CISA weighs ‘alternative funding sources’ to preserve cyber vulnerability-tracking project
The Cybersecurity and Infrastructure Security Agency is exploring more diversified funding mechanisms to help cover the cost of a bedrock vulnerability cataloging program that’s been relied upon by the cyber community for years.
The Common Vulnerabilities and Exposures Program faced a near-complete lapse in funding in April when MITRE, the research giant that funds much of the program’s functions, warned of an imminent end to federal backing for the cornerstone cybersecurity project. The lapse was reversed within hours after outcry from the cybersecurity community.
The CVE Program provides a standardized system for identifying and cataloging publicly known cybersecurity vulnerabilities. Each software flaw is assigned a unique identifier, designed to help security researchers, vendors and officials more effectively communicate about the same issue.
“As a critical public good, the CVE Program’s infrastructure and core services require ongoing investment from CISA,” the cyber defense agency said in a Wednesday paper outlining strategies for the future of the project. “Many in the community have requested that CISA consider alternative funding sources. As CISA evaluates potential mechanisms for diversified funding, we will update the community.”
The agency is also looking at ways to expand on community partnerships and improve data quality standards for vulnerability information shared with the private sector and overseas governments, it said.
In August, CISA officials committed to supporting the program, which was first launched in 1999. Security agencies like CISA regularly issue alerts using CVE-standardized language.