The past few days have seen the yo-yo effect in full swing, as the MITRE contract with the Cybersecurity and Infrastructure Security Agency (CISA) to maintain the U.S. CVE (Common Vulnerabilities and Exposures) database appeared to have not been renewed (MITRE issued a statement on April 15). At the last moment, a change occurred, resulting in the reversal of that decision and renewal of the CVE database contract with MITRE.

CISA rethinks

Meanwhile, CSO reports that CISA sent the publication a statement saying, “The CVE Program is invaluable to the cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”

Invaluable is an understatement, as evidenced by Jen Easterly, former director of CISA, who offered some plain speaking in a public post on LinkedIn. “Think of the CVE system like the Dewey Decimal System for cybersecurity. It’s the global catalog that helps everyone—security teams, software vendors, researchers, governments—organize and talk about vulnerabilities using the same reference system. Without it:

  • Everyone is using a different catalog or no catalog at all
  • No one knows if they’re talking about the same problem
  • Defenders waste precious time figuring out what’s wrong
  • And worst of all, threat actors take advantage of the confusion.”

She continued, with her bottom line, “The CVE system may not make headlines, but it is one of the most important pillars of modern cybersecurity. Losing it would be like tearing out the card catalog from every library at once—leaving defenders to sort through chaos while attackers take full advantage. For your business, this could mean:

  • Increased risk of breach or ransomware
  • Higher costs for security and compliance
  • Lost trust from customers and regulators.”

CVE criticality

Easterly has it right. CVEs play a critical role in cybersecurity, accomplishing the following:

  • Standardized identification – universal identifiers
  • Awareness and Transparency – detailed dissection that enables software vendors and IT teams to stay abreast of the risks
  • Patch Management – keeping order in the chaos of software updates and patches
  • Proactive Security – enables security teams to be proactive with measures to protect vulnerable assets
  • Benchmarking and Compliance – CVEs appear in compliance and benchmarking frameworks; entities that have satisfactorily addressed a given CVE demonstrate their cybersecurity robustness.
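The first two points above (universal identifiers, and everyone talking about the same problem) are easy to see in practice: an identifier such as CVE-2024-12345 is the same reference no matter which vendor advisory, scanner report or ticket mentions it, so defenders can correlate reports from unrelated sources. The following Python script is an added illustration, not code from the article or from the CVE Program; the advisory snippets in it are constructed for the example, the CVE IDs in them are placeholders rather than real vulnerabilities, and the only format fact it relies on is the public CVE ID layout (CVE, a four-digit year, and a sequence number of at least four digits).

```python
import re
from collections import defaultdict

# Public CVE identifier layout: "CVE-" + four-digit year + "-" + a sequence
# number of at least four digits. Matching is case-insensitive because sources
# are inconsistent; the ID is normalized to upper case so that they compare equal.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# Constructed advisory snippets from hypothetical sources. The CVE numbers are
# placeholders for the example and do not refer to real vulnerabilities.
ADVISORIES = [
    ("vendor-a", "Fixed in 2.4.1: cve-2024-12345 (auth bypass), CVE-2024-0001."),
    ("vendor-b", "Security update addresses CVE-2024-12345 and CVE-2023-4567."),
    ("scanner",  "Host web01 flagged for CVE-2024-12345; ignore CVE-1999-0000x"),
    ("ticket",   "Tracking CVE-24-1 (malformed year, should be ignored)."),
]


def extract_cve_ids(text):
    """Return the normalized CVE IDs found in text, in order of first appearance.

    Malformed references (a two-digit year, or an ID fused to trailing text)
    are rejected rather than partially matched, so a typo never becomes a
    bogus identifier in downstream reports.
    """
    found = []
    for match in CVE_RE.finditer(text):
        cve = f"CVE-{match.group(1)}-{match.group(2)}"
        if cve not in found:
            found.append(cve)
    return found


def correlate(advisories):
    """Map each CVE ID to the sorted list of sources that mention it."""
    sources_by_cve = defaultdict(set)
    for source, text in advisories:
        for cve in extract_cve_ids(text):
            sources_by_cve[cve].add(source)
    return {cve: sorted(sources) for cve, sources in sources_by_cve.items()}


def shared_across_sources(advisories, minimum=2):
    """CVE IDs referenced by at least `minimum` independent sources.

    This is the 'are we talking about the same problem?' check: a vendor fix,
    a second vendor's bulletin and a scanner finding line up on one identifier.
    """
    return sorted(
        cve for cve, sources in correlate(advisories).items()
        if len(sources) >= minimum
    )


if __name__ == "__main__":
    for cve, sources in sorted(correlate(ADVISORIES).items()):
        print(f"{cve}: {', '.join(sources)}")
    print("Seen by multiple sources:", shared_across_sources(ADVISORIES))
```

Run as-is, the script reports that CVE-2024-12345 is the one identifier all three technical sources agree on, while the two malformed references are dropped. Replacing the constructed list with lines pulled from real advisories, scanner exports and ticket titles is the usual next step; the point is that the shared identifier, not the source's wording, is what makes the correlation possible.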

Whether CISA will renew the contract after the option period concludes remains to be seen. This exercise served to energize industry. The stand-up of the CVE Foundation is but one action taken by industry. The Foundation said in their public statement, “Since its inception, the CVE Program has operated as a U.S. government-funded initiative, with oversight and management provided under contract. While this structure has supported the program’s growth, it has also raised longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor.”  

CVE Foundation is created

The Foundation continued, “This concern has become urgent following an April 15, 2025 letter from MITRE notifying the CVE Board that the U.S. government does not intend to renew its contract for managing the program. While we had hoped this day would not come, we have been preparing for this possibility. In response, a coalition of longtime, active CVE Board members has spent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation. The new CVE Foundation will focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide.” 

Kent Landfield, an officer of the Foundation noted, “CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself. Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work—from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats.”

Europe’s vulnerability database

The European Cyber Security Organization (ECSO) highlighted the ramifications: “Without efficient management of vulnerability identifiers, the cybersecurity of critical infrastructure, systems, and products is at risk. Both private and public entities will face substantial challenges in exchanging information about vulnerabilities, comparing reports, sharing advisories, and, most importantly, swiftly managing security patching.”

Additionally, the European Union Vulnerability Database does exist and serves as a reminder to those in Europe who looked inward that not all solutions need to be found in the United States.


Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008). He is the founder of securelytravel.com.