Following the sudden end of the Mitre contract for the CVE Programme, a group of vulnerability experts and members of Mitre’s CVE Board have launched a new non-profit to protect the program’s future.
The founders of the CVE Foundation aim to ensure the continuity and stability of the 25-year-old CVE Programme, which has relied on US government funding and Mitre’s management until now. Their concerns about the program’s sustainability intensified after a warning from Mitre’s Yosry Barsoum, highlighting the risks to this crucial cybersecurity resource. Kent Landfield, an officer of the foundation, emphasized the importance of CVE, stating, “CVE is a cornerstone of the global cybersecurity ecosystem and too important to be vulnerable itself.”
Cybersecurity professionals worldwide depend on CVE identifiers and data for their daily tasks, and losing access to this resource puts them at a significant disadvantage against cyber threats. The foundation has been preparing for a potential transition to an independent non-profit over the past year, ensuring that high-quality vulnerability identification and database integrity remain a priority.
Unlike Mitre, which has a broader research focus, the CVE Foundation will concentrate solely on the CVE Programme, aiming to solidify its status as a trusted, community-driven resource. This launch signals a critical step toward diversifying governance in the vulnerability management ecosystem.
While the CVE Programme continues to operate, reactions to the cancellation have been swift and critical. Tim Grieveson from ThingsRecon noted that the CVE framework is deeply embedded in security protocols, and its removal could disrupt collaboration among security teams. Delayed vulnerability reporting could lead to slower response times, giving cybercriminals an edge.
To maintain resilience during this shutdown, Grieveson urges security leaders to map out their dependencies on CVE feeds and APIs. Understanding their attack surface and collaborating with peers will be crucial in this uncertain landscape.
Chris Burton from Pentest People acknowledges the concerns about losing government funding for the CVE Programme but encourages a measured approach. He suggests that crowdfunding might offer a solution if the issue is financial, or a community board could take the lead if it’s operational. He remains optimistic, believing this could be a chance for the community to innovate rather than a cause for panic.
For immediate action, Grieveson advises security teams to:
1. Identify dependencies on CVE feeds and APIs to prepare for potential disruptions.
2. Seek alternative sources for vulnerability intelligence, ensuring comprehensive threat coverage.
3. Enhance intelligence sharing across industries to stay ahead of emerging threats.
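The first step, mapping where your tooling actually pulls CVE data from, is easy to do badly by memory. The script below is an added illustration, not code from the article or from anyone quoted in it: it scans a set of configuration and script files for URLs pointing at well-known CVE data sources, groups the hits by source, and flags files that depend only on CVE-programme infrastructure with no alternative feed configured. The hostname table is an assumed starting list (NVD, cve.org, the CVEProject GitHub mirror, OSV as a non-programme alternative) to be extended with whatever your own pipeline calls, and the sample files are constructed inline so the example runs offline.

```python
"""Inventory references to CVE feeds and APIs across config and script files.

Added example: the hostname table is an assumption to adapt to your own
environment, and SAMPLE_FILES is constructed sample input, not real config.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str       # file the reference was found in
    line: int       # 1-based line number
    host: str       # hostname that matched
    source: str     # human-readable source label
    category: str   # "cve_program" (depends on the CVE Programme) or "alternative"


# Key is a hostname, or "hostname/first-path-segment" for shared hosts such as
# GitHub. Assumed starting list; extend with the endpoints your tooling uses.
CVE_SOURCE_HOSTS = {
    "services.nvd.nist.gov": ("NVD API", "cve_program"),
    "nvd.nist.gov": ("NVD feeds", "cve_program"),
    "cve.mitre.org": ("MITRE CVE site", "cve_program"),
    "www.cve.org": ("CVE.org", "cve_program"),
    "github.com/CVEProject": ("CVE List GitHub mirror", "cve_program"),
    "api.osv.dev": ("OSV", "alternative"),
}

# Captures the hostname and, optionally, the first path segment of a URL.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(?:/([A-Za-z0-9_.-]+))?")


def classify(host, first_segment):
    """Return (label, category) for a known CVE data source, else None."""
    if first_segment:
        hit = CVE_SOURCE_HOSTS.get(f"{host}/{first_segment}")
        if hit:
            return hit
    return CVE_SOURCE_HOSTS.get(host)


def scan_text(path, text):
    """Find every reference to a known CVE data source in one file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in URL_RE.finditer(line):
            hit = classify(m.group(1), m.group(2))
            if hit:
                findings.append(Finding(path, lineno, m.group(1), hit[0], hit[1]))
    return findings


def inventory(files):
    """Map CVE-source dependencies for a {path: text} set of files.

    Returns the raw findings, a per-source index, and the list of files that
    reference CVE-programme sources without any alternative feed alongside.
    """
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))

    by_source = {}
    categories_per_file = {}
    for f in findings:
        by_source.setdefault(f.source, []).append((f.path, f.line))
        categories_per_file.setdefault(f.path, set()).add(f.category)

    without_fallback = sorted(
        p for p, cats in categories_per_file.items()
        if "cve_program" in cats and "alternative" not in cats
    )
    return {
        "findings": findings,
        "by_source": by_source,
        "files_without_fallback": without_fallback,
    }


# Constructed sample input standing in for a real config/script tree.
SAMPLE_FILES = {
    "scanner/config.yaml": (
        "nvd_api: https://services.nvd.nist.gov/rest/json/cves/2.0\n"
        "timeout: 30\n"
    ),
    "ingest/mirror.sh": (
        "#!/bin/sh\n"
        "git clone https://github.com/CVEProject/cvelistV5.git /srv/cvelist\n"
        "curl -s https://api.osv.dev/v1/query -d @query.json\n"
    ),
    "docs/runbook.md": "See https://www.cve.org/ for identifier lookup.\n",
    "app/settings.py": "TIMEZONE = 'UTC'\n",
}


if __name__ == "__main__":
    report = inventory(SAMPLE_FILES)
    for source, refs in sorted(report["by_source"].items()):
        print(f"{source}: " + ", ".join(f"{p}:{n}" for p, n in refs))
    print("Files with no non-programme fallback:", report["files_without_fallback"])
```

Pointing `inventory()` at real files (for example by reading every `*.yaml`, `*.sh` and `*.py` under a repository) gives a concrete list of what breaks if a given feed goes away, which is the input the second step, choosing alternative sources, needs.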
The security community needs to stay proactive as it navigates this changing landscape.