The Common Vulnerabilities and Exposures (CVE) Program has become the cornerstone of vulnerability management. Nearly all technology vendors and service providers identify vulnerabilities with CVEs when they publish security advisories. Most security products and services related to vulnerabilities support the use of CVEs. CVEs are commonly used in everything from incident response activities and global governmental CERT advisories to industry and research papers on new threats and vulnerabilities. And on a daily basis, operational staff around the world rely on CVEs when determining which vulnerabilities exist in their systems and reconciling vulnerability reports from multiple tools. Using CVEs ensures that the people and tools involved are all focused on the same vulnerability, so they can more effectively and efficiently coordinate their efforts to prioritize and address vulnerabilities.
The CVE initiative was started in 1999 by MITRE and a set of concerned security community members to address the need for a single unique identifier for each software vulnerability. The effort caught on quickly in the security vendor community, and the CVE Program was born as a global vulnerability index. As described on the CVE.org website, the mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.
In 2016, the CVE Program was in crisis. It was far too slow at supplying CVE ID assignments because it was not designed to scale. The Program's hub-and-spoke system routed everything through MITRE, so meeting the demands of the community as the number of vulnerabilities skyrocketed was not possible. Various CVE stakeholder communities, including product vendors, open-source projects, and end-users, were deeply concerned and frustrated about the delays and backlog. Up until this time, the CVE Board had been an advisory council that was consulted infrequently. The CVE Board asserted a larger governance role, and MITRE granted the Board active oversight of CVE. The resulting changes to the CVE Program were significant.
The CVE Board defined a federated model establishing a new approach for governing how CVE would work and grow in the future. Under the Board’s direction and with significant effort from DHS/CISA and MITRE, the Program began actively expanding the number of organizations participating as CVE Numbering Authorities (CNAs). CNAs assign CVE IDs and add CVE Records to the catalog, one Record for each vulnerability, to communicate consistent descriptions of vulnerabilities.
Since 2016, the CVE Program has grown from 23 to 453 CNAs from 40 countries, with expansion continuing. Also, to further improve Program scalability, APIs were built so CNAs could get CVE IDs without human intervention and could provide their CVE information directly to CVE.org.
The CVE Program has carved a role in cybersecurity that is based on trust: trust that the program is adequately resourced, trust that the program is governed in a way that is transparent, and trust that the program is responsive to the program’s stakeholders. Trust is gained in drops and is lost in buckets. Recent events have eroded this hard-won trust.
Since its inception, the CVE Program has operated as a solely US government-funded initiative, first funded by NSA and NIST, and now funded by DHS/CISA under contract with the Homeland Security Systems Engineering and Development Institute (HSSEDI), a Federally Funded Research and Development Center (FFRDC) operated by MITRE. The HSSEDI FFRDC is a private-sector entity that operates under the sponsorship of the US government to conduct research and development. While this structure has supported the program’s growth, with all due credit to MITRE and US government funding, it has also long caused concerns among members of the CVE Board and the public about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor.
These concerns were brought to the forefront again following an April 15, 2025 letter from MITRE notifying the CVE Board that the US government did not intend to renew its contract for managing the program. While the contract issue was resolved without impact to the CVE Program’s operations, this event clearly demonstrated how singular a dependency the CVE Program’s funding is, and how disastrous even the threat of a lapse can be to the trust the program has earned over the past 25 years. Under a single-funder model, another lapse can happen at any time. This creates an ongoing existential risk for the program.
The CVE Program is a public good, supported voluntarily by a large group of individuals, governments, and corporations, where trust and confidence are key currencies that CVE operates on. In the absence of this trust and confidence in the Program, many participants are asking if alternatives should be pursued to reduce operational risk. We believe that fragmentation of vulnerability identification will be disastrous, leading to higher costs for software maintainers, delayed or inconsistent vulnerability response, increased exposure to exploitation, and an overall erosion of trust in global vulnerability coordination and management. The lack of a unified global vulnerability index will make the world less safe.
To maintain CVE as a global resource, a diversified funding model is needed to ensure such a lapse in funding never happens again; only by removing that threat through funding diversification can trust be restored and grown. The current use of an FFRDC, which can only be funded by the US government, makes diversifying funding sources nearly impossible, as compared to a neutral, independent nonprofit established specifically for CVE.
The following additional challenges currently exist for the CVE Program:
Insufficient stakeholder and international engagement:
A lack of engagement with software maintainers has resulted in negative opinions of the CVE Program due to misunderstandings about how the process works or how to work with the program to address questionable vulnerabilities. The program needs to partner more globally to talk with and educate stakeholders and better understand their needs.
CVE Program sponsorship has been an area of concern for many for years, with many organizations concerned about the program being “owned” by the US government, during a time when the US is focused more domestically. Hardware and software are produced globally, and vulnerability identification and information sharing need to support participants in this broad global ecosystem.
Communication with the downstream users of CVE data is challenging as well. There is no “list” of consumers: it’s an amorphous group.
Federation has focused largely on adding CNAs to the MITRE- and CISA-operated roots. To scale the CVE Program further, more roots need to be cultivated to federate the management of CNAs. This creates more bandwidth to address data quality and production challenges, which are both technological and administrative.
Slow pace of innovation:
While CVE saw a burst of innovation between 2016 and 2019, the operational response since has been mixed. The service APIs that allow for CVE identifier reservation, record publication, and enrichment have been a catalyst for growth. The development of these critical services has been too slow, with features that should take a few months to complete taking a few years. The CVE Board has been raising concerns around this since 2019, and only a few services from the original design have been launched in the past seven years.
CVE Program stakeholders have been waiting for years for the additional services needed to allow this larger federation of CNAs to communicate and work together more effectively. These services are needed to make it easy for CNAs to communicate about assignment scopes and to coordinate publication to reduce duplicate assignments, for software maintainers to contact a CNA with concerns about an assignment, and to support a dispute process that is timely, transparent, and fair in making decisions.
Email is a primary mode of communication within the CVE Program and a primary means of communication and participation with CNAs and other stakeholders. Ticketing and other communication mechanisms have been suggested by the CVE Board, but the CVE Secretariat continues to focus on email.
In general, service development needs to be significantly more responsive to stakeholder needs. The current approach for developing and maintaining these services is not working well and needs to change. Greater resources must be devoted to service development, and greater transparency and oversight are needed around how financial resources are used in this area, ensuring that crucial services are delivered within reasonable timeframes.
The CVE Foundation aims to support the transition of the CVE Program from a single funding stream to a diversified funding model, which we believe will only strengthen the program and enable a stable, durable, internationally trusted program that works for the good of global consumers and organizations. This is our mission. We believe that this organization needs to exist outside of sole governmental control and is best suited under a public, nonprofit operating model, allowing global participation, funding, and transparency.
To manage the outstanding growth of the CVE Program and prepare for the new challenges we see on the horizon, we believe it is time to evolve the CVE Program to its next stage. Addressing this next stage requires a new funding and governance model. We have a unique opportunity to transition key aspects of the CVE Program to an organization that can be funded by a diverse group of organizations, including other foundations, governments, and commercial entities.
There are many successful examples of transferring initiatives from the US government to a publicly managed service or program, including DARPA transitioning the ARPANET into the Internet, with the Internet Engineering Task Force (IETF) managing Internet standards, the Internet Assigned Numbers Authority (IANA) managing protocol assignments, and the Internet Corporation for Assigned Names and Numbers (ICANN) managing Internet names and addresses, all of which started with the government as the single source of funding. These transitions have enabled the Internet to fuel tremendous economic growth that touches almost every aspect of our lives by shifting from the speed of government to the speed of technology innovation.
For the CVE Foundation to achieve its vision, it needs a robust financial strategy that ensures sustainability, growth, and neutrality. This strategy will revolve around diversifying income streams, practicing prudent financial management, and using these resources to invest strategically to deliver value to the cybersecurity community.
Diversified Funding Sources - The CVE Foundation will not rely on a sole source of funding. A blend of grants, sponsorships, and donations will be cultivated to ensure a balanced, rolling revenue stream over time. Seeking philanthropic contributions from foundations that support technological advancement and cybersecurity initiatives will be a key aspect of developing income streams.
Creating an Endowment Fund - Creating an endowment fund that provides a financial bedrock for the CVE Foundation will ensure that operations can continue regardless of external economic fluctuations. Encouraging long-term investments from stakeholders who are committed to the CVE Foundation mission will ensure that core services are not disrupted.
The independent structure of CVE Foundation is the cornerstone of its proposed effectiveness and reliability. By ensuring that the CVE Foundation is free from unique external pressures and conflicts of interest, the CVE Foundation aims to become the neutral, trusted global authority and partner on cybersecurity vulnerabilities.
In doing so, the CVE Foundation plans to partner globally. For example, the work that CISA has been doing to organize industrial control system providers has been an area of great success for the CVE Program. The CVE Foundation intends to continue to work in partnership with CISA to ensure that this important work continues and expands. There are also opportunities to continue partnerships with organizations in the European Union (EU), such as with ENISA's EU Vulnerability Database (EUVD), as well as many others that are currently working with the CVE Program. The CVE Foundation is committed to seeking, growing, and maintaining partnerships globally to keep the vulnerability ecosystem united and to ensure it is thriving.
Today, the CVE Foundation is in the process of becoming operational. Our vision for the CVE Foundation is to build on the CVE Program’s current capabilities with the following attributes:
Expanded International Governance - The CVE Foundation’s governance model needs to ensure that the Foundation is a neutral place where CVE producers and consumers, big and small, can work together without any party having undue influence. The structure of the Foundation needs to have mechanisms to ensure this.
Transparent Financial Operations - The CVE Foundation will provide more detailed financial reports to stakeholders to increase transparency and build trust in the CVE Foundation’s stewardship of funds. Financial performance metrics will be made available to the public to demonstrate commitment to accountability, including how the Foundation supports CNAs, Roots, and CNAs of Last Resort (CNA-LRs). The Foundation's open reporting will rest on strict financial controls and governance to manage funds effectively: it will report the funds used to perform tasks, accounting for milestones and deliverables, and will report monies received and monies spent in the manner of nonprofit annual reports. Financial reports will be reviewed by the CVE Foundation Board and stakeholders for accountability and governance.
Responsive Service Development - Provide new services that enable the CVE Program to continue to scale and become more efficient while lowering the cost of CVE production for participants and lowering the cost of consuming CVE records for end-users, vulnerability databases, and others. Examples of issues to be solved include a contact directory, scaling of operations, support for federation, support for communication, and better enablement of CNAs and the supporting hierarchy.
Consistent and Stable Infrastructure - Implement an ecosystem infrastructure that is globally diverse and mirrored for demand to support all regions, improve availability, and lower latency. Endowment will ensure ongoing support for this infrastructure over the long term.
Inclusive Community Growth - Establish strategic partnerships with private-sector companies, nonprofits, and communities that benefit from CVE data for their operations, encouraging them to contribute to the Program. Develop a means to drive higher-bandwidth communication with users of CVE to collect actionable feedback. Continue to grow the number of participating CNAs, and provide additional tooling and services to make CVE production easier and data quality better.
Culture of Innovation - Increase community outreach to identify new opportunities and encourage strategic experimentation with new features and technology where possible.
The CVE Program has earned a central role in global cybersecurity through over 25 years of hard work, innovation, and trust. To secure its future, we must act decisively now — by expanding its funding base, its governance model, and its operational independence.
The CVE Foundation is ready to lead this evolution — building on CVE’s legacy to create a resilient, global, trusted platform for vulnerability coordination into the next generation.