
Yesterday, we discussed the alarming development that the renowned cybersecurity initiative, the Common Vulnerabilities and Exposures (CVE) program, has been defunded by the U.S. government. Operated by the nonprofit organization MITRE, the CVE project has long relied on various U.S. government departments as its primary clients. However, MITRE’s contract with the government expired on April 16, 2025, and was not renewed.
Without continued financial backing, the CVE project can no longer operate at its previous capacity. Should the program stagnate, the repercussions for the cybersecurity industry could be severe. The fact that this announcement came only now suggests that MITRE had engaged in prolonged negotiations with the government, ultimately to no avail.
In response, CVE has officially established a nonprofit foundation. While the members of the CVE Board did not wish for this loss of government funding, they were well aware of the risks inherent in depending on a single funding source. Over the past year, they developed a strategic plan to transition CVE into a dedicated nonprofit foundation.
Now officially launched, the CVE Foundation reaffirms its commitment to the critical mission of providing high-quality vulnerability identification. It pledges to uphold the integrity and availability of CVE data for defenders around the world. In its official press release, the foundation stated:
"CVE is a cornerstone of the global cybersecurity ecosystem, and its security must not be taken for granted. Security professionals worldwide rely daily on CVE identifiers and data—for everything from security tools and advisories to threat intelligence and incident response. Without CVE, defenders would face a serious disadvantage in combating global cyber threats."
The establishment of the CVE Foundation marks a crucial step toward eliminating the single point of failure within the vulnerability management ecosystem. The new foundation ensures that the CVE initiative remains a globally trusted, community-driven endeavor. For the international cybersecurity community, this transition also heralds new opportunities to shape a governance model that reflects the evolving threat landscape on a global scale.
In the coming days, the CVE Foundation will release further details regarding its organizational structure, transition plans, and opportunities for broader community engagement.