🗓️ Live on June 17: The New Rules of Risk: EPSS v5 & Agentic Adversaries Register
runZero CAASM

CVE Marches On

todb
|
Updated

Good news, everyone!

I just dropped off the regularly scheduled CVE Board meeting (which I often go to, seeing as how I’m on the CVE Board), and wanted to share a quick update with all my infosec friends on the state of the CVE program, from my own point of view as a CVE Board member (and not speaking on behalf of the CVE Board). TL;DR: CVE continues to CVE, without an interruption in funding.

To recap:

Yesterday, on April 15, 2025 (does US Tax Day make this ironic?), Yosry Barsoum of the MITRE Corporation informed the CVE Board that there was a potential risk to the continued operation of the CVE program, with scary phrases like “will expire” and “break in service.”

This communication to the CVE Board leaked almost immediately — I didn’t see it in my email until I heard about it in about a dozen Signal chats I’m in.

Cue a day of widespread hand-wringing for most vulnerability intelligence professionals and hobbyists. But today, April 16, 2025, news attributed to CISA indicated they had found a solution late last night. From what I understand, CISA “executed the option period” on the contracting with MITRE, which means that CISA will continue to fund MITRE for CVE services for the next eleven months, give or take.

At the CVE Board meeting, we spent most of the time there with representatives from CISA (the funding organization of CVE) and MITRE (the operators of CVE). I won’t get into the weeds, but I will say that both organizations reassured the CVE Board multiple times and in as much clarity as humanly possible, that the CVE program will continue unabated.

Of course, while CVEs do not encompass the full scope of network security issues, I think we can all agree that they are still a critical component to track as part of a robust security program. Over the last 25 years, the CVE program has evolved into a critical, shared, and global resource that ultimately helps IT defenders keep their constituents safe and secure, and it’s important for this work to continue. (That said, if you want to dive into all of the other non-CVE exposures that we here at runZero think are equally important to detect and prioritize, we encourage you to watch our webcast with Omdia, now available on demand).

I look forward to continuing my side-gig as a CVE Board member and remain passionate about improving the CVE program to better serve the needs of the world's IT heroes — capes or no capes.

Written by todb

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infrastructure Security Agency, part of the US government, and a seasonal Travis County Election Judge in Texas. He's also a founder and CNA point of contact for AHA!. Tod spends much of his time involved in vulnerability research and coordinated vulnerability disclosure (CVD). He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern ICS/OT implementations. He has held IT ops, security, software engineering, and management positions in large organizations such as the US Government, Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Tod is a CVE Board member, has authored several research papers, and is an internationally-tolerated horror fiction expert.

More about todb
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Explore more runZero

Product
Announcing runZero 4.9: Unmask attack paths and segmentation gaps with advanced topology and deep OT device intelligence
With runZero 4.9, visualize attacker lateral movement, harden network choke points, gain deep OT telemetry to secure converged environments, and more.
Read More
Webcasts
runZero Hour, Ep. 30: Segmentation - stop assuming & start verifying with runZero 4.9
See runZero 4.9 in action! Join HD Moore and Tod Beardsley to learn how interactive attack path mapping and advanced OT intelligence expose hidden...
Watch Now
Product Videos
runZero 4.9: Advanced topology, attack path mapping, & deep OT intelligence
With runZero 4.9, visualize attacker lateral movement, harden network choke points, gain deep OT telemetry to secure converged environments, and more.
Watch Now
runZero Perspective
Dawn of the apex agentic adversary
When agentic AI can weaponize exploits in seconds, visibility is everything. Stop the predator with runZero’s exposure management for the AI-attack...
Read More
Webcasts
Beyond the Zero-Day: Mapping the network attackers actually see
Breaches are inevitable. Learn from HD Moore how attackers exploit the seams between IT, IoT, and OT networks — and how to fix the segmentation...
Watch Now
Podcasts
Risky Biz Interview: Navigating the AI vibe shift with HD Moore
runZero Founder and CEO HD Moore drops by in this week's Risky Biz sponsor interview to talk about the concerning AI vibe shift and what to do...
Watch Now
Podcasts
From two weeks to three days: The KEV deadline debate
Former CISA insider Todd Beardsley joins Greg to reveal what it takes to land on the KEV catalog and why ultra-short patching deadlines might...
Listen Now
Solution Briefs
runZero for NIS2 compliance
You can’t secure what you can’t see. runZero provides the complete asset visibility and continuous reporting you need to satisfy strict NIS2...
Read More

See Results in Minutes

See & secure your total attack surface. Even the unknowns & unmanageable.

Try runZero for Free
runZero CAASM
© Copyright 2026 runZero, Inc. All Rights Reserved