Since 1999, the Common Vulnerabilities and Exposures (CVE) system has been widely used in cybersecurity and enterprise IT as a centralised repository and reference for vulnerabilities in software, hardware, and services, and it forms the basis for the US National Vulnerability Database.
The CVE system is paid for by the US Cybersecurity and Infrastructure Security Agency (CISA), then operated and administered by The MITRE Corporation, a not-for-profit company that manages federally funded research and development centres, known as FFRDCs.
The current US administration’s ‘FIRE – READY – AIM’ approach to cost cutting was to blame for what could have been a catastrophic loss. The funds to renew the expiring contract with The MITRE Corporation to run the CVE system were withdrawn. However, after much alarmed outcry, CISA has restored funding for at least 11 months, although renewal of the contract in 2026 is anybody’s guess.
CVE is crucial
It is hard to convey how crucial the CVE system is world-wide. Without it, cybersecurity organisations would and could name new vulnerabilities in their own nomenclature. Each vulnerability could have a different name, number, and overall nomenclature, making it extremely difficult to identify the same vulnerability between cybersecurity organisations.
The CVE system solved that, providing a central naming authority and dissemination of vulnerability intelligence that is used by every major Computer Emergency Response Team (CERT) and company across the globe. Stopping the CVE system, even for a brief time, would have had a considerable negative impact on the ability of every company, government and organisation to manage the risk of vulnerabilities.
Growing distrust of the current US government
This has been a wake-up call. Up until now, the CVE system has been steadily funded with the support of both major US political parties, in rare agreement on the value of the system. Cuts to the CVE system were never discussed; the system worked well and is considered a success.

Now, there is considerable trepidation in relying solely on funding from the US government. Several members of the CVE board have announced they have established The CVE Foundation, a separate non-profit group focused solely on maintaining the CVE service if funding for MITRE to operate it is lost again.
The European Union Agency for Cybersecurity (ENISA) has created the European Union Vulnerability Database, which issues IDs for vulnerabilities, but also lists the associated CVE ID. Work for this new database began in June 2024, before the CVE funding issue was widely known, and is a sign of growing distrust of US government control of the CVE system.
There is a real danger of information regarding vulnerabilities being splintered into multiple sources. When it comes to vulnerabilities, there are no winners in a splintered system. Lack of central identification of vulnerabilities is what prompted the creation of the CVE system in the first place.
A world-wide vulnerability database, open for all to use, is the only logical approach. Let us hope this wake-up call over the CVE system spurs more action to address all concerns and assure a standardised and centralised approach to vulnerability information.