
A critical cybersecurity system that supports global threat coordination operates without guaranteed funding, statutory authority, or a formal governance structure. The Common Vulnerabilities and Exposures (CVE) program — which assigns standardized identifiers used worldwide to track and manage cyber threats — almost collapsed in April due to an expiring federal contract.

This close call exposed flaws in how one of the world’s most relied-upon cybersecurity programs is governed and funded, prompting calls for urgent structural reform. While the federal government extended the contract and funding for the CVE program, a July 17 report from the Center for Cybersecurity Policy and Law (CCPL) indicates that Washington has done little over the past three months to ensure the longevity of this foundational cybersecurity program.

How the Vulnerability Tracking Program Works and Why It Is at Risk

For more than two decades, the CVE program has served as the backbone of global vulnerability management. The program assigns unique identifiers to publicly disclosed software flaws, keeping organizations informed on the latest problems and mitigation measures. The CVE system allows companies, governments, and research institutions to speak the same language when analyzing how hackers access systems and how to patch or mitigate vulnerabilities.

When researchers discover a software flaw, MITRE, a non-profit organization that manages federally funded research and development centers, assigns the flaw an identification number. After that, the National Institute of Standards and Technology (NIST) scores the severity of the vulnerability and adds it to the National Vulnerability Database.

On April 15, however, MITRE announced that the federal contract under which it maintained the program would expire the following day. Just hours before expiration, the Cybersecurity and Infrastructure Security Agency (CISA) renewed the contract for 11 months, through March 16, 2026.

Band Aids Do Not Fix the Larger Problem

A July 17 report from CCPL warned that governance issues are limiting the CVE program’s effectiveness as a global public good. The fact that MITRE’s program relies on CISA funding creates a perception that CISA holds sole control over the program’s activities. In fact, the CVE program coordinates with more than 450 authorized organizations from 40 countries. The report warns that this de facto “single-nation ownership” of a system intended to “serve the global community” has created a “bottleneck” that hinders global collaboration on emerging cyber threats.

Meanwhile, NIST’s National Vulnerability Database has faced ongoing backlogs in processing CVE submissions due to capacity and budget constraints. Without NIST’s scoring, organizations may not know whether a particular vulnerability poses a significant risk and may not patch their systems as urgently as necessary to avoid a cyberattack. In June, Democratic lawmakers asked the Government Accountability Office to conduct a review of the CVE program’s structure, effectiveness, and longevity.

Collaboration Is Necessary To Secure Stable CVE Funding

The lack of stable funding for MITRE’s CVE program and NIST’s database has prompted outside organizations to explore creative funding mechanisms and alternative systems. The European Union, for example, has created the Global CVE Allocation System, which has an independent identification system.

However, CCPL warns that the proliferation of alternative systems can create inconsistency, duplication, and confusion, eroding the trust and coherence needed for global coordination on vulnerability disclosure and response. Instead, the U.S. government should work with international partners and the private sector to develop a joint, stable funding mechanism for the CVE program so that it remains the global gold standard for vulnerability management with the support of its many users around the world.

Jiwon Ma is a senior policy analyst at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where Meera Hatangadi is an intern. Follow Jiwon on X @jiwonma_92. Follow FDD on X @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.