CISA Lays out Plans for Key Cyber Info Program


CISA's Nick Andersen said the agency is committed to "making the [CVE Program] resilient, inclusive, and community-driven." | CISA
CISA staff said the continuation of the CVE Program is essential to maintaining global cyber preparedness and information sharing.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released its vision for the future of the 26-year-old Common Vulnerabilities and Exposures (CVE) Program, pledging financial support and stability for the framework as it transitions from a “growth” to a “quality” focus. 

Begun in 1999 as a research project at MITRE, the CVE Program has been sponsored by DHS since 2003 and by CISA since the agency’s establishment in 2018. Users have access to “a common lexicon of real, exploitable vulnerabilities,” CISA Executive Assistant Director for Cybersecurity Nick Andersen said in a blog post. Since its inception, the program has enrolled more than 460 partners across 40 countries. 

The period until now represents the program’s “growth” era, CISA staff said in the CVE Quality for a Cyber Secure Future document, released Sept. 10. The document’s authors called the program “one of the world’s most enduring and trusted cybersecurity public goods” that “has contributed to exponential growth in the cybersecurity community’s capacity to identify, define and catalog hundreds of thousands of vulnerabilities.” 

“If you’re a cybersecurity practitioner, you already rely on the CVE Program — whether you realize it or not,” Andersen said.

However, the future of the program was called into question earlier in 2025 when MITRE reportedly informed program managers that the federal government’s contract for the corporation to maintain the CVE program had been cut and the program would have to shut down by April 16.  

Matt Hartman, CISA’s then-acting executive assistant director for cybersecurity, said in a release that the problem was “a contract administration issue” and that CISA had stepped in to resolve it before the contract lapsed. But Andersen acknowledged in his Sept. 10 post that “significant debate” about the program’s future had occurred in recent months amid reporting that federal funding for the program was in jeopardy.

Andersen asserted that CISA has “the mandate, mission and momentum to lead [the CVE Program] into the future,” saying the agency’s accountability to the American people makes it a crucial independent voice in the program’s decision-making. CISA staff echoed this argument in their document, saying that alternative arrangements such as privatization had been considered but found wanting.

“Privatizing the CVE Program would dilute its value as a public good,” CISA staff wrote. “The incentive structure in the software industry creates tension for private industry, who often face a difficult choice: promote transparency to downstream users through vulnerability disclosure or minimize the disclosure of vulnerabilities to avoid potential economic or reputational harm. These built-in conflicts could have a detrimental impact on program transparency.” 

The authors also said alternate stewardship models might lack stability, leaving the program open to “undue financial pressures or contribution-driven influence.” As a result, they said CISA needs to take a more active role in the management of the CVE Program. 

Staff identified several areas in addition to funding through which CISA can support the program. The first is for the agency to use its connections with its international counterparts, academic institutions, security researchers, operational technology developers and operators, and others to grant them more representation in the program that can “yield valuable insights and innovations.”  

CISA also will support infrastructure modernization and new services, including automation, while incorporating community feedback into road map decisions to expand transparency and communication. Data quality is another area for investment, with plans “to find creative ways to achieve quality, improve the CVE schema and forge ahead with innovative solutions,” the authors wrote.

“CISA is reaffirming our leadership role and seizing the opportunity to modernize the CVE Program, solidifying it as the cornerstone of global cybersecurity defense,” Andersen said. “In collaboration with the global cybersecurity community, CISA is committed to delivering a well-governed, trusted and responsive CVE Program aimed to enhance the quality of vulnerability data and global cybersecurity resilience.” 
