The European Union is stepping forward to reinforce what many experts describe as a bedrock cyber vulnerability tracking system, as questions linger over the long-term sustainability of the Common Vulnerabilities and Exposures Program. The initiative, widely relied upon by cybersecurity professionals worldwide, has come under renewed scrutiny following a contracting scare involving MITRE, prompting discussions about diversification of support and governance.
The vulnerability cataloging system, first launched in 1999, provides a standardized framework for identifying publicly known cybersecurity flaws. Each vulnerability is assigned to a unique identifier, enabling researchers, vendors, and government officials to communicate about specific issues clearly. Over time, the program has become a foundational reference point in global cybersecurity operations.
ENISA’s Role in Strengthening a Bedrock Cyber Vulnerability System
Speaking at the RSAC Conference in California, Hans de Vries, cybersecurity and operational chief at the European Union Agency for Cybersecurity, highlighted the EU’s intent to support and modernize this bedrock mechanism for addressing cyber vulnerabilities. He noted that the goal is to “build upon” the program’s existing foundation and preserve the “great work that has been done there.”
The renewed focus comes after a tense moment last spring when MITRE warned that federal funding for the Common Vulnerabilities and Exposures Program could abruptly end. Although the issue was resolved within hours following strong backlash from the cybersecurity community, it exposed structural risks tied to reliance on a single U.S. government contract.
In response, EU member states tasked ENISA with exploring ways to strengthen the system. De Vries highlighted the importance of ensuring continuity: “We cannot build on one contract alone, so we have to strengthen it, and make sure that foundation, that basic mechanism, and it’s a huge program, but that mechanism stays, and stays to the core that we want to build on.”
Legislative and Governance Challenges
Concerns about the resilience of the Common Vulnerabilities and Exposures Program are not limited to Europe. In the United States, congressional staff have begun drafting legislation aimed at formalizing the program’s structure and clarifying oversight responsibilities. The effort includes defining a stronger role for the Cybersecurity and Infrastructure Security Agency (CISA).
Moira Bergin, who leads cyber policy work for Democratic members of the House Homeland Security Committee, highlighted a key issue: while CISA is authorized to run the program, it is not explicitly mandated to do so. “That makes it harder for us to hold an agency accountable,” she said, adding that stakeholders lack clear expectations for how the program should operate.
The proposed legislative approach also aims to shield governance from political fluctuations. Bergin explained that draft provisions seek to “inoculate the [CVE] board membership from political cycles,” reducing the risk of instability in managing this bedrock cyber vulnerability framework.
AI, Speed, and the Evolution of Vulnerability Tracking
The discussion around strengthening this bedrock cyber vulnerability system also reflects broader changes in the threat landscape. Industry experts recognize that artificial intelligence is accelerating the speed and scale of cyberattacks.
Bob Lord, a former CISA official involved in the Secure by Design initiative, pointed out that some still assume CVE records are primarily for human interpretation. However, modern threats demand machine-readable, high-quality data from the outset.
Under the current model, vulnerability records are created when flaws are first disclosed, with additional “enrichment” added later, such as severity ratings and exploitability details. But experts argue that delays in completing records can leave defenders exposed in an era of machine-speed attacks.
“Today, we’re going to really need to talk a lot more about record quality at the time of issuance, not enrichment later, but at the time of issuance,” Lord said.
Continued Support from MITRE and CISA
Despite earlier concerns, U.S. authorities have taken steps to stabilize the program. A spokesperson for CISA confirmed that a “broad internal contracting review caused a brief renewal delay in April 2025, but operations continued without disruption,” and MITRE remains the operator of the Common Vulnerabilities and Exposures Program.
The Department of Homeland Security and CISA have since implemented measures to ensure continuity, maintain global vulnerability tracking, and expand usage. A spokesperson for MITRE reiterated the organization’s commitment, describing the program as a “critical global resource.”
