{"id":8089,"date":"2025-10-20T08:00:00","date_gmt":"2025-10-20T13:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=86404"},"modified":"2025-10-20T08:00:00","modified_gmt":"2025-10-20T13:00:00","slug":"behind-the-struggle-for-control-of-the-cve-program","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/10\/20\/behind-the-struggle-for-control-of-the-cve-program\/","title":{"rendered":"Behind the struggle for control of the CVE program"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v24.5 (Yoast SEO v24.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Behind the struggle for control of the CVE program | CyberScoop<\/title> <meta name=\"description\" content=\"Following a funding scare that nearly shuttered the CVE program, outside experts and CISA are positioning to take charge of the 25-year-old system before the next funding crisis hits.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/cve-program-funding-crisis-nvd-cisa-alternatives\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Behind the struggle for control of the CVE program\"> <meta property=\"og:description\" content=\"Following a funding scare that nearly shuttered the CVE program, outside experts and CISA are positioning to take charge of the 25-year-old system before the next funding crisis hits.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/cve-program-funding-crisis-nvd-cisa-alternatives\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta 
property=\"article:published_time\" content=\"2025-10-20T13:00:00+00:00\"> <meta property=\"article:modified_time\" content=\"2025-10-20T13:16:46+00:00\"> <meta name=\"author\" content=\"Greg Otto\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/behind-the-struggle-for-control-of-the-cve-program-1.jpg\"> <meta name=\"twitter:creator\" content=\"@gregotto\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1759256725g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1760439954g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1753281318g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/86404\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" 
href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=86404\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcve-program-funding-crisis-nvd-cisa-alternatives%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcve-program-funding-crisis-nvd-cisa-alternatives%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-86404 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/cve-program-funding-crisis-nvd-cisa-alternatives\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> 
<\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.387168141593\">\n<div class=\"single-article__header-content\" readability=\"34.713958810069\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/cve-program-funding-crisis-nvd-cisa-alternatives\/\"> <span>Government<\/span> <\/a> <\/li>\n<\/ul>\n<p> Following a funding scare that nearly shuttered the CVE program, outside experts and CISA are positioning to take charge of the 25-year-old system before the next funding crisis hits. <\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/86404\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. 
<\/span> <\/p>\n<\/div>\n<p> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"360\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/behind-the-struggle-for-control-of-the-cve-program.jpg?resize=640%2C360&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/behind-the-struggle-for-control-of-the-cve-program-1.jpg 5892w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/behind-the-struggle-for-control-of-the-cve-program-1.jpg?resize=300,168 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/behind-the-struggle-for-control-of-the-cve-program-1.jpg?resize=768,432 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/behind-the-struggle-for-control-of-the-cve-program-1.jpg?resize=1024,576 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/behind-the-struggle-for-control-of-the-cve-program-1.jpg?resize=1536,864 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/behind-the-struggle-for-control-of-the-cve-program-1.jpg?resize=2048,1152 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/behind-the-struggle-for-control-of-the-cve-program-1.jpg?resize=600,337 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/behind-the-struggle-for-control-of-the-cve-program-1.jpg?resize=1200,675 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/behind-the-struggle-for-control-of-the-cve-program-1.jpg?resize=1500,843 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"143.60312002013\"><body 
readability=\"289.05938037866\"><\/p>\n<p>On April 16, less than a month after nonprofit R&amp;D organization MITRE <a href=\"https:\/\/cyberscoop.com\/cve-program-history-mitre-nist-1999-2024\/\">celebrated<\/a> the 25<sup>th<\/sup> anniversary of the Common Vulnerabilities and Exposures (CVE) effort, the program narrowly <a href=\"https:\/\/www.csoonline.com\/article\/3963190\/cve-program-faces-swift-end-after-dhs-fails-to-renew-contract-leaving-security-flaw-tracking-in-limbo.html\">escaped<\/a> a sudden demise when a last-minute, 11-month contract extension averted a shutdown.&nbsp;<\/p>\n<p>That near-miss put vulnerability experts and cybersecurity defenders on edge, most of whom still fear that this essential mechanism for detecting, tracking, and remediating software vulnerabilities could suddenly disappear overnight.<\/p>\n<p>Now, \u201cwe\u2019re still in the fragmented, visionary-picking-up-the-pieces phase here after the bomb was dropped in April, and this was the second year in a row, given that there was a bit of a funding crisis on the NVD\u201d in 2024, Brian Fox, co-founder and CTO of Sonatype, told CyberScoop.&nbsp;<\/p>\n<p>In early 2024, funding for the National Vulnerability Database, or NVD, maintained by the National Institute of Standards and Technology (NIST), dried up, and the organization <a href=\"https:\/\/cyberscoop.com\/plan-to-resuscitate-beleaguered-vulnerability-database-draws-criticism\/\">stopped providing<\/a> critical metadata for many vulnerabilities that organizations need to fix, an information shortage that has yet to be fully rectified.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>At stake is the future reliability and trustworthiness of a system that serves as the backbone for global software security. 
The CVE program is not just a technical database; it is the world\u2019s linchpin for coordinating how vulnerabilities are tracked, disclosed, and ultimately patched.&nbsp;<\/p>\n<p>Any disruption or uncertainty in the CVE program risks slowing down information sharing among defenders, undermining incident response, and granting attackers the upper hand. Control over the program therefore carries enormous influence \u2014 whichever organization is responsible will help set priorities, shape disclosure policies, and determine whether the system remains open, neutral, and effective, or slides into fragmentation, delay and confusion that could put crucial technology at risk.&nbsp;<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-the-growing-ranks-of-cve-alternatives\"><strong>The growing ranks of CVE alternatives<\/strong><\/h4>\n<p>Not only did the funding scare rattle defenders, it also opened the door for a wave of alternative system providers eager to take advantage of the opportunity. After CVE\u2019s near-death experience, <a href=\"https:\/\/cyberscoop.com\/cve-program-funding-crisis-cve-foundation-mitre\/\">a host of new ideas<\/a> and methods for tracking security vulnerabilities sprang to life or gained greater prominence.&nbsp;<\/p>\n<p>Among these were the <a href=\"https:\/\/euvd.enisa.europa.eu\/faq\">EUVD<\/a>, or the European Union Vulnerability Database, organized by the European Union Agency for Cybersecurity (ENISA); the <a href=\"https:\/\/gcve.eu\/\">GCVE: Global CVE Allocation System<\/a>, developed by CIRCL.eu, the Computer Incident Response Center in Luxembourg; and <a href=\"https:\/\/www.thecvefoundation.org\/\">the CVE Foundation,<\/a> a U.S.-based nonprofit formed to support the CVE program.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>All these alternatives seem viable to many for the simple reason that they are not dependent on the U.S. 
government as the sole funder.<\/p>\n<p>\u201cWe are at a point where what got the CVE program here is not going to get us to the next step,\u201d Jay Jacobs, founder of Empirical Security and chief data scientist emeritus and founder at Cyentia Institute, told CyberScoop. \u201cIt seems pretty clear that\u2019s the case.\u201d<\/p>\n<p>To that end, at least two other organizations have also thrown out new concepts for how CVE should be governed, and one of them is CISA itself.&nbsp;<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-cisa-s-vision-for-a-new-cve-program\"><strong>CISA\u2019s vision for a new CVE program<\/strong><\/h4>\n<p>Amid mounting criticism and uncertainty, CISA has also pushed for a revamped CVE program. On Sept. 10, CISA published its \u201c<a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2025-09\/CISA_Common_Vulnerabilities_and_Exposures_CVE_Program_Vision-v6_CLEAN.pdf\">vision<\/a>\u201d for a new CVE program that contemplates several fundamental changes.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>One of these changes opens the CVE program to a broader array of participants than the current situation allows. \u201cCISA intends to leverage its partnerships to ensure better representation from international organizations and governments, academia, vulnerability tool providers, data consumers, security researchers, the operational technology industry, and the open-source community,\u201d according to CISA\u2019s paper outlining its new approach.<\/p>\n<p>The agency says it will also evaluate mechanisms for diversified funding and hopes to modernize CVE with more rapid implementation of automation and other capabilities. 
To achieve transparency, CISA says it wants to seek community feedback and open dialogue with global partners.<\/p>\n<p>Finally, CISA further plans to improve CVE record quality and will prioritize improvements in these areas appropriate to the unique roles that <a href=\"https:\/\/www.cve.org\/programorganization\/cnas\">CVE Numbering Authorities<\/a> of last resort (<a href=\"https:\/\/www.cve.org\/resourcessupport\/allresources\/cnarules#section_2-4_CNA_LR_Operational_Rules\">CNA-LR<\/a>) play in the ecosystem.<\/p>\n<p>However, CISA has been dealing with massive funding cuts and <a href=\"https:\/\/www.nextgov.com\/cybersecurity\/2025\/06\/cisa-projected-lose-third-its-workforce-under-trumps-2026-budget\/405726\/?ref=metacurity.com#:~:text=Cyber%20Defense-,CISA%20projected%20to%20lose%20a%20third%20of%20its%20workforce%20under,by%20Andrew%20Harnik\/Getty%20Images\">staff layoffs<\/a> since January, including <a href=\"https:\/\/www.metacurity.com\/the-white-house-fired-176-cisa-employees-on-friday-with-more-layoffs-feared\/\">the firing<\/a> of nearly 200 workers at the start of the government shutdown on Oct. 1. It is also a particular object of enmity for the director of the White House\u2019s Office of Management and Budget, Russell Vought, who, when he <a href=\"https:\/\/www.metacurity.com\/the-white-house-fired-176-cisa-employees-on-friday-with-more-layoffs-feared\/\">spearheaded Project 2025<\/a> for the Heritage Foundation, wanted to get rid of the agency altogether. Moreover, the White House nominee to lead CISA, Sean Plankey, has yet to be confirmed.<\/p>\n<p>The murky future of CISA has only elevated the calls by some vulnerability experts that the CVE program must quickly be removed from U.S. government control. One leading vulnerability scientist, who asked not to be named to speak freely on political issues, told CyberScoop that \u201cpeople are looking for solutions that involve more private sector and less government action. 
This was true with the drama earlier this year, and is only intensifying with the layoffs at CISA, and now the shutdown.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Fox is another skeptic who questions whether CISA is a trustworthy vehicle to govern the CVE program, referencing a report where a whole bunch of security researchers from CISA were pulled \u201c<a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2025-10-08\/homeland-security-cyber-personnel-reassigned-to-jobs-in-trump-s-deportation-push?ref=metacurity.com\">to focus on immigration<\/a> or something like that.\u201d&nbsp;<\/p>\n<p>Not all experts agree that CISA should be eased out of a governing role over the CVE program. Nicholas Leiserson, senior vice president for policy at the Institute for Security and Technology (IST), said during a recent cybersecurity conference that \u201cwe\u2019ve heard public commitments from CISA that they\u2019re going to continue to support the program, and that\u2019s good.\u201d<\/p>\n<p>\u201cI think there\u2019s still an opportunity for the US government to play, and they should be playing a vital role in funding this,\u201d Mitchel Herckis, global head of government affairs at Wiz, told CyberScoop.<\/p>\n<p>As for the experts running the alternatives,&nbsp; they say that CISA has not reached out to them to discuss the ambitious changes it outlined in the agency\u2019s vision. 
\u201cTalking with a lot of people in the vulnerability management ecosystem, in which I participate, and talking to other nonprofits and people who are very much associated with this, CISA has not contacted them,\u201d Pete Allor, chairman of the CVE Foundation, told CyberScoop.<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-global-vulnerability-catalog\"><strong>Global Vulnerability Catalog<\/strong><\/h4>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>While CISA outlines one path forward, think tanks and policy groups are sketching out others, most notably, a proposal from IST that would globalize the vulnerability naming model.<\/p>\n<p>On Oct. 8, IST released a <a href=\"https:\/\/securityandtechnology.org\/virtual-library\/report\/cve-at-a-crossroads\/\">position paper<\/a> that serves as a \u201cblueprint\u201d for the next 25 years of the program. This document, of which IST\u2019s Leiserson is a lead author, advocates creating a Global Vulnerability Catalog or GVC that, like CVE, relies on unique identifiers for maintaining and providing access to a catalog of actionable cybersecurity vulnerabilities.<\/p>\n<p>The blueprint envisions that the GVC will start with the CVE program and build from there, with an expanded pool of board members, a diverse array of funding mechanisms, and the U.S. government, including the White House\u2019s Office of the National Cyber Director, providing governance.<\/p>\n<p>Leiserson stresses that diversity of funding is key under the GVC model. \u201cDiversity is the most important thing, and that\u2019s diversity from other governments,\u201d he told CyberScoop. \u201cIt\u2019s diversity from a diverse pool of industry. 
It\u2019s diversity from philanthropy and other foundations, but diversity is critical and is core to our thesis.\u201d<\/p>\n<p>And yet he points to one of the biggest risks in having multiple governments participating in the GVC program, which is fragmentation. \u201cThe advantage of a global vulnerability catalog is that it\u2019s singular,\u201d he said.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cYou need one of those, and you lose almost all of the utility out of it once you start seeing fragmentation,\u201d he added. \u201cAnd the greatest risk from fragmentation is from governments. If you don\u2019t have strong governmental buy-in, and that means as part of the governance and as part of the funding stream, you\u2019re going to run into problems.\u201d<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-cve-foundation\"><strong>CVE Foundation<\/strong><\/h4>\n<p>The CVE Foundation offers one of the most visible alternatives to the current system. It began advocating to replace the CISA-MITRE model as the brief funding crisis got underway in March.&nbsp;<\/p>\n<p>Unlike some vulnerability experts, who call for transition periods of at least a year, Allor thinks it would be relatively easy to transition the current CVE system from CISA and MITRE to his nonprofit model. \u201cCVE is just a namespace,\u201d meaning that it\u2019s just a set of unique identifiers, he told CyberScoop. \u201cSo if the United States government, through CISA, is basing a strategy on CVE, then I think they need to seek other employment.\u201d<\/p>\n<p>Allor would like to see governments participate in the foundation, but not play a governance role, which is a difficult needle to thread. \u201cThe problem for governments is they like to say, \u2018Well, I came in with money and I get the vote and all that,\u2019\u201d he said. \u201cGuess what? 
You\u2019re just somebody who helps contribute dollars. That doesn\u2019t give you a veto or an override for everyone else.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Allor says he is very close to being able to transition CVE to the foundation, with \u201cone financial backer right now who\u2019s asking us to come forward with another backer publicly,\u201d he told CyberScoop. \u201cI think then you\u2019ll have some national governments and a regional government body, and a whole bunch of other private-sector backers that will come forward.\u201d&nbsp;<\/p>\n<p>Allor predicts these backers will go public within weeks, not months.<\/p>\n<p>Disputes remain about how much CISA currently invests in the program. Some sources say it\u2019s $60 million per year, while other sources say it\u2019s closer to $25 million. Allor says the foundation is working off a budget that is in the \u201clow eight-figure\u201d range.<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-time-is-of-the-essence\"><strong>Time is of the essence<\/strong><\/h4>\n<p>Whether any of these competing models win out remains uncertain, but time is running short before the next funding cliff arrives.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Allor says that the 11-month extension keeping the CVE program afloat expires March 6, 2026, so CISA must act quickly to avoid another funding crisis \u2014 a scenario that\u2019s unlikely given the agency\u2019s current level of disarray and the broader government shutdown turmoil.&nbsp;<\/p>\n<p>Alternatively, one of the competing models, such as the GVC or the CVE foundation, needs to act quickly to avoid a CVE disaster.&nbsp; Yet several experts say the world will not end if CISA fails to provide continuity in the CVE program and a temporary lapse 
ensues.<\/p>\n<p>\u201cIn the case where that happens and the CVE program ceases to be a priority for the U.S. government, third parties will pick it up, whether that\u2019s our friends in Europe or a consortium like the CVE Foundation comes together,\u201d Ben Edwards, principal research scientist at Bitsight, told CyberScoop.<\/p>\n<p>\u201cAnd it\u2019s nice that the frameworks, the infrastructure for the most part, are open,\u201d he added. \u201cYou can go download the CVE frameworks. A lot of the stuff that MITRE does to run in the background is available through the CVE program. I don\u2019t see it as impossible for another organization to take over that governance.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.8294701986755\">\n<div class=\"author-card\" readability=\"10\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/behind-the-struggle-for-control-of-the-cve-program.png?w=640&#038;ssl=1\" alt=\"Cynthia Brumfield\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Cynthia Brumfield<\/h4>\n<p> Cynthia Brumfield is a veteran communications and technology analyst who is now focused on<br \/>\ncybersecurity. She runs a cybersecurity news and information site, Metacurity.com. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of 
HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/cve-program-funding-crisis-nvd-cisa-alternatives\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Behind the struggle for control of the CVE program |<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1765,4157,78,452,117,3303,927,256],"tags":[1770,4158,86,454,119,3304,929,262],"class_list":["post-8089","post","type-post","status-publish","format-standard","hentry","category-cve","category-cve-foundation","category-cybersecurity","category-cybersecurity-and-infrastructure-security-agency-cisa","category-government","category-mitre","category-nist","category-research","tag-cve","tag-cve-foundation","tag-cybersecurity","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-government","tag-mitre","tag-nist","tag-research"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cve\/\" rel=\"category tag\">CVE<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cve-foundation\/\" rel=\"category tag\">CVE Foundation<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category 
tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/mitre\/\" rel=\"category tag\">MITRE<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/nist\/\" rel=\"category tag\">NIST<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a>","tag_info":"Research","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8089","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8089"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8089\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8089"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8089"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8089"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}