Inside Cybersecurity

Nonprofit foundation seeks to ensure funding for vulnerability database amid CISA turbulence

By Jacob Livesay / April 30, 2025

A nonprofit organization run by board members of MITRE’s Common Vulnerabilities and Exposures Program is searching for alternative funding models for the widely used software security resource, amid concerns over CISA’s long-term ability to provide financial support.

“The reality is that the problem is not solved. We still have one organization that is funding the entire program when we’ve had other organizations ask us how they can help us funding-wise,” Kent Landfield, a vulnerability disclosure leader and longtime industry cyber expert, told Inside Cybersecurity.

Landfield has been a board member of MITRE’s CVE Program, which maintains a database of vulnerability information used by software developers and cyber defenders worldwide, since the library launched in 1999. He is also an officer of the CVE Foundation, which went public on April 16 to explore long-term funding solutions and improve the governance structure for the crucial cyber service.

Funding provided by CISA for operating the CVE library nearly lapsed on April 16, with MITRE announcing on April 15 that it planned to end support for the library the following day based on the expiration of a contract with the government.

CISA “executed the option period on the contract” just hours prior to its expiration “to ensure there will be no lapse in critical CVE services,” according to an April 16 statement from the agency. Funding for the library was extended for 11 months under the option.

The CVE Foundation responded to the MITRE program’s close brush with death by publicly calling for the exploration of sustainable funding models that do not rely solely on the U.S. government. The foundation’s first press release on April 16 said its work would be aimed at “eliminating a single point of failure in the vulnerability management ecosystem and ensuring the CVE Program remains a globally trusted, community-driven initiative.”

The foundation is not presenting new ideas, Landfield said, and has technically existed for some time. He explained, “Last summer, we started to get serious because we were having issues with the program and our concerns of a single-funder model, and because of that, we actually put a 501(c)(3) in place in the state of Washington.”

Landfield said the near-miss of the funding lapse “caused us to have to come forward a bit earlier than we had anticipated, and so now we’re reacting to try to deal with that situation.”

“Our intent is for a nonprofit to act as a mechanism for stabilizing CVE,” according to Landfield. “What we’re trying to accomplish is to provide a means for not only stable funding, but much more participation within the program itself, from the standpoint of trying to ensure that the program has the right kind of engagement internationally.”

CISA followed up on concerns from the software community with an April 23 statement from Matt Hartman, the agency’s acting executive assistant director for cybersecurity, citing a “contract administration issue” as the cause of the near-lapse, rather than a “funding issue.” Hartman said, “There has been no interruption to the CVE program and CISA is fully committed to sustaining and improving this critical cyber infrastructure.”

Hartman added, “CISA, in coordination with MITRE and the CVE Board, is committed to actively seeking and incorporating community feedback into our stewardship of the CVE Program. We are committed to fostering inclusivity, active participation, and meaningful collaboration between the private sector and international governments to deliver the requisite stability and innovation to the CVE Program.”

Landfield, however, said he does not see a CISA-owned program as a viable pathway to ensuring CVE functionality in the long term.

He said, “An 11-month extension isn’t a long-term solution, and right now there are serious concerns over CISA and its organizational funding.”

The CVE catalog is “a program that really does need to take the next step -- really does need to thrive and not just survive,” according to Landfield.

He said the library is “globally beneficial for all, and we do not believe that the current situation has really changed much, other than that we have a little more runway to make sure now we can do it in a more proper fashion.”

Looking ahead, Landfield said the foundation intends to pursue an “expanded” governance structure for the CVE catalog, with the goal of giving a voice to the broader software community around the world.

“Cybersecurity is not a nationalistic issue. Vulnerabilities cross boundaries all the time,” Landfield said. “Cybersecurity is a global problem, and as such, CVE has become a global standard for operational vulnerability management defenders.”

In an April 23 release, the foundation said it was exploring the option of turning the CVE library into a “publicly managed service.”

There are “countless examples” of services transitioning from the U.S. government to broader public initiatives, the release says, including “DARPA turning the ARPANET into the Internet, IANA managing protocol assignments, and ICANN managing Internet names and addresses, which all started with the government being the single source of funding.”

The release says, “In this same tradition, the CVE Foundation aims to support the transition of the CVE Program from a single-funding stream to a diversified funding model, which we believe will only strengthen the program and enable a stable, durable, internationally trusted program that works for the good of global consumers and organizations.”

An April 25 release from the foundation offers a preliminary update on talks with CISA.

It says, “Representatives from the CVE Foundation met with representatives from CISA on 4/24/2025. The talks were positive and encouraging. All parties wish to keep the conversation and progress moving forward.” -- Jacob Livesay (jlivesay@iwpnews.com)