US government funding for the world's CVE program has been abruptly turned off

stapp · Apr 16, 2025

US government funding for the world's CVE program – the centralized Common Vulnerabilities and Exposures database of product security flaws – ends Wednesday.

The 25-year-old CVE program plays a huge role in vulnerability management. It is responsible overseeing the assignment and organizing of unique CVE ID numbers, such as CVE-2014-0160 and CVE-2017-5754, for specific vulnerabilities, in this case OpenSSL's Heartbleed and Intel's Meltdown, so that when referring to particular flaws and patches, everyone is agreed on exactly what we're all talking about.
Click to expand...

https://www.theregister.com/2025/04/16/homeland_security_funding_for_cve/

stapp · Apr 16, 2025

Also see here

MITRE told KrebsOnSecurity the CVE website listing vulnerabilities will remain up after the funding expires, but that new CVEs won’t be added after April 16.
Click to expand...

https://krebsonsecurity.com

ronjor · Apr 16, 2025

CVE Foundation Launched to Secure the Future of the CVE Program

April 16, 2025
[Bremerton, Washington] – The CVE Foundation has been formally established to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program, a critical pillar of the global cybersecurity infrastructure for 25 years.
Click to expand...

emmjay · Apr 16, 2025

ronjor said: ↑

CVE Foundation Launched to Secure the Future of the CVE Program
Click to expand...

I just read that they changed their mind, the funding was approved just hours before the deadline.

https://www.theverge.com/news/649835/cve-cybersecurity-program-contract-renewed

summerheat · Apr 16, 2025

The European Union has launched its own vulnerability database which is still in its beta phase, though:

https://euvd.enisa.europa.eu/

ronjor · Apr 18, 2025

The US almost let the CVE system die - the cybersecurity world's universal bug tracker

By Daniel Sims April 17, 2025
A last-minute funding extension saved the system–but only for 11 months
Click to expand...

stapp · Apr 18, 2025

A much more depressing (and perhaps more realistic) overview of what could happen and the options.

https://www.theregister.com/2025/04/18/splintering_cve_bug_tracking/

Log in or Sign up

US government funding for the world's CVE program has been abruptly turned off

stapp Global Moderator

stapp Global Moderator

ronjor Global Moderator

emmjay Registered Member

summerheat Registered Member

ronjor Global Moderator

stapp Global Moderator

Log in or Sign up

US government funding for the world's CVE program has been abruptly turned off

stapp Global Moderator

stapp Global Moderator

ronjor Global Moderator

emmjay Registered Member

summerheat Registered Member

ronjor Global Moderator

stapp Global Moderator

Useful Searches