
Executive Brief
The Common Vulnerabilities and Exposures (CVE) program, a cornerstone of global cybersecurity infrastructure for over 25 years, faces an uncertain future following MITRE Corporation's warning on April 15, 2025 that federal funding for the program was set to expire. In response, a group of CVE Board members announced the formation of the CVE Foundation on April 16, 2025, positioning the new nonprofit as a potential steward for the vulnerability tracking system.
The funding crisis affects every organization that relies on CVE identifiers to track and communicate about security vulnerabilities. Software vendors, security researchers, enterprise IT teams, and government agencies worldwide use CVE numbers as the standard reference system for discussing specific vulnerabilities. Without continued operation, the security community would lose its primary mechanism for coordinating vulnerability disclosure and remediation.
MITRE has operated the CVE program since 1999 under contract with the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). The organization warned that without renewed funding, the program would face "deterioration" of services. The CVE Foundation's announcement came within 24 hours of MITRE's public warning, suggesting that contingency planning had been underway before the funding crisis became public.
Security researchers have begun questioning whether the CVE system's governance model remains appropriate for critical global infrastructure. The program's dependence on a single government contract and the rapid emergence of an alternative governance structure have prompted broader discussions about trust, transparency, and the sustainability of security infrastructure that the entire industry depends upon.
What Happened
On April 15, 2025, MITRE Corporation issued a public statement warning that its contract to operate the CVE program was expiring and that federal funding had not been renewed. The organization stated that without continued support, the CVE program would experience service degradation.
MITRE's statement indicated that the contract with CISA was set to expire, though the organization did not specify an exact date. The warning prompted immediate concern across the cybersecurity community, given the CVE program's role as the de facto standard for vulnerability identification.
On April 16, 2025, a group identifying themselves as CVE Board members announced the formation of the CVE Foundation. The foundation's website stated that the organization was established to "ensure the long-term viability, stability, and independence of the CVE Program." The announcement indicated that planning for the foundation had been underway for some time, predating the public funding crisis.
The CVE Foundation's founding statement emphasized the need for the CVE program to operate independently of any single government or organization. The foundation positioned itself as a neutral steward that could maintain the program's integrity regardless of changes in government funding or priorities.
By April 19, 2025, security researchers had begun publishing analyses questioning the CVE system's trustworthiness. Open Source Security published an article titled "Can We Trust CVE?" examining the governance implications of the funding crisis and the rapid emergence of the CVE Foundation.

Key Claims and Evidence
MITRE's public statement claimed that the CVE program would face "deterioration" without renewed federal funding. The organization did not specify what form this deterioration would take or provide a timeline for service impacts.
The CVE Foundation claimed that its formation was the result of "over a year of planning" by CVE Board members. The foundation's website stated that the organization was incorporated as a 501(c)(3) nonprofit, though documentation of this status was not immediately available for verification.
The foundation's announcement stated that the CVE program processes over 40,000 vulnerability records annually. The organization claimed that the program serves as "critical infrastructure" for the global cybersecurity ecosystem.
Security researchers at Open Source Security raised questions about the CVE program's historical governance. Their analysis noted that the program's reliance on a single government contract created a single point of failure for global security infrastructure.
The CVE Foundation's founding members were identified as current or former CVE Board members, though the foundation's website did not provide a complete list of founders or their affiliations.
Pros and Opportunities
The CVE Foundation's emergence offers a potential path toward more sustainable governance for the CVE program. A nonprofit structure could diversify funding sources beyond a single government contract, reducing vulnerability to political or budgetary changes.
Independent governance could increase international participation in the CVE program. Organizations outside the United States have historically expressed concerns about the program's dependence on U.S. government funding and oversight.
The funding crisis has prompted public discussion about the CVE program's importance, potentially increasing awareness among organizations that benefit from the system but have not contributed to its operation.
A foundation model could enable the CVE program to accept contributions from technology companies, security vendors, and other organizations that rely on CVE identifiers. Diversified funding could improve the program's long-term stability.

Cons, Risks, and Limitations
The rapid formation of the CVE Foundation raises governance questions. The organization emerged within 24 hours of MITRE's public warning, with limited transparency about its structure, funding, or decision-making processes.
The transition from government-funded operation to nonprofit governance introduces uncertainty. Organizations that have built processes around CVE identifiers face potential disruption if the transition is not managed smoothly.
The CVE Foundation's claim of "over a year of planning" suggests that CVE Board members were aware of potential funding issues before the public announcement. The timing and transparency of this planning process have not been fully explained.
Security researchers have noted that the CVE program already faces criticism for inconsistent quality and delays in assigning identifiers. A governance transition could exacerbate these existing challenges.
The foundation's funding model remains unclear. Without transparent information about financial sustainability, organizations cannot assess whether the CVE Foundation represents a viable long-term solution.
How the Technology Works
The CVE program assigns unique identifiers to publicly disclosed cybersecurity vulnerabilities. Each CVE identifier follows a standardized format: CVE-YEAR-NUMBER, where YEAR indicates when the identifier was assigned and NUMBER is a sequential identifier.
CVE identifiers serve as a common reference point for discussing specific vulnerabilities across organizations, tools, and databases. When a security researcher discovers a vulnerability, they can request a CVE identifier through MITRE or one of the program's CVE Numbering Authorities (CNAs).
CNAs are organizations authorized to assign CVE identifiers within their scope. Major technology companies including Microsoft, Google, and Apple operate as CNAs for vulnerabilities in their products. The CNA structure distributes the workload of CVE assignment across hundreds of organizations.
The CVE program maintains a database of vulnerability records that includes basic information about each vulnerability: a description, affected products, and references to additional information. Security tools and vulnerability databases use CVE identifiers to correlate information from multiple sources.
Technical context: The CVE program does not assess vulnerability severity or provide remediation guidance. Severity scoring is handled by the National Vulnerability Database (NVD), which is operated separately by the National Institute of Standards and Technology (NIST). The CVE and NVD programs are related but distinct, with different funding and governance structures.
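As an added example (not code from this brief, from MITRE or from the CVE program), the identifier format described above and the cross-source correlation it enables, in Python: a validator for the CVE-YEAR-NUMBER form, then a join of constructed CVE-style records (description, affected products, references) with constructed severity scores from a separate source, mirroring the CVE/NVD split. It assumes YEAR is four digits and NUMBER is at least four digits, which the brief does not state.

```python
import re

# Format described in the brief: CVE-YEAR-NUMBER. Assumption (not stated on the
# page): YEAR is four digits and NUMBER is four or more digits.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve_id(raw: str) -> tuple:
    """Validate a CVE identifier and return (year, number); raise ValueError otherwise."""
    m = CVE_ID_RE.match(raw.strip().upper())
    if not m:
        raise ValueError(f"not a CVE identifier: {raw!r}")
    return int(m.group(1)), int(m.group(2))


def normalize_cve_id(raw: str) -> str:
    """Canonical upper-case form, so records from different sources key identically."""
    year, number = parse_cve_id(raw)
    return f"CVE-{year}-{number:04d}"


# Constructed sample records (not real vulnerabilities), in the shape the brief
# describes for a CVE record. One ID is deliberately lower-case with stray whitespace.
CVE_RECORDS = [
    {"id": "CVE-2025-0001", "description": "Example overflow in ExampleApp",
     "affected": ["ExampleApp 1.0"], "references": ["https://example.invalid/adv-1"]},
    {"id": "cve-2025-0002 ", "description": "Example auth bypass in ExampleServer",
     "affected": ["ExampleServer 2.3"], "references": []},
    {"id": "CVE-2025-0003", "description": "Example XSS in ExampleWeb",
     "affected": ["ExampleWeb 4.1"], "references": []},
]
# Constructed severity scores from a separate scoring source (the brief notes NVD
# scores severity independently of the CVE program). One CVE is not scored yet.
SEVERITY_RECORDS = [
    {"id": "CVE-2025-0001", "cvss": 9.8},
    {"id": "CVE-2025-0003", "cvss": 6.1},
    {"id": "CVE-2024-99999", "cvss": 5.3},  # scored, but absent from our CVE feed
]


def correlate(cve_records, severity_records):
    """Join both sources on the normalized CVE ID.
    Returns (merged_by_id, ids_without_score, scored_ids_missing_from_cve_feed)."""
    by_id = {}
    for rec in cve_records:
        cid = normalize_cve_id(rec["id"])
        by_id[cid] = {**rec, "id": cid, "cvss": None}
    orphans = []
    for sev in severity_records:
        cid = normalize_cve_id(sev["id"])
        if cid in by_id:
            by_id[cid]["cvss"] = sev["cvss"]
        else:
            orphans.append(cid)
    unscored = sorted(cid for cid, r in by_id.items() if r["cvss"] is None)
    return by_id, unscored, sorted(orphans)
```

The two leftover lists are the operationally interesting output: IDs the scoring source has not reached yet, and IDs scored elsewhere that a vulnerability feed never delivered.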
Broader Industry Implications
The CVE funding crisis exposes the fragility of security infrastructure that the industry treats as a public good. Organizations worldwide depend on CVE identifiers without contributing to the program's operation or governance.
The situation parallels other cases where critical open source or community infrastructure has faced sustainability challenges. The OpenSSL Heartbleed vulnerability in 2014 revealed that widely used security software was maintained by a small team with minimal funding.
Government funding for cybersecurity infrastructure faces competing priorities. The CVE program's funding uncertainty reflects broader questions about how critical security infrastructure should be funded and governed.
The CVE Foundation's emergence could establish a precedent for transitioning government-funded security programs to nonprofit governance. Other programs facing similar funding challenges may look to the CVE transition as a model.
International organizations may use this moment to advocate for more globally representative governance of vulnerability tracking infrastructure. The CVE program's historical dependence on U.S. government funding has been a point of concern for non-U.S. stakeholders.
What Is Confirmed vs. What Remains Unclear
Confirmed:
- MITRE issued a public warning on April 15, 2025 about CVE program funding expiration
- The CVE Foundation was announced on April 16, 2025 by CVE Board members
- The foundation claims to have been planning for over a year
- The CVE program processes over 40,000 vulnerability records annually
Unclear:
- The exact timeline for MITRE's contract expiration
- Whether CISA or other government agencies will provide continued funding
- The CVE Foundation's complete governance structure and founding members
- The foundation's funding sources and financial sustainability plan
- How the transition from MITRE to foundation governance would be managed
- Whether the CVE Foundation has legal authority to operate the CVE program
What to Watch Next
CISA's response to the funding crisis will indicate whether government support for the CVE program will continue. Official statements from the agency have not been issued as of April 19, 2025.
The CVE Foundation's disclosure of governance documents, funding sources, and operational plans will provide clarity about the organization's viability. Transparency about these details will influence community trust in the foundation.
Major technology companies' responses to the CVE Foundation will signal industry support for the new governance model. Statements or financial commitments from companies that operate as CNAs would indicate confidence in the foundation's approach.
The CVE program's operational continuity in the coming weeks will demonstrate whether the funding crisis has immediate practical impacts. Any delays in CVE assignment or database updates would affect security operations globally.
Security researchers and industry analysts will continue examining the governance implications of the transition. Additional analysis of the CVE Foundation's structure and the circumstances of its formation will inform community assessment of the organization.
Sources
- The Verge - "The CVE program for tracking security flaws is about to lose federal funding" (April 15, 2025) https://www.theverge.com/news/649314/cve-mitre-funding-vulnerabilities-exposures-funding
- SecurityWeek - "Mitre Signals Potential CVE Program Deterioration as US Gov Funding Expires" (April 15, 2025) https://www.securityweek.com/mitre-signals-potential-cve-program-deterioration-as-us-gov-funding-expires/
- CVE Foundation - Official Website (April 16, 2025) https://www.thecvefoundation.org/home
- Open Source Security - "Can We Trust CVE?" (April 19, 2025) https://opensourcesecurity.io/2025/04-can-we-trust-cve/