Last week, panic rippled through the cybersecurity community as news broke that the contract for operating the CVE Program, the backbone of global vulnerability coordination, was in jeopardy. MITRE’s stewardship, which has spanned decades, was suddenly up in the air. With hours to spare, CISA extended the contract by 11 months, temporarily averting disaster.
In the wake of the chaos, CISA issued a public statement seeking to reframe the narrative. According to Matt Hartman, CISA’s Acting Executive Assistant Director for Cybersecurity, “there was no funding issue,” but rather a “contract administration issue” that had been resolved before any lapse could occur. Hartman reiterated that CISA remains committed to sustaining and improving the CVE Program, highlighting efforts to incorporate community feedback, foster inclusivity, and ensure global coordination.
But if it wasn’t about money, what triggered such widespread alarm and why are stakeholders still uneasy? The recent statement leaves many questions unanswered.
In parallel to CISA’s assurances, news surfaced of a newly established CVE Foundation, a nonprofit initiative created by a subset of CVE Board members, reportedly in the works for over a year. Its goal is to assume long-term stewardship of the CVE system and transition it away from single-source funding.
In a public statement released on April 23, the CVE Foundation responded to mounting criticism by aligning itself with CISA’s vision and reinforcing its support for a collaborative, sustainable future for the program.
“We stand in alignment with CISA and this commitment to working together to ensure a resilient, trusted, and innovative CVE Program,” the Foundation wrote. “The model of successfully transferring initiatives from the U.S. government to a publicly managed service or program has countless examples,” citing DARPA’s handoff of ARPANET, IANA’s protocol stewardship, and ICANN’s management of internet namespaces.
The Foundation framed its role as enabling a transition from a single-source funding model to a more stable, diversified one, arguing this approach would strengthen, not fracture, the CVE Program. Its stated mission is to ensure that the program remains “durable, internationally trusted, and works for the good of global consumers and organizations.”
The creation of the CVE Foundation, however, was met with sharp criticism. In a post on LinkedIn, former CISA Director Jen Easterly called it “surprising and disappointing,” pointing out that the board members behind the Foundation never disclosed their intentions or recused themselves from ongoing governance. “Why wouldn’t board members raise their concerns within the board itself?” she asked, accusing the group of attempting a “stealth takeover”:
While sitting on the governing board of one of the most critical cybersecurity programs in the world, some members were ostensibly working in secret to build a separate organization to assume control of that very program. And they didn’t resign while doing so given the obvious conflict of interest. They didn’t announce it publicly or disclose the effort to their fellow board members.
While the idea of diversifying support for the CVE Program is a debate well worth having, the way this was done raises serious questions. If the CVE Program was truly failing to meet its mission, why wouldn't board members raise their concerns within the board itself? Why not publish a public critique, grounded in data and transparency? Why not advocate for improvements instead of orchestrating what appears to be a stealth takeover?
But supporters of the Foundation pushed back. Tod Beardsley, a CVE Board member and one of the new Foundation’s leaders, defended the effort in a post published days before Easterly’s statement, making clear that he sees the Foundation as a continuation of the board members’ longstanding commitment to vulnerability coordination, not a betrayal of it.

Still, the optics of board members working on an external governance model in parallel with their official roles have drawn sharp criticism, especially as the board’s FAQ page states that some members are not yet ready to share their names. For many in the cybersecurity community, this raises serious questions about accountability, conflicts of interest, and who gets to shape the future of vulnerability disclosure infrastructure.
While the Foundation claims it wants to work collaboratively with CISA and MITRE, Easterly contends that splintering control risks dividing focus, draining resources, and undermining trust. The cybersecurity community, she argues, should rally around meaningful reform through open governance—not side projects developed behind closed doors.
While the CVE Foundation’s emergence stirred controversy, it also reignited a broader conversation: how well is the current system actually working?
Even defenders of the CVE Program acknowledge its shortcomings. Researchers have long criticized delays, inconsistent standards, and a lack of transparency in why some vulnerabilities receive CVE IDs while others don’t. Open source and emerging technologies often fall through the cracks, and the infrastructure has struggled to keep up with the demands of a modern, fast-moving threat landscape.
Yet despite these flaws, CVE remains foundational. As Adam Shostack, who helped create CVE, put it: “The most important part of CVE is not the unique number, but the funding and expertise to run a credible program.” CVE’s value lies in its ability to reliably cross-reference vulnerabilities across databases and tools, an ability that depends on stable infrastructure and trusted coordination.
Easterly argues that while some parts of cybersecurity can be commercialized or supported by a nonprofit, the CVE program is not one of them.
“Vulnerability enumeration, the foundation of shared situational awareness, should be treated as a public good,” she said. “This effort should be funded by the government and governed by independent stakeholders who are a balanced representation of the ecosystem, with government and industry members. CISA leading this effort as a public-private partnership assures the program is operated in service of the public interest.”
Governance Questions Still Loom
The 11-month contract extension buys time, but not much. There is still no long-term governance model, no strategy for sustainable funding, and no clear path forward for managing the sprawling network of 450+ CNAs. Meanwhile, new players such as the EUVD and OWASP’s Global CVE efforts hint at rising pressure for decentralization.
The CVE Foundation argues that diversifying funding will strengthen the program, but critics worry that duplicative efforts will fragment the ecosystem and weaken the very infrastructure defenders rely on.
“Let’s not let 25 years of progress go to waste,” Easterly said. “Let’s fix what’s broken. Let’s do it together. And let’s do it in the open.”