Frequently Asked Questions

What do you believe?

We believe that CVEs are the cornerstone of cybersecurity defense. Without a common language to communicate about vulnerabilities, chaos follows. This is why the CVE Program was created 25 years ago and it is even more true today. We believe in a free, publicly available resource that serves a global community. We believe that, in order to achieve a stable long term solution, CVE needs to be funded by many entities and not one single point of failure. We are leading by building a coalition of like-minded organizations. 

What is your mission?

To ensure continued long term international participation and stability of the CVE Program as a publicly available resource. To deliver a world-class user experience for all that contribute to and use CVEs. We want to work with CISA, MITRE, and the international CVE community to create a long-term home for the CVE Program that ensures consistent, long-term, multi-stakeholder funding, which will allow the Program to continue to grow to address the needs of the vulnerability management community. 

Why now?

No time like the present.  ¯\_(ツ)_/¯ The original coalition of the willing was formed as a loose group of individuals that share a common goal of helping the CVE program evolve and succeed. The group wanted to explore options for growth and stability. However, confusion resulting from the April 15, 2025 letter addressed to the CVE Board has compelled us to plan for contingency with a sense of urgency to prevent disruptions to global cybersecurity defensive operations. The group felt the need to reassure stakeholders and consumers in the CVE ecosystem, provide a sense of continuity, and show support. 

The promise of temporary funding, while greatly appreciated, does not eliminate the need for business continuity planning to prevent single point of failures in the CVE program. 

How are you different?

We are thought leaders in the CVE Program who have been working with our CISA, MITRE, and CVE Board colleagues, within CVE as volunteers for years, striving to evolve the Program over time without being encumbered to any one organization. We have had many collective successes, including the federated model that CVE is currently operating under. This model was designed to allow for the distribution of the day to day care and feeding of the CVE corpus to be managed by the CNAs via online APIs.  To thrive, the CVE Program needs to move faster and further in this direction to enable all stakeholders to provide the highest quality, enriched vulnerability information and enable more responsiveness to all stakeholders in shorter time frames.

Due to the funding extension, this effort has been given an 11-month timeframe to plan and execute. The Foundation sincerely wants to get to work with CISA and MITRE to collectively envision a better, more stable vision for the Program and put it in place.

Who are you?

We are a significant subset of the Official CVE Board that are concerned about the stability of the CVE Program and want to see the program healthy and thriving. Over the last few days our coalition has grown in number to include additional CVE Board members and long term participants in the CVE Program, and others from the vulnerability management community.  They are:

• Kent Landfield, CVE Board member and Chair of the CVE Strategic Planning Working Group *

• Lisa Olson, CVE Board member and Co-Chair of the CVE Tactical Working Group *

• Pete Allor, CVE Board member and Co-Chair of the CVE Vulnerability Conference and Events Working Group *

• MegaZone, CVE Board member, Co-Chair of the CVE Quality Working Group, Co-Chair of the CVE Vulnerability Conference and Events Working Group, and CNA Liaison 

• Tod Beardsley, CVE Board member and Chair of the CVE CNA Organization of Peers

• Chandan Nandakumaraiah, CVE Board member, Ex-Chair of the CVE Quality Working Group, and Lead for Project Vulnogram

• David Waltermire, CVE Board member and Co-Chair of the CVE Quality Working Group

• Karen Scarfone

* Corporation's officers

Where are you located?

The CVE Foundation is a 501(c)(3) nonprofit, incorporated in the state of Washington, in the United States, and is subject to the laws and regulations there. 

How can I help?

We greatly appreciate the large outpouring of support we have received over the past few days. We have received hundreds of emails offering encouragement, financial support, and seeking more information. We are working as quickly as we can to read and consider every email. At this time we are seeking additional financial support so we can move forward more quickly. 

Please email us at info@thecvefoundation.org