
CVE Foundation Emerges From Stealth to Rescue CVE Program

The rapid defunding and refunding of the CVE Project is just another sign of the destabilization our government is currently experiencing.

Source: Pixabay

I’m guessing that Trump and Musk are behind this, and that this is just another essential thing the government does that they’re trying to break into pieces. The good news is that in this case not only was there a last minute reprieve, but some people saw it coming and made plans to keep things going in case the rug still eventually gets pulled out.

If this were the work of the dynamic duo of Pennsylvania Avenue, what they were busy trying to break was the Common Vulnerabilities and Exposures program, better known as CVE, which assigns a unique identifier to each publicly disclosed security vulnerability in software so that vendors, defenders, and researchers can all refer to the same bug and get it fixed, hopefully before the bad guys develop a way to exploit it.

MITRE CVE-related letter.

The story started on Tuesday, April 15, when MITRE, a nonprofit that among other things operates federally funded research and development centers supporting various federal government agencies, including the CVE program, sent a letter to CVE board members telling them that funding for CVE and other related programs was set to expire the next day, Wednesday, April 16. As you might imagine, when that news hit the internet, it got social networks buzzing.

For example, security guru Brian Krebs sent out an alarm on LinkedIn, just to make sure that everybody knew that this was serious:

“The CVE database is critical for anyone doing vulnerability management or security research, and for a whole lot of other uses,” he said. “There isn’t really anyone else left who does this, and it’s typically been work that is paid for and supported by the US government, which is a major consumer of this information, btw.”

The latter point is why the government pulling the rug out from under the project didn't make any sense. The project is hugely important to enterprises, which rely on CVE identifiers to track and prioritize the patching that keeps out intrusions leading to ransomware, theft of company secrets, and breaches of sensitive customer data that can end in identity theft. But it's also important from a national security perspective.

Fixing security bugs after a CVE is issued to sound the alarm is one of the prime ways we keep the Russians, the North Koreans, and other bad-news nation-state actors out of government-operated secure communications networks (presuming they're not using Signal), while also helping keep the software used by public utilities patched, which helps efforts to keep hackers from instigating a radiation release or poisoning a municipality's water supply.

From Out of Nowhere — The CVE Foundation

Then on Wednesday morning, at about the time that tech-oriented websites and tech-focused users on social sites were at peak craziness over the withdrawal of funding, a monkey wrench was thrown into the machinery by a news release from the CVE Foundation, an organization that nobody I know had heard of until then.

“The CVE Foundation has been formally established to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures Program, a critical pillar of the global cybersecurity infrastructure for 25 years,” the release opened, under the heading: “CVE Foundation Launched to Secure the Future of the CVE Program.”

The release went on to say that some members of the CVE board have had "longstanding concerns" about the "sustainability and neutrality of a globally relied-upon resource" under the control of a single government entity:


“This concern has become urgent following an April 15, 2025 letter from MITRE notifying the CVE Board that the U.S. government does not intend to renew its contract for managing the program. While we had hoped this day would not come, we have been preparing for this possibility.

“In response, a coalition of longtime, active CVE Board members have spent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation. The new CVE Foundation will focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide.”

The release went on to indicate that the foundation sees itself as a way of "eliminating a single point of failure in the vulnerability management ecosystem and ensuring the CVE Program remains a globally trusted, community-driven initiative," and said that more information about the organization will be released "over the coming days."

CISA Relents — Renews Funding for 11 Months

Meanwhile, back at the government, somebody either convinced the boneheads who thought it was a good idea to defund CVE to change their minds, or else did an end-run around them.

However it went, not long after the CVE Foundation made itself known, the Cybersecurity and Infrastructure Security Agency, better known as CISA, sent an email that called the CVE program "invaluable" and said that it had executed the option period on the contract "to ensure there will be no lapse in critical CVE services." A spokesperson for the agency told Reuters the funding would continue for 11 months.

That doesn't mean that the folks at the newly formed CVE Foundation can rest on their laurels, however. With the Trump mafia in the White House, I wouldn't depend on the 11-month window actually lasting two weeks.

4 Comments

  1. john Kerr, April 16, 2025

    WTF USA?

  2. Chris Kross, April 17, 2025

    3 and a half more years to go before the circus leaves town FOR GOOD!

    LoL!

  3. FOSS Force, April 17, 2025

    With luck, Chris, we’ll find a way to fold up their tents earlier than that.

  4. Chris Williamson, April 28, 2025

    The People’s Republic of China will be happy to fund CVE….
