SAN FRANCISCO — The program that underpins the entire global vulnerability-fixing ecosystem is in danger of either collapsing or fading into irrelevance without major changes, according to one of the program’s leaders.
“I don’t think we can afford to continue at the pace [and] with the tools that we currently have in order to make real progress. We’re just gonna be left in the dust,” Katie Noble, a board member for the Common Vulnerabilities and Exposures (CVE) Program, said during a panel at the RSAC 2026 Conference here on Tuesday.
That is a major problem, said Noble, the director of Intel’s Product Security Incident Response Team and its bug bounty program, because “the CVE program is, in my mind, the foundation for how all cybersecurity defense operations are conducted.”
Through a network of affiliated organizations, the CVE Program vets vulnerability reports and assigns each flaw a unique CVE number, which helps researchers, businesses, government agencies and information-sharing groups track the flaws and understand their impact. The program is widely considered a crown jewel of the cybersecurity community. But its fate is uncertain after the nonprofit MITRE Corporation, which runs the program, almost lost crucial federal funding last year.
On top of those logistical woes, the broader CVE ecosystem is also reeling from the dramatic AI-powered increase in the number of vulnerability reports flowing into software vendors and open-source platforms.
At GitHub, the number of reports received over the past 90 days was 224% higher than in the previous 90 days, said Madison Ficorilli, a senior security manager at the company.
“The numbers I’ve seen over the last three months specifically are like nothing I have personally seen before in vulnerability management,” Ficorilli said. She compared the sea change to the advent of fuzzing, an automated software-testing process that also significantly increased researchers’ bug reporting.
In an ecosystem awash with AI-generated reports, Ficorilli said, the quality of those reports has become “a huge, huge concern.”
Noble said the CVE Program needed to adapt to the new technological environment.
“I have deep fear that we are still trying to build a better horse,” she said, “and unfortunately, the community is launching spaceships to Mars.”
If the program doesn’t evolve, she warned, it could lose the collective support that has kept it relevant and useful for almost three decades.
“The CVE program is nothing without the community,” she said. “It’s just a contract. The community has bought into it and agreed to it, and that is a choice.”
Funding anxieties
The near-lapse of Department of Homeland Security funding for MITRE’s CVE Program work in April 2025 deeply alarmed cybersecurity experts, especially Noble and her fellow board members, who felt like they’d been left in the dark.
“We on the CVE board were unaware that there was a problem, because we are not party to anything related to funding or the contract between the U.S. government and MITRE or the deliverables or, in any way, the work that is done,” she said. “We take a little bit of umbrage with this, because, historically, the CVE board has … provided direction to the program and votes on the way forward with the program. And we were informed that that is not the case — we are simply an advisory panel, there to provide advice.”
After an outcry from the cybersecurity community, DHS extended MITRE’s contract at the last minute, and officials at DHS’s Cybersecurity and Infrastructure Security Agency (CISA) said they remained committed to the CVE Program’s vitality.
Noble said she had been told that future annual contract renewals would move more smoothly through CISA without delays and interference from DHS headquarters, a problem that has bedeviled many federal cybersecurity contracts since the beginning of the second Trump administration.
But the broader problem — that the program relies so heavily on U.S. government support — hasn’t been solved, she added, even if no one wants to discuss it anymore.
“I don’t think there's much difference between April [2025] and today,” Noble said. “The contract funding is still solely through the U.S. government.”
Lisa Olson, a principal security release program manager at Microsoft, agreed that the problem had “sort of [been] swept under the rug.”
“The funding is a huge issue,” Noble emphasized. “I don’t think that we can keep up the way that we continue to do business.”
MITRE “has done an exceptional job” running the program, she added, “but they are limited in their capabilities, and they are limited in their bureaucracy, and I think sometimes they are limited in the way the program has been structured.”
Global CVE fragmentation fears
The 2025 funding crisis kick-started a dialogue about reducing the cybersecurity community’s reliance on a U.S. government-funded program. In the year since, both the European Union and a second international coalition have launched new CVE number allocation systems, hoping to provide a backstop for the vulnerability reporting and analysis ecosystem in the event of further U.S. retrenchment.
Those initiatives have prompted anxiety about the fragmentation of CVE activities, but during the RSAC panel, experts said all three programs could work in tandem with the right coordination steps.
“I think it’s a problem that we can solve if we work together,” Microsoft’s Olson said.
Ficorilli noted that there were already other secondary CVE tracking systems, including one run by CISA, that weren’t causing problems. But she added that those secondary systems only worked because they were built on the CVE Program’s foundational structure.
Noble, for all her existential concerns about the CVE Program itself, said she was confident that the cybersecurity community could avoid balkanization as new programs sprang up.
“Balkanization is scary, and I refuse to live in fear,” she said. “We can’t figure out how to translate between multiple different sources of data? Come on. … I think it’s wholly solvable — and probably faster than we think — if we just stop being afraid of it.”