The Common Vulnerabilities and Exposures (CVE) Program is at a crossroads. Since 1999, it has served as the canonical index of software vulnerability identifiers, a critical function in a world that increasingly relies on software to power every aspect of modern life. Its success over the last quarter century is a testament to the vision of its founders and the dedication of the volunteers who have helped it grow into a core element of global software security.
However, recent funding and contracting issues have laid bare fundamental challenges with the program. Without adaptation, the vulnerability identification landscape will fragment. A quarter-century’s progress driving towards a common lexicon will be undone. Cyber defenders will suffer as the task of deciphering what vulnerability an alert refers to falls on their shoulders. And software makers will lose a vital source of data about the prevalence of software defects, important information to drive progress in security-by-design.
To prevent fragmentation, the CVE Program must evolve. It needs a broader base of funding from governments, philanthropies, and industry. And it needs a new governance structure with representation from non-U.S. governments and voices from across the entire community of CVE Record producers and users.
This paper provides recommendations for global policymakers on how to reimagine the CVE Program for the next 25 years. At its core, it provides a policy framework that separates the creation and cataloging of universal vulnerability identifiers from other vulnerability management functions that rely on those identifiers. In particular, the paper calls for:
- Global Vulnerability Catalog (GVC): The GVC, a multistakeholder successor to the CVE Program, would “provide unique identifiers for and maintain and provide access to a catalog of actionable cybersecurity vulnerabilities.” The existing CVE Record schema should be the starting point for GVC entries, and the catalog should preserve all existing data and identifiers that power global vulnerability management.
- National (or Regional) Vulnerability Management Programs: These programs would handle other key functions related to software vulnerabilities—beyond assigning identifiers—for both software producers and users. Using the Global Vulnerability Catalog unique identifiers and authoritative records, governments would then develop national or regional services tailored to their specific needs that build on this shared foundation. In practice, databases like the European Union Vulnerability Database are already structured this way, as they are based on CVE IDs.
The remainder of the paper focuses on the steps needed to create the GVC. Critically, policymakers must create a governance structure for the GVC that is more inclusive and transparent than that of the existing CVE Program.
As the sole funder of the CVE Program for its entire existence, the U.S. government is to be commended for its contributions to global cybersecurity. However, because the catalog is a global public good, other countries must step up to support the GVC through funding and operational support. The paper provides concrete courses of action for global policymakers, led by the U.S. government, to create and sustain the GVC.
- The White House Office of the National Cyber Director should, in partnership with CISA, engage in dialogue with their international counterparts, as well as members of civil society and industry, about the development of a Global Vulnerability Catalog. These talks should be informed by Track 1.5 dialogues, supported by senior political leadership in participating governments, and focused on governance of the new catalog.
- The United States Congress should provide strategic direction to these efforts including by prioritizing funding certainty, committing to a multistakeholder successor to the CVE Program while invigorating a U.S. national vulnerability management program, and conducting hearings on the topic.
To enable these efforts, and in light of a lack of transparency about fundamental elements of the CVE Program, such as its annual operating budget or the status of its intellectual property, CISA should consider proactively making additional information about the CVE Program public.
To succeed, the GVC must also leverage the community of contributors who have helped to build the CVE ecosystem—especially the dedicated board members, many of whom have devoted thousands of hours to making cyberspace safer—to help guide the program’s future. Policymakers should also lay out a clear set of milestones for the GVC, including objectives related to:
- Data quality. The GVC should focus on completeness, accuracy, and timeliness of CVE Records, enforced by strongly typed, machine-readable fields that adhere to a specified format and reject non-compliant inputs.
- Modernization of the technical infrastructure that underpins the program. Access to the database should be aligned with current technology standards and best practices, including cloud-native reliability, uptime guarantees, disaster recovery, and modern identity and access management.
- A focus on customer use. The GVC should prioritize approaches that support defenders in securing their systems today and that help software developers eliminate recurring classes of coding errors in the future.
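The data-quality objective above (strongly typed, machine-readable fields that adhere to a specified format and reject non-compliant inputs) is easiest to see in code. The validator below is an added illustration, not code from this paper or from the CVE Program. It validates a simplified, constructed record shape (`id`, `published`, `description`, `affected`) rather than the actual CVE Record JSON schema; the sample records, the vendor and product names, and the identifier `CVE-2099-0001` are constructed placeholders. It checks the well-known `CVE-YYYY-NNNN` identifier format, requires timezone-aware timestamps, rejects unknown fields, and reports every problem at once so a submitter can fix them in a single round trip.

```python
import re
from datetime import datetime, timezone
from typing import Any

# Constructed, simplified record shape (assumption for this example): a small
# subset of what a catalog entry needs, not the CVE Program's actual schema.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
ALLOWED_TOP_LEVEL = {"id", "published", "description", "affected"}
ALLOWED_STATUS = {"affected", "unaffected", "unknown"}


class RecordValidationError(ValueError):
    """Carries every problem found so the submitter can fix them all at once."""

    def __init__(self, problems: list[str]) -> None:
        super().__init__("; ".join(problems))
        self.problems = problems


def _parse_timestamp(value: str) -> datetime:
    """Accept RFC 3339 with an explicit offset or trailing 'Z'; reject naive times."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("timestamp lacks a timezone offset")
    return ts.astimezone(timezone.utc)


def validate_record(record: dict[str, Any]) -> dict[str, Any]:
    """Return a normalized copy of a compliant record, or raise RecordValidationError."""
    problems: list[str] = []

    # Strict schema: no extra fields, and every required field present.
    unknown = set(record) - ALLOWED_TOP_LEVEL
    if unknown:
        problems.append(f"unknown fields: {sorted(unknown)}")
    missing = [name for name in sorted(ALLOWED_TOP_LEVEL) if name not in record]
    if missing:
        raise RecordValidationError(problems + [f"missing fields: {missing}"])

    if not isinstance(record["id"], str) or not CVE_ID_RE.match(record["id"]):
        problems.append("id must match CVE-YYYY-NNNN (four or more digits)")

    published = None
    try:
        published = _parse_timestamp(record["published"])
    except (TypeError, ValueError, AttributeError) as exc:
        problems.append(f"published: {exc}")

    if not isinstance(record["description"], str) or not record["description"].strip():
        problems.append("description must be a non-empty string")

    affected = record["affected"]
    if not isinstance(affected, list) or not affected:
        problems.append("affected must be a non-empty list")
    else:
        for i, entry in enumerate(affected):
            if not isinstance(entry, dict):
                problems.append(f"affected[{i}] must be an object")
                continue
            for key in ("vendor", "product"):
                if not isinstance(entry.get(key), str) or not entry[key].strip():
                    problems.append(f"affected[{i}].{key} must be a non-empty string")
            versions = entry.get("versions")
            if not isinstance(versions, list) or not versions:
                problems.append(f"affected[{i}].versions must be a non-empty list")
                continue
            for j, v in enumerate(versions):
                if not isinstance(v, dict) or not isinstance(v.get("version"), str):
                    problems.append(f"affected[{i}].versions[{j}].version must be a string")
                if not isinstance(v, dict) or v.get("status") not in ALLOWED_STATUS:
                    problems.append(f"affected[{i}].versions[{j}].status must be one of {sorted(ALLOWED_STATUS)}")

    if problems:
        raise RecordValidationError(problems)

    # Normalized output: timestamps are always emitted as UTC with a 'Z' suffix.
    return {
        "id": record["id"],
        "published": published.isoformat().replace("+00:00", "Z"),
        "description": record["description"].strip(),
        "affected": affected,
    }


# Constructed sample records; CVE-2099-0001 is a placeholder, not a real CVE.
GOOD_RECORD = {
    "id": "CVE-2099-0001",
    "published": "2024-05-01T12:00:00Z",
    "description": "Example out-of-bounds read in a widget parser (constructed).",
    "affected": [{"vendor": "ExampleCorp", "product": "Widget",
                  "versions": [{"version": "1.0", "status": "affected"},
                               {"version": "1.1", "status": "unaffected"}]}],
}
BAD_RECORD = {
    "id": "CVE-24-1",                      # wrong identifier shape
    "published": "2024-05-01T12:00:00",    # no timezone offset
    "description": "   ",                  # blank
    "affected": [{"vendor": "", "product": "Widget",
                  "versions": [{"version": 1.0, "status": "vulnerable"}]}],
    "cvss": 9.8,                           # field not in the schema
}


def check_samples() -> dict[str, Any]:
    """Run both samples; return the normalized good record and the bad one's problems."""
    good = validate_record(GOOD_RECORD)
    try:
        validate_record(BAD_RECORD)
        bad: list[str] = []
    except RecordValidationError as exc:
        bad = exc.problems
    return {"good": good, "bad_problems": bad}


if __name__ == "__main__":
    result = check_samples()
    print("accepted:", result["good"]["id"], result["good"]["published"])
    print("rejected with", len(result["bad_problems"]), "problems:")
    for p in result["bad_problems"]:
        print("  -", p)
```

The design choice worth noting is that the validator never silently coerces: a timestamp without an offset is rejected rather than assumed to be UTC, and an unrecognized field is an error rather than something to pass through. That is what makes the resulting records safe to consume by machine, which is the property the data-quality objective is after.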
At present, the CVE Program remains the most powerful tool available for tracking and measuring software security defects at scale. As it evolves into a Global Vulnerability Catalog, it must retain its status as a globally recognized and trusted reference point. This paper provides an updated governance and funding framework that reflects its role as a shared public good relied upon by stakeholders worldwide and ensures its continued success.