
Funding crisis sparks fears for future of global CVE system
The future of a cornerstone in global cybersecurity has come under scrutiny after it emerged that US government funding for the Common Vulnerabilities and Exposures (CVE) programme is set to lapse, leaving no immediate replacement. The CVE system, widely considered a backbone of vulnerability tracking and coordination, underpins efforts by organisations worldwide to identify and address threats within software.
The impending lapse of funding raises pressing questions about the continued operation of the CVE programme, with experts warning of significant repercussions for the security ecosystem should the status quo be disrupted for an extended period. While CVEs have occasionally faced criticism for being imperfect or incomplete, they remain an essential resource for enterprise security teams tasked with defending increasingly complex digital landscapes.
Glenn Weinstein, chief executive at Cloudsmith, underscored the reliance of the software development community on the CVE system. "Software development teams at nearly every enterprise globally rely on the CVE system as a central organising principle for vulnerability identification and detection. They're an important tool that we use to secure each organisation's software supply chain," Weinstein said. He argued, however, that the community has recognised the limitations of the repository, noting: "CVEs aren't the only thing to protect against, and the CVE system is generally imperfect and incomplete under the best circumstances. The various communities that are invested in software supply chain security have been augmenting CVEs with additional sources of vulnerability data, as well as enriching CVEs themselves with metadata. It's grown into a complex information ecosystem."
Weinstein expressed hope for a sustainable resolution to the current funding crisis, highlighting the value of maintaining and investing in CVEs as a "somewhat-centralised resource." He added that, irrespective of the outcome, tools such as Cloudsmith are already built to assist software development teams in managing a "heterogeneous ecosystem of data sources" for vulnerabilities, malware, and licensing issues, facilitating the creation of automated security policies.
Adam Kahn, vice president of global security operations at Barracuda, offered a stark warning about the severity of the situation. "This isn't merely a bureaucratic oversight – it's a seismic threat to global cybersecurity. The CVE programme serves as the backbone of vulnerability coordination; without it, defenders fly blind and are left navigating a minefield without a map," Kahn said.
Kahn acknowledged that a temporary funding extension might provide "temporary relief," but cautioned that it was not a replacement for long-term stability. "If we fail to secure the future of the CVE programme, we risk transforming a vital pillar of digital defence into a significant vulnerability," he said.
The CVE system, managed in part by the not-for-profit organisation MITRE, functions as a central catalogue of publicly disclosed cybersecurity vulnerabilities. Its continuity is widely perceived as synonymous with the effective coordination of global cyber defence efforts, facilitating both detection and remediation of threats by vendor and open source communities alike.
The uncertainty surrounding the future of the CVE system highlights the fragility of vital cyber infrastructure. As governments and stakeholders deliberate over funding decisions, cybersecurity experts and software supply chain leaders urge quick action to reaffirm the programme's position as a trusted and sustainable resource. With industry consensus pointing towards its centrality in defending digital assets, calls for greater investment and modernisation of the CVE ecosystem have taken on a renewed sense of urgency. The coming days are likely to prove pivotal in shaping how governments and industry approach the governance and sustainability of shared cybersecurity resources.