SecurityWeek

CISA: CVE Program to Focus on Vulnerability Data Quality

CISA says it is time for the CVE Program to focus on improving trust, responsiveness, and the caliber of vulnerability data.

The US cybersecurity agency CISA believes that expanded partnerships, government sponsorships, transparency, modernization, and better vulnerability data quality are the next step in advancing the Common Vulnerabilities and Exposures (CVE) Program.

Aimed at identifying, defining, and indexing publicly disclosed security defects, the CVE Program turned 25 last year, when the number of CVE Numbering Authorities (CNAs) surpassed 400, and more than 28,000 new CVE records were produced.

The number of CNAs has grown to over 460 as of 2025, and the CVE Program is now ready to transition to a new phase, following the growth era it went through during the past decade, CISA says.

“As the CVE Program evolves to meet the needs of this global cybersecurity community, it must transition into a new era focused above all on trust, responsiveness, and vulnerability data quality,” CISA notes in a fresh document (PDF) presenting its vision regarding the program’s future.

According to the agency, the CVE Program is one of the most “enduring and trusted cybersecurity public goods” and must maintain its value through “conflict-free and vendor-neutral stewardship, broad multi-sector engagement, transparent processes, and accountable leadership”.

The program, it says, should not be taken private, should promote transparency to downstream users, and should ensure that CVE data remains free and openly accessible.

“This principle underpins coordinated cyber defense, enables innovation in security tooling, and empowers defenders across industry and government worldwide. CVE Program stewardship must reflect this and be managed as a public good with global participation in its governance,” CISA says.

CVE’s future priorities include more diversified and international community partnerships, ongoing investments from government agencies (mainly from CISA), the modernization of CVE infrastructure through automation and other capabilities, and improvements across visibility, responsiveness, and data enrichment.

The agency will also focus on implementing minimum standards for CVE Record quality and on the development of mechanisms to scale enrichment, to achieve better vulnerability data quality and improve the CVE schema.

“With this strategic vision, CISA is reaffirming our leadership role and seizing the opportunity to modernize the CVE Program, solidifying it as the cornerstone of global cybersecurity defense. In collaboration with the global cybersecurity community, CISA is committed to delivering a well-governed, trusted, and responsive CVE Program aimed to enhance the quality of vulnerability data and global cybersecurity resilience,” CISA executive assistant director of cybersecurity Nick Andersen said.

This comes as NIST’s National Vulnerability Database (NVD) is still dealing with a significant and growing backlog of vulnerabilities.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
