
Future of CVE Program in limbo as CISA, board members debate path forward

The future of the central repository for security vulnerabilities is being hotly debated as multiple entities seek to support the effort or create alternatives following a funding incident earlier this year that nearly shuttered the database’s website. 

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) released two documents explaining their plans for the CVE Program — a critical cybersecurity resource used globally to catalog thousands of software and hardware bugs. 

The CISA documents last week appeared to assert control over the CVE Program after subcontractor MITRE Corporation warned in April that the U.S. government may not renew a contract that funded the CVE.org website and about a dozen analysts who work to support the CVE Program. 

Although the Trump administration enacted a last-minute 11-month contract extension, the incident prompted board members of the CVE Program to kickstart their own organization — called the CVE Foundation — and outline their own vision for the effort, which would be run with CISA as one of several contributing entities.

Nick Andersen, executive assistant director for cybersecurity at CISA, rejected any notion that CISA would not have a lead role in the CVE Program last week, writing that the “mandate, mission, and momentum to lead this program into the future belongs to this agency.” 

“CISA is accountable to the American people to protect the nation’s critical infrastructure to ensure long-term continuity and mission focus. Suggestions to privatize the CVE Program or move to another alternative stewardship model might sound appealing, but the implications are serious,” he said.

“Private entities, even with the best intentions, face conflicts of interest, prioritizing shareholder value over national security.”

Multiple CVE Program board members, who spoke to Recorded Future News on condition of anonymity to speak freely about the situation, disputed CISA’s assessment and said the program would function best as a globally supported collaborative effort. They also argued that CISA was never the program’s steward or leading contributor, as it claimed.

Board members reiterated that the CVE Program is incredibly important to governments and organizations outside of the U.S. — with several countries recently passing legislation making the CVE system pivotal to national defense.

They said the U.S. government should continue to back the program but in a support role alongside the public and private sector. 

‘Conflict-free and vendor neutral’

On September 10, CISA published a two-page planning document about the CVE Program alongside Andersen’s statement that made general comments about the initiative’s need to evolve and “transition into a new era focused above all on trust, responsiveness, and vulnerability data quality.”

The document says the CVE Program must be led “with commitment to conflict-free and vendor neutral stewardship, broad multi-sector engagement, transparent processes, and accountable leadership.” 

CISA said the roadmap was informed by feedback the agency received from domestic and international partners.

The agency said it plans to expand the community of partnerships involved in the CVE Program, find “potential mechanisms for diversified funding,” implement technological improvements to the platform, improve the quality of CVE records and incorporate community feedback into program roadmap decisions.

Andersen said the roadmap represents CISA “reaffirming” its leadership role and “seizing the opportunity to modernize the CVE Program.”

CISA officials echoed Andersen, arguing in the document that privatizing the CVE Program “would dilute its value as a public good.” 

“The incentive structure in the software industry creates tension for private industry, who often face a difficult choice: promote transparency to downstream users through vulnerability disclosure or minimize the disclosure of vulnerabilities to avoid potential economic or reputational harm,” CISA explained. 

The conflicts of interest “reinforce the need for CISA to take a more active role in the long-term stewardship of the CVE Program,” the document claims. 

CISA went on to say it has “the appropriate mandate, relationships, and capability” as the U.S. agency in charge of cybersecurity, adding that the program should be run “as a public good with global participation in its governance.”

Andersen added that “fragmentation, privatization, or industry capture of this function would not only erode trust in the system — it would put American lives and infrastructure at risk.”

CVE Foundation responds

The CVE Foundation, created by board members in response to the April funding incident, claimed CISA’s document supported their vision “for a more transparent, globally supported, efficient, high quality CVE program.” In a comment under CISA’s link to the document on LinkedIn, the foundation said the roadmap shows the two entities have “compatible goals.”

“We agree that a transparently operated 501(c)(3) nonprofit charity is the appropriate model to ensure the CVE Program can thrive and that CVE data remains free and openly accessible as a public good. We welcome working with CISA to achieve these goals,” the foundation wrote. 

Despite the public comments, multiple CVE Program board members privately disputed CISA’s assessment of the situation, questioning the U.S. government’s commitment to the program. 

Members of the board have requested financial transparency and the exact terms of the $57.8 million contract CISA has with The MITRE Corporation. MITRE is a respected cybersecurity organization that supports multiple U.S. agencies involved in defense, healthcare, aviation and more. It initially sounded the alarm in April about the expiration of its contract with CISA to help run the CVE Program and related initiatives like the Common Weakness Enumeration (CWE) Program.

The board has not received any answer from the program sponsors about the contract, work items, payments and oversight for work completed.

The board members said the U.S. government is one of the 470 contributors to the program and does not set the strategy or policy of the program. About 90% of the material in the CVE database comes through global, voluntary contributions from the authoritative sources of vulnerabilities.

“The program partners participate and contribute voluntarily since they believe a clear and uniform numbering of security vulnerabilities helps keep their customers or constituents safe all across the globe,” they said. 

This year, the CVE Program expects to catalog more than 45,000 vulnerabilities. In the last six months, nearly 23,500 CVE records were added to the database. 

U.S. tax dollars were spent creating about 2,264 entries as of Sept. 18, representing about 9.6% of the total, according to data provided by the CNA Scorecard site that tracks CVE statistics. 

Most of the tax dollars for the CVE Program went through the contract with MITRE, and 146 CVE entries were contributed directly by CISA in the last six months. About 300 other organizations contributed CVE records in the last six months, including companies, vendors and government agencies in Japan, Germany, Spain, Singapore, India and more. 

CISA also adds missing details and other information to CVE records through its Vulnrichment project and the separate Known Exploited Vulnerabilities catalog. 

‘Wider discussions’

Cybersecurity experts said the conversation around the CVE Program was good for the community because it has led to a wider discussion on how to make it better and more efficient. 

VulnCheck security researcher Patrick Garrity said CISA’s roadmap is a good starting point for reforming the CVE Program.

VulnCheck has been the largest private sector contributor to CISA’s Vulnrichment effort to add more information to critical CVE entries. Garrity lauded CISA for offering to include researchers, academia, open-source communities and international partners in the CVE Program’s evolution.

He theorized that CISA’s statements about taking a more active role in the long-term stewardship of the program “indicates the organization may assume the secretariat role in administering the program, and governance could shift to direct government oversight.”

“There are plenty of opportunities for improvement across areas that have presented persistent challenges, such as transparency, communication, responsiveness, timely execution and collaboration,” he said. 

“CISA directly acknowledges the transparency and communication issues long cited by participants, and the commitment to milestone reporting, regular dialogue and expanding engagement beyond traditional software suppliers is critical to bridging trust gaps within the community.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.