CVE Funding Model Sparks Debate
Published on May 11, 2025
Cynthia Brumfield from CSO Online writes about the CVE Program’s recent funding crisis, which threatened its operations and highlighted long-standing concerns over its sustainability. With MITRE’s federal funding for CVE set to expire, the cybersecurity community faced the alarming prospect of losing a cornerstone of vulnerability tracking. The crisis spurred the launch of the CVE Foundation, a nonprofit initiative aimed at securing diversified funding and ensuring the program’s continuity. Brumfield underscores the urgency of building a more resilient, community-supported model to safeguard global vulnerability coordination efforts.
The CVE Foundation would like to clarify some incorrect assertions that were made in this article.
The Foundation’s primary goal is to preserve CVE as the single, globally trusted source for vulnerability identification and enrichment information. We have no intention of creating an alternative to CVE. Fragmenting the ecosystem that has been built around CVE would, in our view, weaken global cybersecurity and make the world less safe.
The Foundation is committed to a model that welcomes the participation of all and supports government security bodies for global good.
We acknowledge the continued frustration surrounding the events of April 15, 2025. The Foundation is focused on moving forward productively—together with CISA, MITRE, and the global CVE community—rather than dwelling on the past.
To that end, we are talking with potential donors and partners, and we are committed to building strong, transparent relationships with both CISA and MITRE. Additional details on our path forward will be shared in the coming weeks.
There is important work ahead. Let’s get to work.