News

Released: April 25, 2025

Representatives from the CVE Foundation met with representatives from CISA on 4/24/2025.  The talks were positive and encouraging.  All parties wish to keep the conversation and progress moving forward.

Released: April 23, 2025

In the statement provided by CISA on April 23, 2025, Matt Hartman, CISA Acting Executive Assistant Director for Cybersecurity, stated that CISA has “historically been and remain[s] very open to reevaluating the strategy to support the continued efficacy and value of the program.”  He went on to say “that significant work lies ahead. CISA, in coordination with MITRE and the CVE Board, is committed to actively seeking and incorporating community feedback into our stewardship of the CVE Program. We are committed to fostering inclusivity, active participation, and meaningful collaboration between the private sector and international governments to deliver the requisite stability and innovation to the CVE Program. And we are committed to achieving these goals together.”

We stand in alignment with CISA and this commitment to working together to ensure a resilient, trusted, and innovative CVE Program, which has a 25-year legacy of bringing some order to the chaos of cyber-security vulnerabilities. The model of successfully transferring initiatives from the U.S. government to a publicly managed service or program has countless examples: DARPA turning the ARPANET into the Internet, IANA managing protocol assignments, and ICANN managing Internet names and addresses, which all started with the government being the single source of funding. In this same tradition, the CVE Foundation aims to support the transition of the CVE Program from a single-funding stream to a diversified funding model, which we believe will only strengthen the program and enable a stable, durable, internationally trusted program that works for the good of global consumers and organizations. This is our mission.

Released: April 16, 2025

CVE Foundation Launched to Secure the Future of the CVE Program

[Bremerton, Washington] – The CVE Foundation has been formally established to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program, a critical pillar of the global cybersecurity infrastructure for 25 years.

Since its inception, the CVE Program has operated as a U.S. government-funded initiative, with oversight and management provided under contract. While this structure has supported the program’s growth, it has also raised longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor.

This concern has become urgent following an April 15, 2025 letter from MITRE notifying the CVE Board that the U.S. government does not intend to renew its contract for managing the program. While we had hoped this day would not come, we have been preparing for this possibility.

In response, a coalition of longtime, active CVE Board members have spent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation. The new CVE Foundation will focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide.

“CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” said Kent Landfield, an officer of the Foundation. “Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work—from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats.”

The formation of the CVE Foundation marks a major step toward eliminating a single point of failure in the vulnerability management ecosystem and ensuring the CVE Program remains a globally trusted, community-driven initiative. For the international cybersecurity community, this move represents an opportunity to establish governance that reflects the global nature of today’s threat landscape.

Over the coming days, the Foundation will release more information about its structure, transition planning, and opportunities for involvement from the broader community.

For updates or inquiries, contact: info@thecvefoundation.org.