
In a major shift for the cybersecurity world, the CVE Foundation has officially been launched to ensure the long-term independence and stability of the Common Vulnerabilities and Exposures (CVE) Program—one of the foundational systems for global vulnerability tracking. This comes just one day after a leaked letter revealed that the U.S. government will no longer fund MITRE’s role in operating the CVE program, ending a 25-year sponsorship that began in 1999.
The expiration of funding marks a pivotal moment for the CVE ecosystem, which has cataloged over 274,000 vulnerabilities to date and plays a critical role in cybersecurity tools, advisories, and global threat response operations.
“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure,” warned Yosry Barsoum, MITRE’s VP and Director of the Center for Securing the Homeland.
The breaking news was first leaked by well-known web app hacker Tib3rius, who posted on X:
"CVE Foundation Launched to Secure the Future of the CVE Program"
Please note this is not an official CVE Board action, but the action of a rogue group within the CVE Board to try and save the CVE Program. https://t.co/vkWsjUWZan https://t.co/8jHSMCZWzH pic.twitter.com/RCgUuUZBMk
— Tib3rius (@0xTib3rius) April 16, 2025
Responding to the looming uncertainty, a coalition of active CVE Board members has been working behind the scenes to develop a continuity plan. On April 16, the CVE Foundation was officially announced as a non-profit, independent body that will assume responsibility for CVE moving forward.
“The CVE Foundation has been formally established to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program,” the Foundation stated in a press release.
This change is being viewed as a safeguard against centralized control and potential service disruptions, reflecting growing concerns in the security community about the reliance on a single government-backed entity.
“CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” said Kent Landfield, an officer of the new Foundation. “Without CVE, defenders are at a massive disadvantage against global cyber threats.”
While the CVE Program itself will continue largely unchanged in purpose—identifying, tracking, and cataloging software vulnerabilities—its governance model will shift from government-contracted operations under MITRE to a community-driven, globally representative foundation.
“This move represents an opportunity to establish governance that reflects the global nature of today’s threat landscape,” the press release continued.
Over the coming days, the CVE Foundation promises to release more details about its internal structure, community roles, and plans for maintaining uninterrupted CVE service. Meanwhile, questions linger about what role—if any—MITRE will continue to play in the program’s technical infrastructure and data stewardship.