Navigating the CVE Transition: Insights on GCVE, CVE Foundation, and Beyond

Advisory: Navigating the CVE Transition

The Common Vulnerabilities and Exposures (CVE) program, managed by MITRE since 1999, has been a cornerstone of global cybersecurity, providing standardized identifiers for vulnerabilities (e.g., CVE-2024-43573). However, the program faced a critical challenge when its funding from the U.S. Department of Homeland Security (DHS) was set to expire on April 16, 2025. A last-minute 30-day extension by the Cybersecurity and Infrastructure Security Agency (CISA) has ensured temporary continuity, but the long-term future remains uncertain.

In response, two significant initiatives have emerged: the CVE Foundation, a non-profit launched to sustain CVE operations, and the Global CVE Allocation System (GCVE), a decentralized platform introduced by the European Union.

This advisory gives an overview of these developments, explores potential alternative platforms, and examines whether other groups are seeking to acquire CVE functions from MITRE, to give organizations clarity during this transition.

Current Status of MITRE’s CVE Program

The CVE program, sponsored by DHS and CISA, relies on MITRE as the Editor and Primary CVE Numbering Authority (CNA), coordinating a network of CNAs to assign CVE identifiers. On April 15, 2025, MITRE announced that its contract would not be renewed, raising alarms about potential disruptions, including deterioration of national vulnerability databases, slowed vendor responses, and impacts on incident response operations. A statement from CISA, reported by Forbes (CVE Funding Extension), confirmed that an option period was executed to extend funding for at least 30 days, ensuring no immediate lapse in services. However, the lack of a long-term funding commitment, linked to cost-cutting efforts by the Trump administration, underscores ongoing uncertainty.

The CVE Foundation: A New Chapter for CVE

Launched on April 16, 2025, in Bremerton, Washington, the CVE Foundation is a non-profit organization established to ensure the CVE program’s long-term viability, stability, and independence (CVE Foundation Overview). Triggered by MITRE’s funding expiration, the foundation aims to eliminate reliance on government funding and foster global collaboration. Kent Landfield, an officer, emphasized, “CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” highlighting the need for a sustainable model.

The foundation’s goals include maintaining data integrity, ensuring high-quality vulnerability identification, and preventing CVE from becoming a single point of failure. It plans to release details on its structure, transition planning, and community involvement in the coming days, as noted in its announcement. This positions the CVE Foundation as the primary successor to MITRE’s role, focusing on continuity and independence.

GCVE: A Decentralized Approach

Announced on April 16, 2025, by the European Union, the Global CVE Allocation System (GCVE) introduces a decentralized model for vulnerability identification and numbering (GCVE Announcement). Unlike the centralized CVE system, GCVE empowers independent GCVE Numbering Authorities (GNAs) to assign identifiers, enhancing flexibility, scalability, and autonomy. The platform is designed to complement the existing CVE program, with all standard CVEs mapped under a reserved “GNA ID 0” for compatibility.

Key Features of GCVE

  • Identifier Format: GCVE-<GNA ID>-<YEAR>-<UNIQUE ID> (e.g., GCVE-1-2025-00001 for a 2025 vulnerability by GNA ID 1, CIRCL).

  • GNA Autonomy: GNAs can allocate identifiers at their own pace, define internal policies, and operate independently of centralized control.

  • Benefits: Removes central bottlenecks, offers policy flexibility, and improves scalability.

  • Registry: Available at the GCVE Website, it lists GNAs and their allocation states and provides public lookup and API support.
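
Tooling that stores or joins on vulnerability identifiers has to accept both spellings. The following is an added example, not code from GCVE or the CVE program: it parses the two formats shown above and normalizes standard CVEs to the reserved GNA ID 0 so that CVE-2024-43573 and GCVE-0-2024-43573 resolve to one record. The function names and the digit-count limits are assumptions made for illustration.

```python
import re

# Formats as given on this page; re.ASCII keeps \d to 0-9 only.
# Assumption: CVE sequence numbers are 4+ digits, GCVE unique IDs 1+ digits.
_CVE = re.compile(r"CVE-(\d{4})-(\d{4,})", re.IGNORECASE | re.ASCII)
_GCVE = re.compile(r"GCVE-(\d+)-(\d{4})-(\d+)", re.IGNORECASE | re.ASCII)
CVE_GNA_ID = 0  # reserved GNA ID under which standard CVEs are mapped


def parse_vuln_id(raw):
    """Return (gna_id, year, unique_id); raise ValueError on anything else."""
    text = raw.strip()
    m = _CVE.fullmatch(text)
    if m:
        return CVE_GNA_ID, int(m.group(1)), m.group(2)
    m = _GCVE.fullmatch(text)
    if m:
        return int(m.group(1)), int(m.group(2)), m.group(3)
    raise ValueError(f"not a CVE or GCVE identifier: {raw!r}")


def canonical(raw):
    """Normalize either spelling to one GCVE-form key for storage and joins."""
    gna, year, uid = parse_vuln_id(raw)
    return f"GCVE-{gna}-{year}-{uid}"


def merge_feeds(ids):
    """Group identifiers from mixed feeds by canonical key; collect rejects."""
    merged, rejected = {}, []
    for raw in ids:
        try:
            merged.setdefault(canonical(raw), []).append(raw.strip())
        except ValueError:
            rejected.append(raw)
    return merged, rejected


# Constructed sample input (not real scanner output).
SAMPLE = ["CVE-2024-43573", "gcve-0-2024-43573", "GCVE-1-2025-00001",
          "CVE-2024-435x3", "GCVE-2025-00001"]

if __name__ == "__main__":
    merged, rejected = merge_feeds(SAMPLE)
    for key, seen in merged.items():
        print(key, "<-", seen)
    print("rejected:", rejected)
```

Rejected strings are returned rather than dropped so that a malformed identifier from one feed is visible for review instead of silently missing from the inventory.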

Organizations can become GNAs by meeting criteria, such as being an existing CNA or a registered CSIRT/CERT, and applying via email to [email protected] with a JSON directory format (GCVE About). The timing of GCVE’s launch suggests it may address potential disruptions in the CVE program, though its adoption and integration remain uncertain.

Other Platforms and Alternatives

No major new platforms have been confirmed to replace the CVE program. Existing systems, such as the National Vulnerability Database (NVD) maintained by NIST, rely on CVE data and are not direct replacements. However, some CNAs are taking proactive steps:

  • VulnCheck: This CNA has reserved 1,000 CVEs for 2025 to mitigate potential gaps, as reported by CSO Online (VulnCheck Reserves CVEs). This suggests a distributed effort to maintain functionality.

Other vulnerability databases, such as cvedetails.com, are resources rather than replacements. The evidence leans toward GCVE and the CVE Foundation as the primary initiatives addressing the CVE transition.

Groups Seeking to Acquire CVE from MITRE

The CVE Foundation is the only entity explicitly established to take over CVE operations, with no public announcements of other organizations or consortia bidding for MITRE’s role. Forbes speculated that funding might shift to “big players in global cybersecurity or a consortium,” but no specific groups were named. The absence of reported bidders suggests the CVE Foundation is the leading candidate, supported by its immediate launch and clear mission to sustain CVE.

Implications for Organizations

The transition in vulnerability management has significant implications for organizations:

  • Tool and Process Updates: Organizations may need to adapt tools to support GCVE’s identifier format or align with the CVE Foundation’s processes.

  • Potential Fragmentation: GCVE’s decentralized model could lead to inconsistencies, while the CVE Foundation aims for uniformity.

  • Adoption Challenges: The success of either platform depends on widespread adoption, which may face resistance due to change or lack of awareness.

Recommended Actions

  • Monitor Developments: Track updates from the CVE Foundation (CVE Foundation) and GCVE (GCVE Website) to understand transition timelines and requirements.

  • Assess Impact: Evaluate how changes may affect vulnerability management practices and prepare for tool or process updates.

  • Explore Participation: Consider applying to become a GNA for GCVE or engaging with the CVE Foundation to influence future standards.

  • Stay Engaged: Participate in industry forums to share insights and stay informed about community responses.

Comparison of Key Platforms

| Platform | Type | Governance | Key Feature | Status as of April 16, 2025 |
|---|---|---|---|---|
| MITRE’s CVE Program | Centralized, Federated | Government-funded | Standardized vulnerability identifiers | Extended temporarily, future uncertain |
| CVE Foundation | Non-profit | Independent | Ensures long-term viability, global collaboration | Launched today, transition in progress |
| GCVE | Decentralized | Multi-stakeholder | Independent GNAs for vulnerability allocation | Announced today, adoption unclear |

Conclusion

The CVE program’s funding uncertainty has prompted significant developments in vulnerability management. The CVE Foundation offers a stable, independent future for CVE, while GCVE introduces a decentralized alternative that could reshape the landscape. With no other major platforms or bidders confirmed, organizations must focus on understanding these initiatives, updating their practices, and engaging with the community to ensure resilience. By staying proactive, businesses can navigate this transition and maintain robust cybersecurity defenses.
