CISA pledges to continue backing CVE Program after April funding fiasco
LAS VEGAS — Federal officials pledged Thursday to continue their stewardship of the CVE Program — which catalogs all public cybersecurity vulnerabilities — after a funding dispute in April led to industry concern about the effort’s future.
At the Black Hat cybersecurity conference in Las Vegas, two leaders from the Cybersecurity and Infrastructure Security Agency (CISA) were asked about the CVE Program’s future — which was thrown into doubt amid a flurry of high-profile cybersecurity contract cancellations following President Donald Trump’s inauguration.
Chris Butera, acting executive assistant director for the cybersecurity division at CISA, told the audience that the agency is heavily invested in the CVE program, will “continue to fund” it and plans to “improve” it.
“It is really central to all of our cybersecurity operations,” he said, using the recent security incident affecting Microsoft’s SharePoint product as an example.
“We have to have that exact, unique way to identify the specific vulnerability that we're talking about. In the SharePoint case, there were four different CVEs involved, so we had to have that specific unique identifier attached to the vulnerabilities,” Butera said.
“We were all talking about the same thing, and without the CVE program, we don't have that.”

From left, CISA's Chris Butera and Bob Costello speak at the 2025 Black Hat conference in San Francisco with Frank Cilluffo of the McCrary Institute. Image: Jonathan Greig / Recorded Future News
The program is a pillar of the cybersecurity system dating back to 1999 that countless cybersecurity vendors, governments and critical infrastructure organizations rely on for vulnerability identification. CVE stands for Common Vulnerabilities and Exposures.
The organization that runs the program sent out an urgent alert on April 15 warning that its contract with the federal government was not being renewed and that once it lapsed, no new CVEs would be added to the program and the program’s website would eventually cease.
CISA initially acknowledged that the contract was lapsing and said it was “working to mitigate impact and to maintain CVE services on which global stakeholders rely.”
The incident caused outrage in the cybersecurity community, and one day later CISA extended the CVE program contract for 11 months. The about-face did not stop pioneering cybersecurity experts from calling for the CVE program to be moved out of U.S. government control. The European Union launched a separate vulnerability database in May.
Several CVE Program board members banded together to create the CVE Foundation, which said it “vehemently believes the best path forward to preserve the critical service of the CVE Program is to transition it to a nonprofit entity with true international coordination, rigorous and transparent governance, and multiple funding sources from public, private, and nonprofit organizations.”
The organization added that software, hardware and services are not produced, maintained or consumed in a single jurisdiction, so it “must be a shared and global responsibility, and not one owned or controlled by a single nation.”
When asked on Thursday what had changed since April, Butera told Recorded Future News that “there was no funding issue, but rather a contract administration issue that was resolved prior to a contract lapse.”
In response to questions about the CVE Foundation and calls for funding or control outside of U.S. government hands, Butera said CISA is “committed to fostering inclusivity, active participation, and meaningful collaboration between the private sector and international governments to deliver the requisite stability and innovation to the CVE Program.”
“And we are committed to achieving these goals together,” he added.
During the Black Hat talk, Butera spoke at length about how the CVE program has grown significantly in the last five years, eclipsing more than 40,000 vulnerability records in a single year. He noted that the figure is likely to increase every year.
“That program is really foundational, both to our tactical operational work but also to some of our strategic work as well. It's really the basis and foundation for the whole vulnerability and cybersecurity ecosystem,” he said.
He pledged to push for more robust vulnerability records that contained more information on bugs, potential patches and more.
Information-sharing reauthorization and AI
Butera and Bob Costello, chief information officer for CISA, were speaking in place of CISA acting Director Madhu Gottumukkala, who had to back out of attending on Monday due to a personal matter.
Both expressed hope that Congress will pass a reauthorization bill for a pivotal cyber information sharing program and spoke at length about ways artificial intelligence will help defenders sort through troves of incident data.
Butera said the Joint Cyber Defense Collaborative (JCDC), which allows private sector companies to share threat information and more with government agencies, now has an AI security group that meets regularly and has several different initiatives.
“They released a playbook for how to respond to AI incidents last year, in coordination with these industry groups, and they continue to work together with industry to try to make sure that we're releasing secure [AI] systems,” he said.
Costello added that CISA is planning to release new services that will make it easier for organizations to sign up for their cyber hygiene services.
Both walked the audience through several concerns they have, including the growing trend of cybercriminals chaining vulnerabilities together to gain initial access to networks. Costello said that he is also working on CISA’s “technical debt” (the term for the accumulated cost of technology that was deployed quickly, with shortcomings that must later be remedied) and plans to fully migrate the organization to the cloud by September 30.
Butera also warned that the agency is still seeing organizations connect sensitive systems directly to the internet, exposing them to a variety of dangers. CISA has released several advisories highlighting the danger of exposing devices to the internet, particularly those connected to industrial control systems.
“We are thankful for Congress to give us an administrative subpoena authority that we can actually now use to figure out who owns some of those control systems that are connected to the internet, and with help from the ISPs, gain access to who that entity is, and then contact that entity and have them try to remove that from the Internet,” Butera said.
“Today, we've contacted over 3,000 entities, and we've had over an 80% success rate in getting some of those devices removed from the internet. So we think that is really important, and one way to reduce some attack surface.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.