The cybersecurity community has taken a significant step to ensure the enduring stability and independence of the Common Vulnerabilities and Exposures (CVE) Program with the establishment of the CVE Foundation. This newly formed non-profit organization is dedicated to maintaining the CVE Program as a globally trusted resource for identifying and cataloging software vulnerabilities.
For 25 years, the CVE Program has been instrumental in standardizing the identification of cybersecurity vulnerabilities. Managed by MITRE and funded by the U.S. Department of Homeland Security (DHS), the program has provided unique identifiers and an open database that enable security teams, vendors, and governments worldwide to coordinate responses to emerging cyber threats. This coordination is crucial for maintaining the security of the digital ecosystem.
However, the program faced uncertainty when MITRE announced that its contract with DHS would expire on April 16, 2025, without a renewal in place. This development raised concerns about potential disruptions in vulnerability tracking and coordination, which could have severe implications for national vulnerability databases, security advisories, and incident response operations.
In response to this challenge, a coalition of veteran CVE Board members and stakeholders worked diligently over the past year to establish the CVE Foundation. This independent, non-profit entity is dedicated solely to the stewardship of the CVE Program, ensuring that it remains a globally trusted, community-driven resource, free from reliance on a single government sponsor.
Kent Landfield, an officer of the new Foundation, emphasized the importance of this initiative:
“CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself. Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work—from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats.”
The formation of the CVE Foundation addresses longstanding concerns about the program’s sustainability and neutrality. By transitioning governance to a dedicated non-profit, the Foundation seeks to eliminate the risk of a single point of failure and reflect the truly international nature of today’s threat landscape.
Security experts and vendors have widely welcomed the move, with many pledging support and resources to ensure a smooth transition. In the coming days, the CVE Foundation will release further details about its organizational structure, transition planning, and opportunities for involvement from the broader cybersecurity community.
As the CVE Program enters this new chapter, the Foundation’s mission is clear: to preserve the integrity, availability, and quality of vulnerability data for defenders worldwide, ensuring that the digital world remains resilient in the face of evolving threats.
The launch of the CVE Foundation marks not just the preservation of a critical resource, but a recommitment to global collaboration and innovation in cybersecurity vulnerability management.