Screw gov’t funding, we’re going nonprofit, CVE Board declares after database debacle


Citing global security for all, CVE board members have announced the creation of a new nonprofit CVE Foundation, aimed at taking the onus for funding the critical vulnerability database program out of government hands.

Established to ensure “the long-term viability, stability, and independence” of the Common Vulnerabilities and Exposures (CVE) Program, the foundation said its goal is to ensure that the existence of the “globally relied-upon resource” is not dependent on a single government sponsor.

On Monday, a “leaked” letter addressed to a CVE Board member, written by the MITRE Corporation, warned of an imminent shutdown due to a potential lapse in US government funding, sparking widespread condemnation in the security world.

Kent Landfield, an officer of the CVE Foundation, called the 25-year-old program “a cornerstone of the global cybersecurity ecosystem” and one that is “too important to be vulnerable itself.”

“Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work – from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats,” Landfield said.

Image: CVE Foundation release (thecvefoundation.org)

Any long-term disruption to the CVE program would be “a direct threat to frontline cyber defense,” said Lorri Janssen-Anessi, Director of External Cyber Assessments at BlueVoyant.

“CVEs are the backbone of how we identify, prioritize, and patch vulnerabilities. Without a unified catalog, defenders are left chasing fragmented data across disconnected sources, slowing triage, breaking tooling, and increasing the risk of blind spots,” Janssen-Anessi said.

“Meanwhile, threat actors don't wait. They monitor CVE disclosures closely, often weaponizing vulnerabilities within hours or days,” explained the cyber director.

Without that centralized system, “defenders risk falling behind at the exact moment adversaries accelerate… putting every organization at greater risk and giving attackers the upper hand,” she added.

MITRE letter raised urgent concerns

The bold move to unite, triggered by this week’s potential shutdown of the program, had been at least a year in the making, according to the newly formed organization.

“A coalition of longtime, active CVE Board members have spent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation,” it said in an official release posted Wednesday on the foundation’s brand-new website.

The CVE Board comprises members from cybersecurity heavyweights, including Microsoft, Intel, Crowdstrike, Palo Alto, Red Hat, Cisco Systems, GitHub Security Lab, as well as representatives from CISA and the National Institute of Standards and Technology (NIST).

The foundation’s announcement came just hours after funding for the critical program was restored for 11 months in a Tuesday night Hail Mary by the US Department of Homeland Security, which governs the nation’s Cybersecurity and Infrastructure Security Agency (CISA).

The Board said concerns became “urgent” after the letter from MITRE VP and Center for Securing the Homeland (CSH) Director Yosry Barsoum notified members that “the US government did not intend to renew its contract for managing the program.”

That letter, dated April 15th – only one day before funding was set to expire – was subsequently leaked to the public Monday morning, stirring panic throughout the security industry, with researchers quickly taking initiative to archive the entire 275,000-record catalog in case of a catastrophic loss.

“The impact of MITRE discontinuing their services would be significant,” said Darren Meyer, Security Research Advocate at Checkmarx Zero. MITRE’s work “underpins many of the most important cybersecurity activities organizations engage in,” he explained.

“If MITRE cannot obtain the funding to continue to offer the CVE and CWE databases (among other things), it will have a major impact on every industry; and it won’t just be US-based companies,” Meyer said.

Meyer further pointed out that although “many mature industry vendors, including Checkmarx, offer their own advisory databases that include and enrich relevant portions of that data, alternatives to and backups of MITRE’s databases are not the whole story.”

Noting that the CVE Program has been operating as a US government-funded initiative since its inception, the Foundation said it would provide further information about its structure, transition planning, and opportunities for involvement in the coming week.

“While we had hoped this day would not come, we have been preparing for this possibility,” it said.