CVE Funding Drama

Thoughts on the CVE Program funding scare and what it means for cybersecurity

MITRE’s contract to run the CVE Program nearly expired without renewal. CISA stepped in at the last moment, but the episode exposed how brittle some of our most critical infrastructure is.

What happened?

MITRE, which operates the CVE Program under contract with CISA, was set to run out of funding on April 16. The CVE Program is responsible for assigning and managing vulnerability identifiers—something nearly every patch, exploit, and security tool depends on.

The renewal didn’t happen until hours before the deadline. If it had expired, the whole CVE system would have been thrown into uncertainty.

There’s now talk of spinning off the program into an independent foundation (the “CVE Foundation”) to make it more sustainable long-term.

Why it matters

This wasn’t a technical failure. It was a policy failure, and it nearly caused a major problem for anyone who relies on vulnerability disclosures.

  • CVE IDs are the glue for vulnerability tracking. Break that, and you break everything from SIEM alerts to patch notes.
  • The program isn’t backed by law or international agreement; it relies on a single US government agency renewing a contract on time.
  • Most people assume CVE is like DNS: decentralised, reliable, always there. Turns out it’s not.

Thoughts going forward

  • Decentralising the responsibility might help, but only if there’s still strong governance and funding.
  • The security industry needs to stop taking these public infrastructure projects for granted.
  • Worth keeping an eye on how the CVE Foundation proposal develops. Might be something to contribute to, or at least follow closely.

No action required on your part, but one to remember. Even the most “foundational” tools in cyber can turn out to be paper-thin if someone forgets to sign a form.

This post is licensed under CC BY 4.0 by the author.