Most technology users rarely have to think about security vulnerabilities on the devices they use most, such as Android-based products, as long as they install security patches promptly when they become available. Behind that security, however, sits a complex government-supported program, and it came close to shutting down today.
After nearly 24 hours of uncertainty, the U.S. Cybersecurity and Infrastructure Agency (CISA) confirmed that it would continue funding the Common Vulnerabilities and Exposures (CVE) program on the day its previous contract was due to expire. Today, on April 16, a CISA spokesperson informed The Verge that the agency had “executed the option period on the contract to ensure there will be no lapse in critical CVE services.”
It was a close call that could have led to a major tech security crisis.
The CVE program plays a crucial role in identifying and monitoring security issues publicly, from the moment a potential problem is discovered until a fix is issued. It has nearly 500 partners, including security researchers, open-source developers, and major companies like Google, Microsoft, and Apple.
You may have come across a CVE code in an article or in update release notes, such as those found on Android Central or in the Android Security Bulletin. These codes, like CVE-2024-53104, are universal identifiers for tracking security flaws across devices, platforms, and companies: they start with “CVE”, followed by the year and a sequence number.
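Because the same identifier is quoted in advisories, bulletins and tooling from many vendors, a common first step is to pull every CVE ID out of a block of release-note text and normalize it so that two references can be compared. The following is an added example, not code from the article or from the CVE program; the release-note text it scans is constructed, and the syntax check follows the published CVE ID format (a four-digit year and a sequence number of four or more digits).

```python
import re

# CVE ID syntax: "CVE-" + four-digit year + sequence number of four or more digits.
# Since 2014 the sequence number may exceed four digits, e.g. CVE-2024-53104.
CVE_PATTERN = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# The program started in 1999, so any earlier year cannot be a real CVE ID.
FIRST_CVE_YEAR = 1999


def parse_cve_id(token):
    """Validate one CVE ID and return its normalized form, or None if it is malformed."""
    m = CVE_PATTERN.fullmatch(token.strip())
    if not m or int(m.group(1)) < FIRST_CVE_YEAR:
        return None
    # Upper-case the prefix but keep the sequence digits exactly as written:
    # leading zeros are significant (CVE-2024-0001 is not CVE-2024-1).
    return f"CVE-{m.group(1)}-{m.group(2)}"


def extract_cve_ids(text):
    """Return the distinct, normalized CVE IDs found in free text, in first-seen order."""
    found = []
    for m in CVE_PATTERN.finditer(text):
        cve = parse_cve_id(m.group(0))
        if cve is not None and cve not in found:
            found.append(cve)
    return found


# Constructed release notes for demonstration; not taken from a real bulletin.
SAMPLE_NOTES = """
- Fixed a USB Video Class driver issue tracked as CVE-2024-53104 (critical).
- Patched cve-2024-53104 again in the kernel branch; also addresses CVE-2025-0001.
- Look-alikes that must be ignored: CVE-1998-0042 (pre-1999) and CVE-2024-12 (too short).
"""

if __name__ == "__main__":
    for cve in extract_cve_ids(SAMPLE_NOTES):
        print(cve)
```

The mixed-case duplicate collapses to a single ID, which is the property that lets tools from different vendors agree they are talking about the same vulnerability.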
The CVE program has been in operation for 25 years, starting in 1999. It is a vital tool for the security community, enabling researchers, developers, companies, and the public to collaborate in identifying and addressing critical vulnerabilities. It also indicates whether a vulnerability is being actively exploited by malicious actors.
Prominent security researchers, such as Lukasz Olejnik on X (formerly Twitter), have emphasized the potential consequences of the CVE program shutting down.
“The consequence will be a breakdown in coordination between vendors, analysts, and defense systems — no one will be certain they are referring to the same vulnerability,” wrote Olejnik, a scholar with advanced degrees in computer science and information technology law with specializations in privacy. “Total chaos, and a sudden weakening of cybersecurity across the board.”
The crisis has been avoided… for now?
Fortunately, it seems that the crisis has been averted, as the federal government will continue to fund the CVE program in the near future. However, the fact that this decision came down to the wire amid broader federal funding cuts under the Trump administration leaves the CVE program in a more precarious position than ever in its 25-year history.
“The CVE Program is invaluable to the cyber community and a priority of CISA,” the spokesperson stated to The Verge. “We appreciate our partners’ and stakeholders’ patience.”
However, the last-minute approval did not come soon enough to stop the security community from preparing to sustain the CVE program even without federal funding. CVE board members established the CVE Foundation, a non-profit organization that had been planned in secret over the past year to ensure the continuation of the CVE mission.
“CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” stated Kent Landfield, an officer of the CVE Foundation, in a press release. “Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work, from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats.”
The foundation is concerned that having a single government sponsor could create “a single point of failure in the vulnerability management ecosystem.”