The Future of the Common Vulnerabilities and Exposures (CVE) Program
The Cybersecurity and Infrastructure Security Agency (CISA) is advocating for significant advancements in the Common Vulnerabilities and Exposures (CVE) Program, emphasizing collaboration, government support, transparency, infrastructure modernization, and improved quality of vulnerability data.
A Brief History of the CVE Program
The CVE Program, which celebrated its 25th anniversary last year, plays a crucial role in cybersecurity. Its primary goal is to identify, define, and catalog publicly disclosed security vulnerabilities. Over the years, it has expanded significantly, with the number of CVE Numbering Authorities (CNAs) rising beyond 400 and more than 28,000 new CVE records created in just one year.
As of 2025, the number of CNAs has increased to over 460. CISA acknowledges that the CVE Program is entering a new phase after a decade characterized by substantial growth.
Evolving Trust and Transparency
In a recent document outlining its vision for the future of the CVE Program, CISA highlighted the necessity for the program to adapt to the evolving needs of the global cybersecurity community. The new focus is on trust, responsiveness, and the quality of vulnerability data.
CISA describes the CVE Program as one of the most reliable and enduring resources in cybersecurity. To maintain its value, it must operate under principles of conflict-free and vendor-neutral stewardship. This includes fostering broad multi-sector participation and ensuring transparent processes and accountable leadership.
Commitment to Open Access
A vital aspect of the CVE Program is its commitment to transparency and open access. CISA emphasizes that the program should not be privatized and must continue to promote accessibility for all users. This approach facilitates coordinated cyber defense strategies, promotes innovation in security tools, and empowers defenders across various sectors globally.
CISA asserts that stewardship of the CVE Program should reflect the ideals of public good, encouraging global participation in governance and oversight.
Future Priorities for the CVE Program
Looking ahead, several key priorities have been outlined for the CVE Program:
- Diverse and International Partnerships: CISA aims to cultivate a broader range of partnerships within the global cybersecurity community.
- Government Investment: Sustained investments from governmental bodies, particularly CISA, are crucial for the program’s effectiveness and modernization.
- Infrastructure Modernization: Upgrading the CVE infrastructure through automation and enhanced capabilities is essential for improving data visibility and responsiveness.
- Quality Standards: Implementing minimum standards for the quality of CVE records will be a focus, ensuring that the data remains robust and reliable.
- Enhanced Data Quality: Developing mechanisms for data enrichment is vital for improving the quality of vulnerability data and refining the CVE schema.
CISA’s strategic vision reaffirms its leadership role in modernizing the CVE Program, aiming to solidify its position as a cornerstone in global cybersecurity defense.
Addressing Current Challenges
Despite the plans for the future, challenges remain. For instance, the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) is still grappling with a significant backlog of vulnerabilities. This highlights the need for an efficient and scalable approach to vulnerability management.
CISA’s commitment to enhancing the CVE Program is a forward-thinking response to the increasing complexities of the cybersecurity landscape. By focusing on collaboration, transparency, and quality, the CVE Program is set to play an even more pivotal role in safeguarding global cyber infrastructure.