Kent Landfield, a founding member of the Common Vulnerabilities and Exposures (CVE) program and member of the board, learned through social media that the system he helped create was just hours away from losing funding. "Another board member gave me a call and said: 'What the heck?'" Landfield recalled in an interview with The Register, although "heck" wasn't exactly the term used, he added. "But I went, and looked at the letter and said: 'Wait a minute, that should be in my inbox, because it is addressed to the board,'" Landfield said.
He's referring to the April 15 letter seen around the world after being shared on Bluesky. It opened with, "Dear CVE Board Member," and was signed by Yosry Barsoum, MITRE's vice president and director at the Center for Securing the Homeland. Not-for-profit outfit MITRE, based in Massachusetts and Virginia, has had a contract with the US government to operate the CVE program since its inception in 1999.
The program has become the de facto standard for uniquely identifying and tracking security holes in products and projects, and is used by experts, organizations, and government bodies around the world to ensure that they're all talking about the same specific bugs. In last week's letter, Barsoum told the board that funding from Uncle Sam for MITRE to run the program had not been renewed.
For Landfield and other board members, along with the general public, this was a complete surprise. The CVE board is made up of representatives from governments, academia, antivirus makers, the infosec world, and more, who steer and advise the program while MITRE handles the day-to-day operations. "Through open and collaborative discussions, the board provides critical input regarding the data sources, product coverage, coverage goals, operating structure, and the strategic direction of CVE," its charter states.
"Quite honestly, we were mushrooms," CVE board member Peter Allor told The Register. "Kept in the dark." While this wasn't the first time government funding issues had come up during the program's over 25-year history, "we weren't really told about them," Landfield said.
"It was a contract negotiation between the federal government and MITRE, and we were not in a position of governing as a board, we were mainly there as a high-level guidance and advisor to instruct the program on how things needed to work," he explained. By now, everyone knows how this story ends — or at least continues for 11 months. The US govt's Cybersecurity and Infrastructure Security Agency, aka CISA, on Wednesday said it had "executed the option period on the contract to ensure there will be no lapse in critical CVE services."
The CVE board only found this out by reading the statement online. The contract, however, only runs through March 2026, calling into question its long-term sustainability — and exposing the inherent weakness of a global resource being funded by a single government sponsor. A single sponsor rapidly alienating allies around the globe, to boot.
"The US government needs to move this out from their sole funding and control for this global and collective problem regarding vulnerabilities and the enumeration of records," Allor said in a LinkedIn post. Behind the scenes, some members of the CVE board had been discussing these issues for almost a year: How do they ensure long-term funding and neutrality for the program? And how do they increase the resources necessary to ensure vulnerability information reaches network defenders in time to protect all of us? All of these discussions took place in private up until last Wednesday. Enter a new initiative: The CVE Foundation.
Its goal is to ensure that CVE remains a neutral, publicly available vulnerability resource with long-term funding from multiple groups. Most, but not all, of its members come from the CVE board. "Confusion resulting from the April 15, 2025 letter addressed to the CVE board has compelled us to plan for contingency with a sense of urgency to prevent disruptions to global cybersecurity defensive operations," the new group said in an April 16 statement.
That's a lot sooner than they had hoped. "We did not have this set up to pull the trigger at this point in time," Allor said. But so far, the response has been surprisingly swift and positive.
In less than a week's time since announcing the foundation, "the interesting part is the amount of people, organizations, governments, reaching out, [saying] 'We want to help. Can we donate?' It actually took our breath away," he added. Allor declined to name the governments or the organizations that pledged funding, but added the governments are "not in North America."
There's a place for everyone at this new CVE Foundation table, according to Allor: MITRE, CISA, private industry folks, and governments. "This should be global," he said.
"We have to stop looking at it like a pond. Look at it like an ocean." CISA declined to answer questions for this story, including if the agency would be willing to let the foundation be the new "long-term home" for the CVE program.
A CISA spokesperson directed The Register to an April 23 statement from Matt Hartman, CISA acting executive assistant director for cybersecurity, that says, in part: "There has been no interruption to the CVE program and CISA is fully committed to sustaining and improving this critical cyber infrastructure." And continues: "We have historically been and remain very open to reevaluating the strategy to support the continued efficacy and value of the program. We also recognize that significant work lies ahead.
CISA, in coordination with MITRE and the CVE board, is committed to actively seeking and incorporating community feedback into our stewardship of the CVE Program." The CVE Foundation, in a subsequent statement, noted that its members "stand in alignment with CISA and this commitment to working together to ensure a resilient, trusted, and innovative CVE Program." Other initiatives have successfully moved from the US government to a publicly managed service, according to the foundation: "DARPA turning the ARPANET into the internet, IANA managing protocol assignments, and ICANN managing internet names and addresses, which all started with the government being the single source of funding."
The CVE program can and should follow these examples, the foundation believes, and move "from a single-funding stream to a diversified funding model, which we believe will only strengthen the program and enable a stable, durable, internationally trusted program that works for the good of global consumers and organizations," the statement continues. "This is not a coup," said Landfield, who is also a member of the CVE Foundation. "These are people who have been in this program for 26 years, in some cases, and so we want to work to make this better.
These are passionate individuals that really do want this to succeed more than anything else on the planet." Some members of the CVE Foundation met CISA on Thursday. "The talks were positive and encouraging," the foundation said in a statement.
"All parties wish to keep the conversation and progress moving forward."
Amid CVE funding fumble, 'we were mushrooms, kept in the dark,' says board member

What next for US-bankrolled vulnerability tracker? It's edging closer to a more independent, global future