Ensuring the Longevity of the CVE Program
Published on Jul 23, 2025
In the spring of this year, a highly publicized funding snafu catapulted the CVE Program into the spotlight. For the past 25 years, the CVE Program has provided a means of consistent and aligned naming and categorization of cybersecurity vulnerabilities around the world. This enables technology developers, security researchers, and cyber defenders to speak a common language on the topic of reducing technical risk, which today affects every part of our lives.
The funding issue centered around a contractual disruption to the US Government’s sponsorship of the Program. The news cycle raised the question of what the future of such a critical program may be, but in truth, the question of funding is only the tip of the uncertainty iceberg, and arguably the most readily solvable problem. Across its 25 years, the CVE Program has faced considerable challenges and criticism, with persistent concerns raised over a lack of communication, transparency, accountability and investment in the Program.
Given the importance of the CVE Program, it’s not terribly surprising that various governments around the world are asking questions about its future. Ultimately, managing cybersecurity vulnerabilities is a matter of public safety. Governments should and do recognize that, making the question of funding, management, and governance of the Program even more sensitive and important. And since software, hardware and services are not produced, maintained, or consumed in a single jurisdiction, this must be a shared and global responsibility, and not one owned or controlled by a single nation.
Recognizing the heightened focus on this important issue, the Center for Cybersecurity Policy and Law has created a fantastic primer on the issue, which explores the history of the CVE Program, the recent developments, and the various criticisms and challenges. It does not attempt to dictate a solution; rather, it aims to help those looking for one better understand the dynamics and considerations at play.
The CVE Foundation vehemently believes the best path forward to preserve the critical service of the CVE Program is to transition it to a nonprofit entity with true international coordination, rigorous and transparent governance, and multiple funding sources from public, private, and nonprofit organizations.
The paper does not take a position on that, as that’s not its job, but we nevertheless feel it is a great baseline for anyone wanting to become more conversant with this topic. It’s straightforward and easy to consume, so if you’re curious about this topic, please give it a look, or share it with those you wish to educate on the exciting world of CVE! We strongly believe that more discourse on this thorny but important issue is necessary and valuable. Thank you to the Center for Cybersecurity Policy and Law for working to help create a baseline for such engagement.