Report: Ensuring the Future of CVE — Why Improvements are Needed


The cybersecurity ecosystem is currently facing a trust challenge: vulnerabilities are hitting record highs and the CVE system is under strain.

The Common Vulnerabilities and Exposures (CVE) system is a global standard for naming and cataloging software vulnerabilities. It allows researchers, vendors and organizations worldwide to refer to the same disclosed vulnerability in a consistent, standardized way. 

The Initiative for Trust and Transparency in Cybersecurity (ITTC) believes that the CVE program is a cornerstone of global cybersecurity. For more than 25 years, CVE has enabled researchers, vendors, and governments to speak the same language when identifying vulnerabilities. Yet the program that companies and researchers have relied on for decades is under stress. The Center for Cybersecurity Policy and Law (CCPL) recently released a report detailing problems now facing the program, including questions about funding, governance and its long-term sustainability.

The report underscores several challenges currently facing the program, including:

  • Funding: Earlier this year, a threatened shutdown of the CVE program highlighted the risks of relying on a single funding stream – even if that’s the U.S. government.

  • Global trust and risk of fragmentation: As the EU and other entities explore their own vulnerability databases, the threat of fragmentation looms. Splintered systems could return us to a pre-1999 world of incompatible identifiers, confusing security teams and threat researchers.

  • Transparency gaps: Stakeholders need clearer visibility into how resources are allocated and how CVE evolves to meet modern demands.

CCPL’s report underscores these issues around governance, decision-making, and program direction.

CCPL’s report highlights the importance of the CVE system to the entire cyber ecosystem. 

CCPL’s research is an urgent call to action: the next year is critical as stakeholders debate funding models, governance reforms, and modernization efforts. ITTC will continue to champion a collaborative and transparent approach to the CVE system, which is a trusted backbone of vulnerability management now and into the future.