Without them, our ability to coordinate and respond to threats would be significantly hindered.

Why CVEs Matter

For more than two decades, the CVE Program has helped the industry:

- Accelerate Incident Response: CVE IDs help teams quickly identify affected assets and prioritize remediation.
- Standardize Vulnerability Reporting: Researchers and vendors rely on CVE IDs to publish advisories in a consistent format that's recognized globally.
- Enable Security Automation: Vulnerability scanners, SIEMs, and other tools key on CVE IDs to detect and act on known issues efficiently.
- Facilitate Collaboration: CVE IDs connect the dots between government agencies, private companies, and independent researchers working toward a common goal.

On a global scale, CVEs provide even more value:

- Coordinate International Response: Shared identifiers streamline efforts across borders when responding to active threats.
- Enhance Supply Chain Security: Many organizations rely on CVE IDs to understand downstream risk from third-party software components, typically by matching the identifiers in vendor advisories against the components listed in an SBOM or asset inventory.
- Support Compliance Efforts: Frameworks such as the NIST Cybersecurity Framework and regulations such as GDPR expect robust vulnerability management practices, and much of the tooling behind those practices is built on CVE IDs.
- Promote Transparency and Trust: A standardized system fosters clearer communication and accountability across the digital ecosystem.

A Single Point of Failure

The events of the past few days underscore a critical vulnerability: the CVE Program's reliance on a single funding source.
While the extension is a temporary reprieve, the underlying issue remains. A single stream of funding is a single point of failure, and when that funding is tied to government contracts it introduces additional risks, from shifting priorities to bureaucratic delays or abrupt cutoffs.

This moment should serve as a wake-up call for the global cybersecurity community. The sustainability of critical infrastructure like the CVE Program cannot rest on the shoulders of one organization or one contract. It's time to think bigger, and more collaboratively, about how we secure the future of this essential resource.

The Role of the CVE Foundation

Amid all the uncertainty, one announcement stood out: the launch of the CVE Foundation. Founded by a coalition of longtime, active CVE Board members, the foundation has reportedly been in development for over a year. Its stated mission is to:

"Focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide."

The proactive effort by these Board members to establish a nonprofit CVE Foundation is encouraging. This transition could open the door to new funding models, including:

- Private Sector Support: Tech companies that rely on CVEs for their own security operations could play a larger role in funding the program.
- Public-Private Partnerships: Governments and industry stakeholders could collaborate to create a more stable, diversified funding base.
- Global Contributions: International organizations and governments could share responsibility for supporting a system that benefits everyone.

The CVE Foundation also presents an opportunity to rethink how we approach vulnerability tracking and coordination. Could this shift lead to innovation in how CVEs are assigned, updated, or integrated with other systems? Could it foster stronger international collaboration? These are important questions to ask as we navigate what comes next.
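The "Enable Security Automation" and "Enhance Supply Chain Security" points above, and the question of how CVE IDs integrate with other systems, come down to one mechanical operation: pulling identifiers out of advisory text and joining them against what you actually run. The Python below is an added example, not code from this post, from PlexTrac, or from the CVE Program. It assumes the published CVE ID syntax (the literal "CVE", a four-digit year, and a sequence number of at least four digits), a simple dotted numeric version scheme for the inventory, and constructed sample data; the placeholder identifiers use the year 2099 so they cannot be confused with real CVE records. It also flags identifiers that an advisory cites but the local CVE mirror does not yet carry, which is the kind of assignment or publication gap the post anticipates during the transition.

```python
import re
from dataclasses import dataclass

# CVE ID syntax: "CVE-", a four-digit year, "-", and a sequence number of at
# least four digits (longer sequence numbers have been valid since the 2014
# syntax change). Case-insensitive so "cve-2099-0001" in a ticket body is
# still picked up.
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def extract_cve_ids(text: str) -> set[str]:
    """Return every CVE ID mentioned in free text, normalized to upper case
    and de-duplicated."""
    return {f"CVE-{year}-{seq}" for year, seq in CVE_ID_RE.findall(text)}


def parse_version(version: str) -> tuple[int, ...]:
    """Dotted numeric versions only (an assumption for this example; real
    ecosystems such as PEP 440 or semver prerelease tags need their own rules).
    Comparing tuples, not strings, is what makes 1.10.0 sort after 1.3.0."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    cve_id: str
    product: str
    fixed_in: str  # first version that contains the fix


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    host: str


def affected_components(inventory, advisories):
    """Map each CVE ID to the inventory entries running a version older than
    the advisory's fix. This join is what scanners and SBOM tooling do with
    CVE IDs."""
    hits: dict[str, list[Component]] = {}
    for adv in advisories:
        fix = parse_version(adv.fixed_in)
        for comp in inventory:
            if comp.name == adv.product and parse_version(comp.version) < fix:
                hits.setdefault(adv.cve_id, []).append(comp)
    return hits


def uncatalogued_ids(mentioned: set[str], catalog: set[str]) -> list[str]:
    """IDs cited by advisories that the local CVE mirror does not carry yet.
    A non-empty result is the coordination gap to watch for when assignment
    or publication lags."""
    return sorted(mentioned - catalog)


# Constructed sample data (not real advisories). The year 2099 marks the IDs
# as placeholders rather than real CVE records.
ADVISORY_TEXT = """
Vendor bulletin: upgrade examplelib to 2.4.1 to address CVE-2099-0001.
A second issue, cve-2099-12345, affects widgetd before 1.3.0.
The changelog mentions CVE-2099-0001 a second time.
"""

ADVISORIES = [
    Advisory("CVE-2099-0001", "examplelib", "2.4.1"),
    Advisory("CVE-2099-12345", "widgetd", "1.3.0"),
]

INVENTORY = [
    Component("examplelib", "2.3.9", "web-01"),
    Component("examplelib", "2.4.1", "web-02"),
    Component("widgetd", "1.2.0", "db-01"),
    Component("widgetd", "1.10.0", "db-02"),
]

# Local mirror of the catalog; CVE-2099-12345 is deliberately absent to show
# the gap check firing.
LOCAL_CATALOG = {"CVE-2099-0001"}


def run_report():
    """Return (affected map, IDs the advisory cites that the mirror lacks)."""
    mentioned = extract_cve_ids(ADVISORY_TEXT)
    hits = affected_components(INVENTORY, ADVISORIES)
    return hits, uncatalogued_ids(mentioned, LOCAL_CATALOG)


if __name__ == "__main__":
    hits, missing = run_report()
    for cve_id, comps in sorted(hits.items()):
        print(cve_id, [f"{c.host}:{c.name}@{c.version}" for c in comps])
    print("cited but not in local catalog:", missing)
```

Two details carry the weight here: the identifier is the join key, so normalizing case and de-duplicating mentions before the join avoids double-counting findings, and the version comparison must be numeric, otherwise widgetd 1.10.0 on db-02 would be reported as vulnerable because the string "1.10.0" sorts before "1.3.0".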
My Perspective

The past few days have been a rollercoaster for the cybersecurity community. While the 11-month extension is welcome news, it doesn't solve the deeper structural issues we're facing. The CVE Program has quietly supported nearly every corner of cybersecurity for decades, and it's time we give it the attention, governance, and resources it truly deserves.

Even with this extension and the emergence of the CVE Foundation, there will likely be a period of uncertainty. Delays in CVE assignment or coordination gaps are still possible as funding structures shift and responsibilities transition. During this time, the community will need to step up: to police the gaps, share information, and support one another.

This may also create space for new contributors, new models, and new thinking. We may see the rise of additional private sector initiatives or collaborative frameworks to supplement the CVE Program during this time of change.

Whatever happens next, this moment is a powerful reminder of the importance of shared, open infrastructure in cybersecurity. If we want systems like CVE to remain resilient, we must show up, not just when things break, but to help build what comes next.

Victoria Mosby, Sr. Sales Engineer

Victoria Mosby is a cybersecurity nerd who has worn many hats, ranging from GRC and consulting to mobile security and pentesting. She has a soft spot for storytelling, whether she's breaking down pentest workflows, demystifying compliance risks, or helping teams build stronger security strategies. By day, she's a Senior Sales & Solutions Engineer at PlexTrac, helping security teams ditch spreadsheets and outdated workflows to work smarter, not harder. By night, she's probably crocheting spooky plushies, playing D&D, or singing karaoke. She believes cybersecurity should be human, helpful, and just a little bit fun.