CVE Marches On

|
Updated

Good news, everyone!

I just dropped off the regularly scheduled CVE Board meeting (which I often go to, seeing as how I’m on the CVE Board), and wanted to share a quick update with all my infosec friends on the state of the CVE program, from my own point of view as a CVE Board member (and not speaking on behalf of the CVE Board). TL;DR: CVE continues to CVE, without an interruption in funding.

To recap:

Yesterday, on April 15, 2025 (does US Tax Day make this ironic?), Yosry Barsoum of the MITRE Corporation informed the CVE Board that there was a potential risk to the continued operation of the CVE program, with scary phrases like “will expire” and “break in service.”

This communication to the CVE Board leaked almost immediately — I didn’t see it in my email until I heard about it in about a dozen Signal chats I’m in.

Cue a day of widespread hand-wringing for most vulnerability intelligence professionals and hobbyists. But today, April 16, 2025, news attributed to CISA indicated they had found a solution late last night. From what I understand, CISA “executed the option period” on the contracting with MITRE, which means that CISA will continue to fund MITRE for CVE services for the next eleven months, give or take.

At the CVE Board meeting, we spent most of the time there with representatives from CISA (the funding organization of CVE) and MITRE (the operators of CVE). I won’t get into the weeds, but I will say that both organizations reassured the CVE Board multiple times and in as much clarity as humanly possible, that the CVE program will continue unabated.

Of course, while CVEs do not encompass the full scope of network security issues, I think we can all agree that they are still a critical component to track as part of a robust security program. Over the last 25 years, the CVE program has evolved into a critical, shared, and global resource that ultimately helps IT defenders keep their constituents safe and secure, and it’s important for this work to continue. (That said, if you want to dive into all of the other non-CVE exposures that we here at runZero think are equally important to detect and prioritize, we encourage you to watch our webcast with Omdia, now available on demand).

I look forward to continuing my side-gig as a CVE Board member and remain passionate about improving the CVE program to better serve the needs of the world's IT heroes — capes or no capes.

Written by todb

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infrastructure Security Agency, part of the US government. He's also a founder and CNA point of contact for AHA!. He spends much of his time involved in vulnerability research and coordinated vulnerability disclosure (CVD). He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern ICS/OT implementations. He has held IT ops, security, software engineering, and management positions in large organizations such as the Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. He is also CVE Board member, a Travis County Election Judge in Texas, and an internationally-tolerated horror fiction expert.

More about todb
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

See Results in Minutes

See & secure your total attack surface. Even the unknowns & unmanageable.

Discover the new era of exposure management!