REPORT: CVE at a Crossroads: Building a Global Vulnerability System for the Next 25 Years

For more than two decades, the CVE system has been the foundation of global vulnerability management, ensuring that everyone from software developers to government agencies speaks the same language when identifying and patching security flaws.

The Initiative for Trust and Transparency in Cybersecurity (ITTC) believes that the CVE system is critical to the health of the global cybersecurity ecosystem. 

The Institute for Security and Technology (IST) recently released a new report, CVE at a Crossroads: A Blueprint for the Next 25 Years, which makes clear that IST believes the system is showing serious signs of strain. Funding instability, outdated infrastructure, and limited international governance threaten to fracture the global coordination that CVE has enabled since its founding in the 1990s, IST argues.

If policymakers don’t act soon, the cybersecurity community could risk losing one of its most important public goods and returning to a fragmented, pre-1999 world where vulnerabilities are tracked separately, slowing response times and weakening collective defense.

Why the CVE System Matters

The CVE program assigns unique identifiers — CVE IDs — to every publicly known software vulnerability, creating a universal catalog that allows defenders, researchers, and vendors to coordinate across borders and industries.

CVE data powers everything from threat intelligence and vulnerability scanners to national security databases like the U.S. National Vulnerability Database (NVD) and the EU’s new Vulnerability Database (EUVD). Without it, governments and companies would lack a shared baseline for describing or remediating specific vulnerabilities. 

As the IST report notes, CVE’s impact goes beyond tactical defense. Its data helps reveal systemic weaknesses across industries, enabling developers to eliminate recurring classes of vulnerabilities and advance the global “secure-by-design” movement. In short, CVE is more than a database; it is a cornerstone of trustworthy technology.

Why Funding Gaps Are a Growing Concern

In April 2025, the Department of Homeland Security’s contract with MITRE — the nonprofit that operates the CVE program — came within hours of expiring. The eleventh-hour renewal avoided a shutdown, but it raised concerns about how precarious the program’s single-source funding model had become and sparked conversations about how to create a more robust model.

IST’s report warns that even a temporary disruption could have far-reaching effects, such as delaying vulnerability publication, creating data inconsistencies, and fragmenting the global ecosystem as vendors or governments spin up their own incompatible systems. The result would be slower incident response and higher risk to critical infrastructure.

The report calls for a diversified funding model that brings together governments, industry, and philanthropic organizations. No single nation, it argues, should bear exclusive responsibility for sustaining a resource that the entire world depends on. Ensuring stable, transparent, and multilateral support for CVE is imperative.

Reimagining CVE for a Global Era

To secure the next 25 years of the program, IST recommends evolving CVE into a Global Vulnerability Catalog (GVC). This would act as a multistakeholder successor built on the same principles of openness that have made CVE successful.

Under this proposal, the GVC would maintain the global catalog of unique vulnerability identifiers, while national or regional vulnerability management programs, such as those led by CISA in the U.S., would enrich the data, add contextual insights, and tailor it to local needs.

IST also calls for modernizing CVE’s infrastructure to keep it resilient for the next 25 years. Stronger governance, transparent funding, and inclusive international representation will be key to preventing fragmentation and reinforcing trust in the system.

Read the report here