Last-Minute Save: Government Extends CVE Funding as New Foundation Forms
The Cybersecurity and Infrastructure Security Agency (CISA) stepped in at the eleventh hour to keep the CVE program alive, underscoring the database’s critical importance.

A Temporary Reprieve – CISA Steps In
The immediate crisis around the Common Vulnerabilities and Exposures (CVE) database has been averted – for now.
Late last night, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) executed an emergency contract extension to ensure no lapse in CVE services. In fact, officials waited until practically the eleventh hour: the funding was due to run out on April 16, and just hours before the deadline, CISA exercised an option to extend the contract. The move guarantees that MITRE, the non-profit operator of the CVE program, can continue its work past the original cutoff date without shutting anything down.
CISA acknowledged the gravity of the situation in a statement, calling the CVE program “invaluable to the cyber community and a priority.” The agency’s spokesperson emphasized that they moved swiftly to prevent any disruption, saying in effect: We couldn’t let the lights turn off on CVE.
This last-minute action speaks volumes – it’s clear that once the threat of losing CVE became widely known, the government recognized it had to act. However, the fact that it came down to a nail-biting deadline has left many in the cybersecurity world both relieved and exasperated. Several members of the CVE Board have expressed their disappointment, both publicly and privately, at the lack of transparency until the last 24 hours.
Relieved, because the alternative – an abrupt end to vulnerability tracking – would have been calamitous. Thanks to this intervention, we won’t see an immediate blackout of the vulnerability database this week. Security teams worldwide breathed a sigh of relief, knowing that new CVE IDs will continue to be issued, and the feeds and websites will stay online. For all intents and purposes, business as usual can resume in the short term.
Exasperated, because it should never have gotten this close to disaster in the first place. The funding extension, while welcome, is a stopgap measure. It doesn’t resolve the underlying issue that led to the brinkmanship. It’s like slapping duct tape on a leaky dam – we’ve bought ourselves time, but the fundamental cracks still need fixing. Cybersecurity professionals and industry leaders are asking: what happens when this extended period runs out? Will we be back in the same position in a few months? The lack of a long-term plan is unsettling, and it highlights a glaring problem in how we fund and manage critical cyber infrastructure.
Enter the CVE Foundation – A Bid for Stability
One promising development amid the chaos is the announcement of a new CVE Foundation. Even before CISA’s extension was confirmed, a coalition of longtime CVE Board members had sprung into action. On the morning of April 16, they formally launched the CVE Foundation, a non-profit organization dedicated to ensuring the long-term viability and independence of the CVE program.
Why a new foundation? The people who know CVE best – including representatives from major tech companies, security firms, and international partners on the CVE Board – have harbored concerns for years about the program’s sole dependence on U.S. government funding. The sudden funding scare validated those worries in the starkest way possible.
In a press release, the foundation’s organizers noted that while government support helped CVE grow, it also created a single point of failure. Tying a globally critical resource to the fortunes of a single agency or political cycle was a recipe for instability. The CVE Foundation aims to fix that by transitioning the program to an independent footing, supported by a broader community of stakeholders.
The vision for the foundation is to diversify funding and governance of the CVE system. This could mean seeking support not just from the U.S. government, but also from international governments, private industry, and the cybersecurity community at large. Essentially, the people launching the foundation want to make sure that no single budget decision or bureaucratic hiccup can jeopardize the entire vulnerability ecosystem again. They’ve been quietly working on this plan for over a year (a sign that the writing was on the wall), and now they’ve hit the Go button.
It’s important to note that the foundation’s creation doesn’t instantly solve everything. Many questions are on the table: How exactly will the CVE Program transition from MITRE’s stewardship into this foundation’s control (if that’s the path)? Who will fund the foundation, and will it have enough resources to run such a vital operation? How will it maintain the trust and participation of the hundreds of organizations that contribute to and use CVE? The foundation’s backers have promised more details in the coming days and an open invitation for the broader community to get involved. In other words, the blueprint is being drawn, but the construction is just beginning.
This shift wasn’t a surprise—it has been thoroughly anticipated and strategically planned over several years. The cybersecurity community, often quietly, has invested substantial time and effort to make the CVE Foundation a reality. Many dedicated individuals, both publicly visible and behind the scenes, have endured skepticism and critique while steadily preparing for this vital evolution.
This proactive groundwork is now paying off, transforming a potential crisis into an opportunity for meaningful improvement. As the CVE Foundation moves forward, this collective effort deserves recognition and continued support from both public and private sectors.
A Two-Pronged Path Forward – Caution and Optimism
Right now, we have a dual-track situation: the U.S. government (through CISA) has put a temporary safety net under CVE, and concurrently, industry and community leaders are building a new safety net of their own in the form of the CVE Foundation. This is cause for cautious optimism. It means there is widespread recognition of CVE’s importance and multiple parties are willing to step up to keep it going.
The emergence of the CVE Foundation, especially, is being met with applause across the cybersecurity field. Many experts view it as a necessary evolution. The internet and the software industry are global, and vulnerabilities affect everyone, so having a single nation’s budget determine the fate of the vulnerability database always felt risky. A more independent CVE could be more resilient and even more neutral, which matters for getting international buy-in. (It’s not lost on observers that Europe has also been moving in this direction – the EU’s cybersecurity agency recently launched its own European vulnerability database initiative, likely inspired partly by the need for redundancy in case CVE falters.)
However, serious challenges remain. The stopgap funding removes the immediate sword of Damocles, but we don’t know for how long. If bureaucratic red tape or political wrangling delayed the contract once, it could happen again when this extension period ends. And while the foundation is a great idea, it’s brand new. It will take time to organize and ramp up, and it may encounter hurdles in raising funds. In the interim, everyone is counting on MITRE and CISA to keep the ship steady.
Lessons Learned
This episode, dramatic as it was, carries important lessons. Firstly, it highlights how reactive our approach to cybersecurity infrastructure can be. It took a very public near-disaster to spur action that, in hindsight, should have happened proactively.
Secondly, it underlines the need for broader support and awareness. The CVE Foundation’s core premise is correct: something so globally important shouldn’t live or die by a single source of funding. The community as a whole – from big tech companies that embed CVE info into their products, to international bodies – needs to invest in it. We’re already seeing positive momentum in that direction, but it will require persistence.
For now, crisis is averted. The CVE ticker will keep counting new vulnerabilities each day, and the registries and feeds will keep us all informed of what needs fixing in our digital lives. But the work is far from done. The stopgap measures must transform into a sustainable solution. The next time we write about CVE in a headline, hopefully it will be about a successful transition or a robust new funding model – not another cliffhanger.
The takeaway: we can’t ever take CVE for granted again. This incident woke everyone up to how much is at stake. It’s encouraging to see both government and private-sector leaders responding with urgency and innovation. If they follow through, the CVE program could emerge from this turmoil stronger than before – with a stable foundation (literally) and a global support network behind it.