Frequently Asked Questions

What do you believe?

We believe that CVEs are the cornerstone of cybersecurity defense. Without a common language to communicate about vulnerabilities, chaos follows. This is why the CVE Program was created 25 years ago and it is even more true today. We believe in a free, publicly available resource that serves a global community. We believe that, in order to achieve a stable long term solution, CVE needs to be funded by many entities and not one single point of failure. We are leading by building a coalition of like-minded organizations.

What is your mission?

To ensure continued long term international participation and stability of the CVE Program as a publicly available resource. To deliver a world-class user experience for all that contribute to and use CVEs. The Foundation is focused on moving forward productively—together with CISA, MITRE, and the global CVE community— to create a home for the CVE Program that ensures consistent, long-term, multi-stakeholder funding. Diverse, stable funding will allow the Program to continue growing to address the needs of the vulnerability management community, without risk of future disruption.

Why now?

No time like the present. Our coalition started as a loose group of individuals that shared a common goal of helping the CVE program evolve and succeed. The group wanted to explore options for growth and stability. However, confusion resulting from the April 15, 2025 letter addressed to the CVE Board has compelled us to plan for contingency with a sense of urgency to prevent disruptions to global cybersecurity defensive operations. The group felt the need to reassure stakeholders and consumers in the CVE ecosystem, provide a sense of continuity, and show support.

The promise of temporary funding, while greatly appreciated, does not eliminate the need for business continuity planning to prevent single points of failure in the CVE program.

How are you different?

We are thought leaders in the CVE Program who have been working as volunteers with our CISA, MITRE, and CVE Board colleagues for years, striving to evolve the Program over time, without being encumbered to any one organization. We have had many collective successes, including the federated model that CVE is currently operating under. This model was designed to allow for the distribution of the day to day care and feeding of the CVE corpus to be managed by the CNAs via online APIs. To thrive, the CVE Program needs to move faster and further in this direction to enable all stakeholders to provide the highest quality, enriched vulnerability information and enable more responsiveness to all stakeholders in shorter time frames.

Due to the funding extension, this effort has been given an 11-month timeframe to plan and execute. The Foundation sincerely wants to get to work with CISA and MITRE to collectively build a better, more stable vision for the Program and put it in place.

Where are you located?

The CVE Foundation is a 501(c)(3) non-profit, incorporated in the state of Washington, in the United States, and is subject to the laws and regulations there.

How can I help?

Please visit our contact page, which has more information on how we can use your help.