EU Strengthens Common Vulnerabilities and Exposures Program Amid Funding Concerns
The European Union is taking significant steps to bolster a critical cyber vulnerability tracking system known as the Common Vulnerabilities and Exposures (CVE) Program. This initiative, essential for cybersecurity professionals globally, faces renewed scrutiny following a contracting scare involving MITRE, which has raised questions about the long-term sustainability of the program and the need for diversified support and governance.
Launched in 1999, the CVE Program provides a standardized framework for identifying publicly known cybersecurity flaws. Each vulnerability is assigned a unique identifier, facilitating clear communication among researchers, vendors, and government officials. Over the years, the program has become a foundational reference point in global cybersecurity operations.
ENISA’s Role in Strengthening a Bedrock Cyber Vulnerability System
At the recent RSAC Conference in California, Hans de Vries, the cybersecurity and operational chief at the European Union Agency for Cybersecurity (ENISA), emphasized the EU’s commitment to modernizing this essential mechanism for addressing cyber vulnerabilities. He stated that the goal is to “build upon” the program’s existing foundation and preserve the “great work that has been done there.”
This renewed focus comes in the wake of a tense situation last spring when MITRE indicated that federal funding for the CVE Program could abruptly end. Although the issue was resolved quickly due to backlash from the cybersecurity community, it exposed structural risks associated with reliance on a single U.S. government contract.
In response, EU member states have tasked ENISA with exploring ways to strengthen the system. De Vries highlighted the necessity of ensuring continuity, stating, “We cannot build on one contract alone, so we have to strengthen it, and make sure that foundation, that basic mechanism, and it’s a huge program, but that mechanism stays, and stays to the core that we want to build on.”
Legislative and Governance Challenges
Concerns regarding the resilience of the CVE Program extend beyond Europe. In the United States, congressional staff have begun drafting legislation aimed at formalizing the program’s structure and clarifying oversight responsibilities. This effort includes defining a more robust role for the Cybersecurity and Infrastructure Security Agency (CISA).
Moira Bergin, who leads cyber policy work for Democratic members of the House Homeland Security Committee, pointed out a significant challenge: while CISA is authorized to run the program, it is not explicitly mandated to do so. This lack of a clear mandate complicates accountability and creates uncertainty regarding operational expectations.
The proposed legislative approach also aims to insulate governance from political fluctuations. Bergin explained that draft provisions seek to “inoculate the [CVE] board membership from political cycles,” thereby reducing the risk of instability in managing this essential cyber vulnerability framework.
AI, Speed, and the Evolution of Vulnerability Tracking
The conversation surrounding the enhancement of the CVE system reflects broader changes in the threat landscape. Industry experts acknowledge that artificial intelligence is accelerating the speed and scale of cyberattacks, necessitating a more agile and responsive vulnerability tracking system.
Bob Lord, a former CISA official involved in the Secure by Design initiative, noted that some still assume CVE records are primarily for human interpretation. However, modern threats demand machine-readable, high-quality data from the outset.
Under the current model, vulnerability records are created upon the initial disclosure of flaws, and “enrichment” such as severity ratings and exploitability details is added later. Experts argue that delays in completing records can leave defenders vulnerable in an era characterized by machine-speed attacks. Lord emphasized the need to focus on record quality at the time of issuance rather than relying on later enrichment.
Continued Support from MITRE and CISA
Despite earlier concerns, U.S. authorities have taken steps to stabilize the CVE Program. A spokesperson for CISA confirmed that a “broad internal contracting review caused a brief renewal delay in April 2025, but operations continued without disruption,” and MITRE remains the operator of the CVE Program.
The Department of Homeland Security and CISA have since implemented measures to ensure continuity, maintain global vulnerability tracking, and expand usage. A spokesperson for MITRE reiterated the organization’s commitment, describing the program as a “critical global resource.”