Now You CVE, Now You Don't: How the MITRE CVE Program Nearly Went Dark

Federal / Government, Vulnerabilities

It has been quite a wild week in the land of CVEs. 

On Tuesday, MITRE, the company that administers the CVE program, said that the contract MITRE has with the Department of Homeland Security for the program would run out on April 16, throwing the future of the system into doubt and sending tremors of uncertainty through the security community. As security vendors, researchers, and corporate security teams scrambled to understand the potential consequences of the loss of funding for the CVE program, the Cybersecurity and Infrastructure Security Agency announced late Tuesday night that it had exercised an option to extend the contract through March, stabilizing the situation for the time being. 

“The CVE Program is invaluable to the cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience,” CISA said in a statement.

But the day of uncertainty about the fate of the CVE system revealed a fragility in a critical piece of the industry’s scaffolding. A vacuum in this space showed how quickly vulnerability management could have gone sideways (and still may). 

The CVE system is a bit of an odd duck. It’s an outgrowth of the late 1990s vulnerability research culture, a time when independent researchers and groups such as L0pht and w00w00 were finding bugs and (sometimes) reporting them to vendors, who often either ignored them or were actively hostile toward the researchers. At the same time, there was no one agreed-upon naming convention for vulnerabilities, which made bug descriptions difficult, and there wasn’t a central repository for vulnerability information, either. Most of that information lived on mailing lists that could be taken offline at any time and none was an authoritative source of truth. So when the CVE program was established in 1999 at MITRE, a non-profit research organization, it was envisioned as a way to solve those problems and bring some order to a chaotic situation. 

In the 26 years since, the CVE ecosystem has seen massive growth in terms of both scope and importance. While MITRE was once the only CVE numbering authority, there are now more than 450 CNAs around the world and there were more than 40,000 CVEs assigned in 2024 alone. It’s a highly complex and interdependent system and large portions of the security industry rely on it every day. It makes the work that people do with tools such as Censys more effective and efficient. All of this is supported by a single MITRE contract with DHS, something that has been widely known in the security community but that much of the outside world discovered this week. 

It’s unclear what exactly would have happened if the MITRE contract had actually expired, but we’ve already gotten a small glimpse of one potential future. On Wednesday, two new CVE-style efforts emerged: the CVE Foundation and the Global CVE Allocation System (GCVE). The CVE Foundation is the work of several existing CVE Program board members, while the GCVE is a new, European-based effort. Distributing the responsibility for managing CVEs could be a positive thing, but having multiple competing efforts could also lead to confusion and miscommunication. 

The contract extension for MITRE’s CVE program ensures some short-term stability for the ecosystem, but the CVE system may well look quite different in the not-too-distant future. 

AUTHOR
Dennis Fisher