CVE Program Funding in Jeopardy: Satnam Narang of Tenable Shares Insights
“The reported expiration of funding for the MITRE CVE Program has naturally caused concern amongst cybersecurity professionals as well as organisations. Launched in 1999, the CVE Program has been an important pillar in the cybersecurity space, creating a taxonomy that has been used to help track over 250,000 CVEs as of the end of 2024. We still don’t know if this expiration of funding will go through, but in the event that it does, its impact will be felt broadly.
“CVE Numbering Authorities (CNAs) are responsible for reserving and assigning CVEs. While CNAs can reserve CVEs, the sheer volume of CVEs means that there’s only a really small window of time before those CVE identifiers run out.
“CVE is the language of vulnerabilities and exposures, so without it, we do not know what might take its place. There may be several competing solutions, but unless one emerges as the frontrunner, we may end up with a situation like we have with the naming of threat actors where there is no uniformity in names.
“Plus, the CVE Program provides a centralised space for tracking the assignment of CVEs, which many organisations have come to rely on. We’re continuing to monitor the developments around the planned expiration of funding.” — Satnam Narang, Sr. Staff Research Engineer at Tenable
