Update: Following the CVE Foundation's announcement (below), CISA has said the U.S. government is extending funding to ensure no continuity issues with the critical Common Vulnerabilities and Exposures (CVE) program (via Bleeping Computer). Original story follows.
Apple, along with other tech companies, relies on the Common Vulnerabilities and Exposures (CVE) program to identify and track security flaws in its software. This critical cybersecurity resource now faces an uncertain future, after federal funding was today abruptly cut off.
In response to the crisis, a coalition of longtime CVE Board members announced today the formation of the CVE Foundation, a non-profit organization dedicated to ensuring the continued operation of the vulnerability identification system.
"CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself," said Kent Landfield, an officer of the newly formed Foundation. "Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work—from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats."
The CVE program provides a standardized system for identifying and cataloging security vulnerabilities across all software and hardware, including Apple's macOS, iOS, iPadOS, and other products. When security researchers discover flaws, they're assigned unique CVE identifiers that allow companies like Apple to coordinate patches and updates.
MITRE Corporation, which has managed the program under contract with the U.S. Department of Homeland Security, confirmed that government funding expired on April 16. Reuters reports that the expiry may be linked to the federal government undergoing a radical downsizing driven in part by the Department of Government Efficiency (DOGE). The U.S. Cybersecurity and Infrastructure Security Agency (CISA), which is exposed to the downsizing, stated it is "urgently working to mitigate impact," as the sudden funding gap threatened to disrupt vulnerability management worldwide.
Security experts warned that without CVE, cybersecurity efforts would face "total chaos" as the common language used to communicate about vulnerabilities would effectively disappear. One researcher compared it to "suddenly deleting all dictionaries."
The newly established CVE Foundation aims to transition the program to a dedicated non-profit model that isn't dependent on a single government sponsor. The Foundation's organizers revealed they had been preparing for this possibility for the past year.
"For the international cybersecurity community, this move represents an opportunity to establish governance that reflects the global nature of today's threat landscape," the Foundation stated in its announcement.
The funding cut also affects the related Common Weakness Enumeration (CWE) program, which helps companies like Apple identify potential security issues before they become vulnerabilities.
The CVE Foundation is expected to release more details about its structure and funding plans in the coming days. Apple and other major tech companies will likely play a significant role in supporting it as a critical part of cybersecurity infrastructure.
Note: Due to the political or social nature of the discussion regarding this topic, the discussion thread is located in our Political News forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.
