CVE Foundation established to keep Common Vulnerabilities and Exposures (CVE) program afloat after U.S. government funding ends



On April 16, 2025 local time, the CVE Foundation was officially established to ensure the long-term viability, security, and independence of the Common Vulnerabilities and Exposures (CVE) Program, which has been a critical pillar of the global cybersecurity infrastructure for the past 25 years.

CVE Foundation
https://www.thecvefoundation.org/



Since its inception in 1999, the CVE program has been run as a U.S. government-funded initiative, with oversight and management provided by contract. This structure has supported the program's growth, but it has also raised questions from the CVE board about the sustainability and neutrality of tying a globally trusted resource to a single government sponsorship.

However, on April 15, 2025, the US Department of Homeland Security notified the government that it would not renew the funding contract for the CVE program, making it clear that the budget for the CVE program will expire on April 16, 2025 local time. Since the transition to the Trump administration, the US government has implemented various spending reduction policies.




The CVE program explained, 'We hoped that this day (the day when funding from the U.S. government would stop) would never come, but we have been preparing for that possibility,' and revealed that they have been preparing to launch the CVE Foundation so that the program can continue even if funding from the U.S. government stops.

'Over the past year, the CVE Foundation, a long-time and active member of the CVE Board, has developed a strategy to transition CVE to a dedicated, non-profit foundation that will be dedicated to continuing its mission of providing high-quality vulnerability identification and keeping CVE data secure and available for security practitioners worldwide,' the CVE Foundation said in a statement.

'CVEs are a cornerstone of the global cybersecurity ecosystem and are too important to be vulnerable,' said Kent Landfield, board member of the CVE Foundation. 'Cybersecurity professionals around the world rely on CVE identifiers and data as part of their daily work, from security tools and advisories to threat intelligence and response. Without CVEs, defenders are at a significant disadvantage against global cyber threats.'



The establishment of the CVE Foundation marks a major step toward eliminating a single point of failure in the vulnerability management ecosystem and ensuring that the CVE program remains a globally trusted, community-driven initiative. This move also represents an opportunity for the international cybersecurity community to establish governance that reflects the global nature of the threat environment.

In the coming days, the CVE Foundation will be publishing more information about its structure, transition plans, and opportunities for broader community participation.

After the announcement of the establishment of the CVE Foundation, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued a statement to security-related media outlet BleepingComputer saying, 'The CVE program is critical to the cyber community and a priority for CISA. Last night, CISA extended the option period of the contract to ensure there is no interruption to critical CVE services. We ask for your understanding and cooperation from our partners and stakeholders.' CISA has revealed that the contract extension with the CVE program is for 11 months.

CISA extends funding to ensure 'no lapse in critical CVE services'
https://www.bleepingcomputer.com/news/security/cisa-extends-funding-to-ensure-no-lapse-in-critical-cve-services/



In response to CISA's statement, MITRE, which developed, operated and maintained the CVE program, said, 'Thanks to the government's response, the CVE program and the Common Weakness Enumeration (CWE) program will not be suspended. As of Wednesday, April 16, 2025, CISA has secured additional funding to continue operating these programs. We appreciate the tremendous support for these programs from the cyber community, industry and government around the world over the past 24 hours. The government continues to make significant efforts to support MITRE's role in the programs, and MITRE intends to continue to leverage CVE and CWE as global resources.'

in Security, Posted by logu_ii