
Irish Information Security Forum

CVE System grinds to a near halt

The Common Vulnerabilities and Exposures (CVE) system, a cornerstone of cybersecurity, recently faced a significant threat due to a near lapse in its funding. Here's a breakdown of the situation:

On April 15, 2025, MITRE, the non-profit organization that has operated the CVE program since its inception in 1999, warned the CVE Board that its funding from the U.S. Department of Homeland Security was set to expire on April 16, 2025. This funding gap threatened to halt the assignment of new CVE identifiers and potentially take the public CVE website offline.

The Trump administration planned to let the US government's $44 million contract with MITRE expire, the contract that funds the Common Vulnerabilities and Exposures (CVE) program. CVE is the naming and tracking system that allows security researchers, governments, and software vendors to coordinate on known vulnerabilities. It's how the open internet defends itself. With just hours to go, the contract was rescued at the last minute by another state organisation, CISA, exercising an option on it. But the damage has been done.

Security experts warned that a disruption could have catastrophic consequences, affecting national vulnerability databases, security tools, incident response efforts, and critical infrastructure worldwide. Without CVEs, organizations would lose a standardized way to track and address vulnerabilities, leading to confusion and making it harder to defend against cyberattacks.

Why CVE is Crucial

  • Standardized Language: CVE provides a common language for identifying and discussing publicly known cybersecurity vulnerabilities. Each vulnerability is assigned a unique CVE ID of the form CVE-YYYY-NNNN, where YYYY is the year the ID was reserved and the sequence part has at least four digits and no fixed maximum.
  • Vulnerability Management: Security teams rely on CVE IDs to track vulnerabilities in their systems, assess risks, and determine necessary patches.
  • Incident Response: Standardized CVEs allow for better correlation of threat intelligence and incident reports.
  • Compliance: Many compliance frameworks and patch management policies reference CVE identifiers.


The Resolution (temporary)

  • Temporary Funding Extension: The Cybersecurity and Infrastructure Security Agency (CISA) acted quickly and executed an option on the contract, extending funding for the CVE program for another 11 months. This averted an immediate crisis.
  • Formation of CVE Foundation: A non-profit organization called the CVE Foundation has been formed to seek long-term stability and neutrality for the program. However, details about this transition are still emerging.


Ongoing Concerns and Potential Future Threats

  • Single Point of Failure: The recent funding scare highlighted the risk of relying on a single government sponsor for such a critical global resource.
  • Sustainability: The long-term funding and operational model for the CVE program remain uncertain beyond the current 11-month extension.
  • Data Quality and Completeness: Even before the funding issue, concerns existed about the quality and completeness of CVE data, with some entries lacking detailed descriptions, affected-product data, or accurate severity scores.
  • Timeliness: Assigning CVE IDs and publishing records can be slow, leaving a vulnerability without a shared identifier for extended periods while vendors and defenders are already trying to coordinate on it.
  • Coverage Gaps: Not all vulnerabilities are included in the CVE list, potentially leaving organizations unaware of certain risks.
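The two lists above (the CVE ID as the standardized identifier, and records that arrive without descriptions, affected products or severity scores) are easiest to appreciate with a small triage script. The following is an added example, not the IISF's or the CVE Program's own code: it normalises CVE IDs as they turn up in scanner output, parses records in the CVE Record Format 5.x JSON shape (cveMetadata, containers.cna, containers.adp), falls back to an ADP container's CVSS score when the CNA published none, and flags what is missing rather than silently ranking an unscored entry as harmless. The sample records, their IDs and the "example" vendor are constructed for illustration.

```python
"""Added example (not the IISF's or the CVE Program's code): parse records in
the CVE Record Format 5.x, normalise IDs and flag missing fields; the sample
records at the bottom are constructed for illustration, not real CVE data."""
import json
import re
from typing import Optional

# A CVE ID is CVE-<4-digit year>-<sequence>; the sequence is at least four
# digits with no upper bound (CVE-2014-100001 is valid), so a pattern that
# hard-codes four digits silently drops valid IDs.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def normalize_cve_id(raw: str) -> Optional[str]:
    """Canonical form of an ID as it appears in scanner output or tickets:
    trim, upper-case, reject anything not shaped CVE-YYYY-NNNN+."""
    m = CVE_ID_RE.match(raw.strip().upper())
    return f"CVE-{m.group(1)}-{m.group(2)}" if m else None


def _first_base_score(metrics: list) -> Optional[float]:
    """Highest-version CVSS base score present in a 5.x metrics list."""
    for entry in metrics:
        for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
            if key in entry and "baseScore" in entry[key]:
                return float(entry[key]["baseScore"])
    return None


def summarize_record(record: dict) -> dict:
    """Reduce one record to what a patch pipeline needs, recording which
    fields are absent instead of guessing them."""
    meta = record["cveMetadata"]
    containers = record.get("containers", {})
    cna = containers.get("cna", {})
    score, source = _first_base_score(cna.get("metrics", [])), "cna"
    if score is None:
        # ADP containers (e.g. CISA's enrichment) may score a record the
        # CNA left unscored; check them before declaring "no score".
        source = None
        for adp in containers.get("adp", []):
            score = _first_base_score(adp.get("metrics", []))
            if score is not None:
                source = adp.get("providerMetadata", {}).get("shortName", "adp")
                break
    description = next((d["value"] for d in cna.get("descriptions", [])
                        if d.get("lang", "").lower().startswith("en")), None)
    gaps = []
    if description is None:
        gaps.append("no English description")
    if score is None:
        gaps.append("no CVSS base score")
    if not cna.get("affected"):
        gaps.append("no affected products")
    return {"cve_id": normalize_cve_id(meta["cveId"]), "state": meta.get("state"),
            "base_score": score, "score_source": source,
            "description": description, "gaps": gaps}


def triage(records_json: str) -> list:
    """Parse a JSON array of records, drop REJECTED ones and order the rest
    by base score with unscored records last, so an incomplete entry stays
    visible instead of being ranked as harmless."""
    rows = [summarize_record(r) for r in json.loads(records_json)]
    live = [r for r in rows if r["state"] != "REJECTED"]
    live.sort(key=lambda r: (r["base_score"] is None, -(r["base_score"] or 0.0)))
    return live


# Constructed sample records (illustrative IDs and vendor, not real vulnerabilities).
SAMPLE_RECORDS = json.dumps([
    {"cveMetadata": {"cveId": "cve-2025-99990001", "state": "PUBLISHED"},
     "containers": {"cna": {
         "descriptions": [{"lang": "en", "value": "Constructed: overflow in example parser."}],
         "affected": [{"vendor": "example", "product": "parser"}],
         "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8}}]}}},
    {"cveMetadata": {"cveId": "CVE-2025-99990002", "state": "REJECTED"},
     "containers": {"cna": {"rejectedReasons": [{"lang": "en", "value": "Constructed: duplicate."}]}}},
    {"cveMetadata": {"cveId": "CVE-2025-99990003", "state": "PUBLISHED"},
     "containers": {
         "cna": {"descriptions": [{"lang": "en", "value": "Constructed: CNA gave no score."}],
                 "affected": [{"vendor": "example", "product": "gateway"}]},
         "adp": [{"providerMetadata": {"shortName": "CISA-ADP"},
                  "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5}}]}]}},
    {"cveMetadata": {"cveId": "CVE-2025-99990004", "state": "PUBLISHED"},
     "containers": {"cna": {"descriptions": [{"lang": "en", "value": "Constructed: no score, no affected list."}]}}},
])

if __name__ == "__main__":
    for row in triage(SAMPLE_RECORDS):
        print(row["cve_id"], row["base_score"], row["score_source"], row["gaps"])
```

Running it prints the three live records in score order; the last one carries the gaps "no CVSS base score" and "no affected products", which is the condition a patch-management policy keyed purely on CVSS would otherwise never surface.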


Emergence of Alternatives
The funding uncertainty has accelerated discussions and the development of alternative or complementary vulnerability databases, such as the European Union Vulnerability Database (EUVD) operated by ENISA and the Global CVE Allocation System (GCVE) proposed by CIRCL, pointing to a possible fragmentation of the vulnerability tracking landscape in which the same flaw carries several identifiers.

While the immediate threat to the CVE system has been mitigated with the temporary funding extension, the underlying concerns about its long-term sustainability and the weaknesses in its operational model persist.

---------------------------Press Release------------------

Statement from Matt Hartman on the CVE Program

Released April 23, 2025

Matt Hartman, CISA Acting Executive Assistant Director for Cybersecurity


The CVE Program is an invaluable public resource relied upon by network defenders and software developers alike. As the nation’s cyber defense agency, it is a foundational priority for CISA. Recent public reporting inaccurately implied the program was at risk due to a lack of funding. To set the record straight, there was no funding issue, but rather a contract administration issue that was resolved prior to a contract lapse. There has been no interruption to the CVE program and CISA is fully committed to sustaining and improving this critical cyber infrastructure.


CISA is proud to be the sponsor for the CVE program, a role we have held for decades. During this time, the CVE Program has gone through many evolutions, and this opportunity is no exception. MITRE, CISA, and the CVE Board have transformed this program into a federated capability with 453 CVE Numbering Authorities (CNAs). This growth has enabled faster and more distributed CVE identification, providing valuable vulnerability information to the public and enabling defenders to take quick action to protect themselves. We have historically been and remain very open to reevaluating the strategy to support the continued efficacy and value of the program.


We also recognize that significant work lies ahead. CISA, in coordination with MITRE and the CVE Board, is committed to actively seeking and incorporating community feedback into our stewardship of the CVE Program. We are committed to fostering inclusivity, active participation, and meaningful collaboration between the private sector and international governments to deliver the requisite stability and innovation to the CVE Program. And we are committed to achieving these goals together.


---------------------------End Press Release------------------


If you are interested in finding out more about the IISF, or would like to attend one of our Chapter Meetings as an invited guest, please contact the
IISF Secretary:

By email:
secretary@iisf.ie

By post:

David Cahill

GTS Security,
Exo Building,
North Wall Quay,
Dublin 1,
D01 W5Y2
