BREAKING: CISA Steps In to Keep CVE Services Alive

By Gary Miliefsky, Publisher, Cyber Defense Magazine

Good news comes to us like a Windows Patch Tuesday: the Common Vulnerabilities and Exposures (CVE) Program will continue operating under an eleven-month extension of its federal contract, according to CISA. Over time, however, it might transition to the newly launched CVE Foundation, found online at https://www.thecvefoundation.org/, which states:

“Since its inception, the CVE Program has operated as a U.S. government-funded initiative, with oversight and management provided under contract. While this structure has supported the program’s growth, it has also raised longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor.

This concern has become urgent following an April 15, 2025 letter from MITRE notifying the CVE Board that the U.S. government does not intend to renew its contract for managing the program. While we had hoped this day would not come, we have been preparing for this possibility.

In response, a coalition of longtime, active CVE Board members have spent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation. The new CVE Foundation will focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide.”

In addition, BleepingComputer.com received and shared this update from the Director:

“Thanks to actions taken by the government, a break in service for the Common Vulnerabilities and Exposures (CVE®) Program and the Common Weakness Enumeration (CWE™) Program has been avoided. As of Wednesday morning, April 16, 2025, CISA identified incremental funding to keep the Programs operational. We appreciate the overwhelming support for these programs that have been expressed by the global cyber community, industry, and government over the last 24 hours. The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE and CWE as global resources.”
Yosry Barsoum, Vice President, Director, Center for Securing the Homeland, MITRE

Just in time — the Common Vulnerabilities and Exposures (CVE) system, a foundational pillar of global cybersecurity coordination, will continue uninterrupted. After public outcry and serious concern from cybersecurity leaders (myself included), the Cybersecurity and Infrastructure Security Agency (CISA) has announced it will extend funding to MITRE to ensure there’s no lapse in CVE operations.

Let’s be clear: the CVE system isn’t a luxury — it’s a necessity. Every major vulnerability database, threat intel feed, exploit prediction model (like EPSS), and vulnerability management platform relies on CVE IDs as the universal reference point. Without it, the entire industry would be navigating blind.

I’ve personally served on the CVE/OVAL advisory board. I’ve seen how much the industry depends on this program — from CISA’s KEV list to enterprise risk dashboards to open-source patching workflows to FIRST.org’s EPSS. It’s not just about compliance. It’s about real-time, actionable defense, and our entire cybersecurity industry depends upon it.

That’s why the news of MITRE’s funding cliff sent shockwaves through the infosec world. But thanks to swift action by CISA, we have a temporary bridge.

Now comes the bigger challenge: ensuring sustainable, long-term support for CVE and related programs like CWE and OVAL. These aren’t optional initiatives. They’re part of the cyber defense backbone — and they must be funded, protected, and modernized for the threats of today and tomorrow.

For now, hats off to CISA for stepping in. But let’s keep the pressure on — we need permanent solutions, not last-minute rescues. Maybe the CVE Foundation will be the answer to the call.

Gary Miliefsky
Publisher, @CyberDefenseMag
@Miliefsky | www.cyberdefensemagazine.com

About the Author

Gary Miliefsky is the publisher of Cyber Defense Magazine and a renowned cybersecurity expert, entrepreneur, and keynote speaker. As the founder and CEO of Cyber Defense Media Group, he has significantly influenced the cybersecurity landscape. With decades of experience, Gary is a founding member of the U.S. Department of Homeland Security, a National Information Security Group member, and an active adviser to government and private sector organizations. His insights have been featured in Forbes, CNBC, and The Wall Street Journal, as well as on CNN, Fox News, ABC, NBC, and international media outlets, making him a trusted authority on advanced cyber threats and innovative defense strategies. Gary’s dedication to cybersecurity extends to educating the public, operating a scholarship program for young women in cybersecurity, and investing in and developing cutting-edge technologies to protect against evolving cyber risks.
