Good news, everyone!
I just dropped off the regularly scheduled CVE Board meeting (which I often go to, seeing as how I’m on the CVE Board), and wanted to share a quick update with all my infosec friends on the state of the CVE program, from my own point of view as a CVE Board member (and not speaking on behalf of the CVE Board). TL;DR: CVE continues to CVE, without an interruption in funding.
To recap:
Yesterday, on April 15, 2025 (does US Tax Day make this ironic?), Yosry Barsoum of the MITRE Corporation informed the CVE Board that there was a potential risk to the continued operation of the CVE program, with scary phrases like “will expire” and “break in service.”
This communication to the CVE Board leaked almost immediately — I didn’t see it in my email until I heard about it in about a dozen Signal chats I’m in.
Cue a day of widespread hand-wringing for most vulnerability intelligence professionals and hobbyists. But today, April 16, 2025, news attributed to CISA indicated they had found a solution late last night. From what I understand, CISA “executed the option period” on the contracting with MITRE, which means that CISA will continue to fund MITRE for CVE services for the next eleven months, give or take.
At the CVE Board meeting, we spent most of the time there with representatives from CISA (the funding organization of CVE) and MITRE (the operators of CVE). I won’t get into the weeds, but I will say that both organizations reassured the CVE Board multiple times and in as much clarity as humanly possible, that the CVE program will continue unabated.
Of course, while CVEs do not encompass the full scope of network security issues, I think we can all agree that they are still a critical component to track as part of a robust security program. Over the last 25 years, the CVE program has evolved into a critical, shared, and global resource that ultimately helps IT defenders keep their constituents safe and secure, and it’s important for this work to continue. (That said, if you want to dive into all of the other non-CVE exposures that we here at runZero think are equally important to detect and prioritize, we encourage you to join us for our webcast with Omdia on April 23rd!)
I look forward to continuing my side-gig as a CVE Board member and remain passionate about improving the CVE program to better serve the needs of the world's IT heroes — capes or no capes.
