CVE Program Funding Crisis and Future of Vulnerability Management
- Reto Zeidler
- May 16
- 3 min read
In April 2025, the cybersecurity community faced a significant crisis when the U.S. Department of Homeland Security initially decided not to renew its contract with MITRE for managing the Common Vulnerabilities and Exposures (CVE) program. This 25-year-old program, which serves as the global standard for identifying and tracking security vulnerabilities, was hours away from losing its funding before an 11th-hour reprieve extended support for another 11 months. The incident highlighted critical vulnerabilities in the vulnerability management ecosystem itself, revealing an over-reliance on a single funding source for a globally essential cybersecurity resource.
What is the CVE Program and why is it so critical in global cybersecurity?
The CVE program serves as the cornerstone of global vulnerability management, providing a standardized system for identifying and tracking security vulnerabilities in software and hardware products. It assigns unique identifiers that enable consistent communication about vulnerabilities across the cybersecurity ecosystem. This standardization is crucial for effective vulnerability management, patch prioritization, and coordinated response to security threats.
The Funding Crisis and Last-Minute Reprieve
On April 16, 2025, funding for MITRE to operate the CVE program was set to expire. This created widespread concern throughout the cybersecurity community, with former CISA director Jen Easterly comparing the potential loss to "tearing out the card catalog from every library at once". After significant backlash, CISA executed an option period on the contract, ensuring no immediate lapse in critical CVE services. However, this extension only provides funding for 11 months, leaving long-term sustainability concerns unaddressed.
What are the alternatives?
The crisis has indeed accelerated the development of alternative vulnerability tracking systems:
The CVE Foundation: Formed by members of the CVE board to create a more sustainable and neutral governance model not tied to a single government sponsor. Key figures behind the foundation include Kent Landfield, a founding member of the original CVE Program and a long-time cybersecurity industry leader. Several companies are actively involved in supporting and shaping the CVE Foundation: it was established by a coalition of CVE Board members from leading cybersecurity and technology organizations, including Microsoft, Intel, CrowdStrike, Palo Alto Networks, Red Hat, Cisco Systems, and GitHub Security Lab.
European Union Vulnerability Database (EUVD): Developed and maintained by the European Union Agency for Cybersecurity (ENISA), this alternative uses its own EUVD IDs alongside CVE identifiers. The EUVD was established under the NIS2 Directive to enhance the EU's cybersecurity posture by providing a centralized, transparent, and actionable repository of vulnerability information.
Global CVE Allocation System (GCVE): A community-driven initiative that emerged during the funding crisis and represents a decentralized approach to vulnerability identification and numbering. Developed and maintained by the Computer Incident Response Center Luxembourg (CIRCL), GCVE aims to enhance flexibility, scalability, and autonomy in vulnerability management.
Fundamental Flaws in Current Vulnerability Management Approaches
The proliferation of systems risks fragmenting the previously unified vulnerability tracking landscape, potentially creating confusion and inefficiencies in vulnerability management. But we should not forget that vulnerability management itself has its own challenges:
Overwhelming Volume: With over 40,000 new CVEs published in 2024 alone, organizations struggle to keep pace with the sheer volume of vulnerabilities.
Prioritization Challenges: Only about 6% of vulnerabilities in the CVE dictionary have ever been exploited, making effective prioritization crucial but difficult.
Reactive Approach: The current vulnerability management paradigm is inherently reactive, constantly responding to new vulnerability disclosures rather than proactively reducing risk.
What can security teams do about it?
Security teams should take a proactive approach to managing vulnerabilities by diversifying their sources of vulnerability intelligence instead of relying on a single database. They can improve prioritization by using advanced risk-based models like EPSS or SSVC to focus on the most exploitable issues. Instead of reacting to individual vulnerabilities, teams should shift their strategy toward broader risk reduction, such as minimizing the attack surface, implementing network segmentation, and strengthening security baselines. It's also important to engage with vendors to understand how they plan to respond to changes in CVE availability. Lastly, teams should establish contingency plans to maintain operations in case of disruptions to vulnerability data sources.
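The diversification and prioritization steps above, as an added example that is not part of the original post: a small Python reconciler that merges constructed sample records from a CVE feed, an EUVD feed and a GCVE feed into one record per vulnerability, ranks them by EPSS with a boost for known-exploited entries, and reports which records a team would miss if it consulted only one source. The feed layouts, identifier formats, scores and the KEV set are constructed assumptions for illustration, not the real services' data formats.

```python
from dataclasses import dataclass, field

# Constructed sample feeds (not real advisories). Each source uses its own
# ID scheme but may cross-reference a CVE ID in "aliases"; the EUVD entry
# without a CVE alias models a vulnerability the primary feed never lists.
CVE_FEED = [
    {"id": "CVE-2025-0001", "cvss": 9.8},
    {"id": "CVE-2025-0002", "cvss": 7.5},
]
EUVD_FEED = [
    {"id": "EUVD-2025-1001", "aliases": ["CVE-2025-0002"], "cvss": 7.5},
    {"id": "EUVD-2025-1002", "aliases": [], "cvss": 5.3},
]
GCVE_FEED = [
    {"id": "GCVE-1-2025-0001", "aliases": ["CVE-2025-0001"]},
]
EPSS = {"CVE-2025-0001": 0.12, "CVE-2025-0002": 0.91}  # assumed probabilities
KEV = {"CVE-2025-0001"}  # assumed known-exploited set

@dataclass
class Vuln:
    key: str
    aliases: set = field(default_factory=set)
    cvss: float = 0.0
    sources: set = field(default_factory=set)

def merge_feeds(feeds):
    """One record per vulnerability, keyed on the CVE ID when any source
    provides one, otherwise on the source's own identifier."""
    merged = {}
    for source, records in feeds.items():
        for rec in records:
            ids = [rec["id"]] + rec.get("aliases", [])
            key = next((i for i in ids if i.startswith("CVE-")), rec["id"])
            v = merged.setdefault(key, Vuln(key))
            v.aliases.update(ids)
            v.cvss = max(v.cvss, rec.get("cvss", 0.0))
            v.sources.add(source)
    return merged

def risk_score(v, epss, kev):
    """Exploitation likelihood times impact; KEV membership overrides EPSS,
    and a record with no EPSS entry falls back to CVSS/10 as its likelihood."""
    p = 1.0 if v.key in kev else epss.get(v.key, v.cvss / 10)
    return p * v.cvss

def prioritize(feeds, epss, kev):
    ranked = sorted(merge_feeds(feeds).values(),
                    key=lambda v: risk_score(v, epss, kev), reverse=True)
    return [v.key for v in ranked]

def missing_from(merged, source):
    """Keys that would be invisible if only `source` were consulted."""
    return sorted(v.key for v in merged.values() if source not in v.sources)
```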
Conclusion
The CVE funding crisis of April 2025 served as a wake-up call for the cybersecurity community, exposing critical dependencies and structural weaknesses in the global vulnerability management ecosystem. While the immediate crisis was averted with an 11-month funding extension, the incident has accelerated the development of alternative systems and sparked important conversations about the sustainability and effectiveness of current vulnerability management practices.
As the industry moves forward, there is both risk and opportunity. The risk lies in potential fragmentation of the vulnerability tracking landscape, which could create confusion and inefficiencies. The opportunity lies in reimagining vulnerability management to focus more on systematic risk reduction rather than just reacting to the endless stream of new vulnerabilities.