CVE Foundation Launched To Ensure Long-term Vulnerability Tracking

The newly established CVE Foundation has been formally launched to safeguard the long-term continuity, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program.

This move comes as the CVE Program, a 25-year foundational pillar of cybersecurity, faces unprecedented uncertainty following the expiration of its U.S. government contract.

For a quarter-century, the CVE Program, operated by MITRE under U.S. government funding, has served as the global standard for identifying, cataloging, and tracking software vulnerabilities.

Its unique identifiers and open database have enabled security teams, vendors, and governments worldwide to coordinate responses to emerging cyber threats, underpinning the security of the digital ecosystem.

However, this long-standing arrangement was thrown into jeopardy after MITRE confirmed that its contract with the Department of Homeland Security (DHS) would lapse at midnight on April 16, 2025, with no renewal in place.

The announcement sent shockwaves through the cybersecurity sector, raising fears of a breakdown in vulnerability tracking and coordination.

Experts warned that any interruption could severely disrupt national vulnerability databases, security advisories, and incident response operations, leaving defenders with dangerous blind spots.

Recognizing the urgency, a coalition of veteran CVE Board members and stakeholders has spent the past year preparing for this contingency.

Their solution: the creation of the CVE Foundation, an independent, non-profit entity dedicated solely to the stewardship of the CVE Program. The Foundation aims to ensure that the CVE system remains a globally trusted, community-driven resource, free from reliance on a single government sponsor.

“CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” said Kent Landfield, an officer of the new Foundation.

“Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work, from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats.”

The formation of the CVE Foundation addresses longstanding concerns about the program’s sustainability and neutrality. By transitioning governance to a dedicated non-profit, the Foundation seeks to eliminate the risk of a single point of failure and reflect the truly international nature of today’s threat landscape.

Security experts and vendors have widely welcomed the move, and many have pledged support and resources to ensure a smooth transition.

In the coming days, the CVE Foundation will release further details about its organizational structure, transition planning, and opportunities for involvement from the broader cybersecurity community.

As the CVE Program enters this new chapter, the Foundation’s mission is clear: to preserve the integrity, availability, and quality of vulnerability data for defenders worldwide, ensuring that the digital world remains resilient in the face of evolving threats.

The launch of the CVE Foundation marks not just the preservation of a critical resource, but a recommitment to global collaboration and innovation in cybersecurity vulnerability management.

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
