An open letter to the U.S. Congress

Safeguard the CVE Program

Safeguard the CVE Program Through Independent, Multi-Stakeholder Governance

The Common Vulnerabilities and Exposures (CVE) Program, which is a vital public infrastructure for global cybersecurity, is at risk. CVE provides a standardized, publicly accessible ID system for software vulnerabilities (i.e., computer bugs), used every day by governments, businesses, and defenders worldwide. Without CVEs, there’s no shared language for coordinating vulnerability disclosures, patches, and threat intelligence. That is, fixing bugs.

But CVE’s future is dangerously fragile. On April 15, 2025, the Department of Homeland Security let contract negotiations with MITRE collapse (see: https://www.bleepingcomputer.com/news/security/mitre-warns-that-funding-for-critical-cve-program-expires-today/). MITRE is the current and sole operator of CVE. Just 12 hours later, CISA exercised an emergency option (see: https://www.bleepingcomputer.com/news/security/cisa-extends-funding-to-ensure-no-lapse-in-critical-cve-services/) to keep the lights on for 11 more months.

The panic that followed in the cybersecurity community was well-founded: without sustained financial, technical, and administrative support, CVE could grind to a halt (see: https://www.forbes.com/sites/davidchou/2025/04/16/cios-face-unrealistic-expectations-as-cve-program-faces-uncertainty/). New vulnerability IDs would stop. The public database could go offline. The ripple effects would be global. That means all modern cybersecurity scanning tools stop working and cyber defense stops for everyone, globally.

This isn’t just a technical problem. It’s a governance failure. Right now, CVE relies entirely on a single federal contract, subject to Executive Branch whim. In an era of political instability and demonstrated hostility to independent public-interest programs -- USAID, NOAA, NEH, FDA, and many more -- that is an unacceptable risk.

**Congress must act now, not just to fund CVE for another year, but to ensure its long-term independence.**

We urge Congress to support the creation of a sustainable, multi-stakeholder model for CVE, similar to how the early internet transitioned from DARPA control to nonprofit stewardship of domain names and IP addresses. This means:

- Supporting a **nonpartisan, public-benefit organization** or consortium to oversee CVE operations, ownership, and management.
- Diversifying funding sources beyond a single federal (USG) contract, including public-private partnerships.
- Enshrining transparency, openness, and technical integrity as foundational principles.

CVE is the Rosetta Stone of cybersecurity risk. We cannot allow it to be a political hostage. Please support efforts to modernize its governance and funding and protect this essential global resource from disruption or capture.

▶ Created on May 9 by NowMarch
