
CVE Program Stability

  • January 29, 2026


The 2024 funding crisis exposed a fundamental truth: we've built critical infrastructure without critical infrastructure protection.

CVE IDs are now the universal language of vulnerability management. Every major vendor uses them. Every scanner depends on them. Compliance frameworks like PCI-DSS, HIPAA and SOC 2 mandate them. Procurement requirements reference them. They're embedded in automated security tooling across every sector.

Yet this entire system runs on year-to-year government contracts.

When MITRE's funding faced renewal uncertainty, the global vulnerability identification system nearly collapsed. Not because the program was flawed, but because we treat essential internet infrastructure like a discretionary line item.

The market must understand: CVE operates without statutory protection, dedicated long-term appropriations or formal governance that could survive agency reorganizations or budget cuts. We've created a single point of failure for global cybersecurity and funded it like a pilot program.

This isn't sustainable. We don't run DNS root servers or certificate authorities on annual contracts that might lapse during budget battles. CVE deserves the same treatment.

Current Brittleness: Where the System Breaks

The ecosystem is most fragile at enrichment and contextualization. When NIST's NVD fell months behind in 2024, the impact was immediate and cascading. Vulnerability scanners couldn't prioritize findings without CVSS scores. Patch management systems couldn't map CVEs to affected software without CPE data. Security teams lost the severity context needed for risk-based decisions. The raw CVE IDs existed, but defenders couldn't use them effectively.

If CVE availability disappeared completely, here's what breaks:

Vulnerability scanners (Qualys, Rapid7, Tenable) become useless. They depend on CVE-to-CPE mappings to match scan results against affected software versions. Without CVEs, you get configuration checks with zero vulnerability context.

Patch management systems lose their ability to prioritize. WSUS, SCCM and third-party tools use CVE IDs to correlate vendor patches with known vulnerabilities. No CVE data means you can't distinguish critical patches from cosmetic fixes.

SIEM platforms lose threat intelligence anchoring. Securonix detection policies, for example, reference CVE-2025-61882, CVE-2025-31324 and CVE-2025-5777. Without the CVE program, these detections become orphaned indicators with no standardized vulnerability reference.

Threat intelligence feeds collapse. CISA's KEV catalog, vendor advisories and threat reports all pivot on CVE as the common identifier. Remove it and we lose the ability to share actionable vulnerability information across organizational boundaries.

Compliance evidence becomes subjective. PCI-DSS 4.0 explicitly requires identifying vulnerabilities "as identified through vulnerability scans and security advisories." Without CVE IDs, compliance becomes non-portable across auditors and enforcement becomes arbitrary.

The timeliness problem is equally damaging. When CVE assignments lag weeks or months behind disclosures, defenders operate blind. Exploits circulate but scanning tools can't detect vulnerable software because no standardized identifier exists yet. This happened repeatedly in 2024 when critical zero-days received CVE IDs only after active exploitation was widespread.

We're essentially fighting with delayed intelligence in a real-time war.

What a Sustainable Model Actually Looks Like

We need to move CVE from a government program to a governed commons with statutory protection and diversified funding. Here's the framework:

Governance Structure

Establish CVE as a multi-stakeholder nonprofit similar to ICANN or the Internet Security Research Group (Let's Encrypt's parent). Board representation should include government (CISA, NIST), industry (major CNAs like Microsoft, Google, Red Hat), security vendors who depend on CVE data, academic researchers and civil society. This prevents single-agency decisions from destabilizing the system during transitions or shutdowns.

Funding That Actually Works

Core Federal Appropriation: Congress needs to establish a dedicated, no-year appropriation similar to the Technology Modernization Fund. This survives annual budget battles and continuing resolutions. Target baseline: $15-20M annually for operations.

Industry Contribution Tiers: Companies that profit from CVE data (security vendors, cloud providers, vulnerability brokers) should contribute based on revenue and usage. Structure this like W3C membership dues with transparent tiers tied to governance participation.

Transaction Fees for Commercial Use: Charge nominal fees for bulk API access or commercial redistribution. Keep individual lookup free. This creates sustainable revenue without paywalling defenders.

Service Level Commitments

Move beyond "best effort" to contractual SLAs. CVE assignment should happen within 48 hours for critical vulnerabilities and within 7 days for others. NVD enrichment should complete within 72 hours for CVSS scoring. CISA's recent shift toward community-driven enrichment is a start, but it needs formal structure, quality controls and fallback mechanisms for when CNA capacity gets overwhelmed.

Technical Resilience

Implement federated CVE assignment with regional mirrors and distributed databases. As with DNS infrastructure, the CVE database should replicate across multiple independent operators with cryptographic integrity guarantees, so that a government shutdown, a funding lapse or a single-point failure cannot take down the entire system.
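The integrity property that paragraph asks for can be made concrete. The following is an added illustration, not code from the original post or from the CVE program itself: each mirror serves a copy of the record log, every record is hashed from a canonical encoding, the log is hash-chained into a single root, and a client only trusts a mirror whose root matches the root a majority of independent operators publish. The record fields, mirror names and CVE IDs (CVE-2099-000x) are constructed placeholders; a production design would additionally have each assigning CNA sign its records so that even a majority of colluding mirrors could not alter content, which this stdlib-only example stands in for with cross-operator agreement.

```python
import hashlib
import json
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample records with placeholder IDs (not real CVE entries).
SAMPLE_RECORDS: List[dict] = [
    {"cve_id": "CVE-2099-0001", "cna": "example-cna", "published": "2026-01-10",
     "summary": "Buffer overflow in widget parser"},
    {"cve_id": "CVE-2099-0002", "cna": "example-cna", "published": "2026-01-11",
     "summary": "Auth bypass in admin console"},
    {"cve_id": "CVE-2099-0003", "cna": "other-cna", "published": "2026-01-12",
     "summary": "SSRF in webhook handler"},
]


def canonical(record: dict) -> bytes:
    """Deterministic JSON encoding so every operator hashes identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode()


def record_digest(record: dict) -> str:
    """SHA-256 of the canonical record; changes if any field is altered."""
    return hashlib.sha256(canonical(record)).hexdigest()


def chain_root(records: List[dict]) -> str:
    """Hash-chain records in publication order; the last value is the log root."""
    h = hashlib.sha256(b"cve-log-genesis").hexdigest()
    for rec in records:
        h = hashlib.sha256(bytes.fromhex(h) + bytes.fromhex(record_digest(rec))).hexdigest()
    return h


def quorum_root(published_roots: Dict[str, str]) -> Optional[str]:
    """Root that a strict majority of independent operators agree on, else None."""
    if not published_roots:
        return None
    root, votes = Counter(published_roots.values()).most_common(1)[0]
    return root if votes * 2 > len(published_roots) else None


def audit_mirrors(mirrors: Dict[str, List[dict]]) -> Dict[str, str]:
    """Classify each mirror as 'ok', 'diverged' or 'no-quorum' against the majority root."""
    roots = {name: chain_root(recs) for name, recs in mirrors.items()}
    agreed = quorum_root(roots)
    if agreed is None:
        return {name: "no-quorum" for name in mirrors}
    return {name: ("ok" if root == agreed else "diverged") for name, root in roots.items()}


def lookup(cve_id: str, mirrors: Dict[str, List[dict]]) -> Optional[dict]:
    """Serve a record only from a mirror whose full log matches the quorum root."""
    status = audit_mirrors(mirrors)
    for name, recs in mirrors.items():
        if status[name] != "ok":
            continue
        for rec in recs:
            if rec["cve_id"] == cve_id:
                return rec
    return None


def build_sample_mirrors() -> Dict[str, List[dict]]:
    """Two honest replicas and one whose copy of a record was silently altered."""
    tampered = [dict(r) for r in SAMPLE_RECORDS]
    tampered[1]["summary"] = "Minor logging issue in admin console"  # downgraded description
    return {
        "mirror-eu": [dict(r) for r in SAMPLE_RECORDS],
        "mirror-us": [dict(r) for r in SAMPLE_RECORDS],
        "mirror-bad": tampered,
    }


if __name__ == "__main__":
    sample = build_sample_mirrors()
    for mirror, state in audit_mirrors(sample).items():
        print(f"{mirror}: {state}")
    print(lookup("CVE-2099-0002", sample))
```

Because the root covers the whole log, a mirror that alters, drops or reorders even one record is flagged as diverged and excluded from serving lookups, while the two honest replicas keep answering. With only two operators there is no strict majority and the client reports no-quorum rather than guessing, which is the intended failure mode for a system that must survive any single operator going dark.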

Legislative Protection

Pass legislation designating CVE infrastructure as critical. Require that any federal agency operating CVE services maintain continuity during appropriations gaps, similar to essential services like air traffic control. This prevents the annual fire drill where defenders wonder if vulnerability identification will survive the next budget fight.

The Bottom Line

The 2024 crisis was a warning shot. Without structural changes, this happens again. And next time it might coincide with a wormable RCE actively spreading through enterprise networks that can't prioritize patches because the CVE ecosystem collapsed.

We cannot defend our way through a vulnerability management crisis caused by governance failure. The infrastructure exists. The expertise exists. What's missing is the commitment to treat CVE like the critical infrastructure it has become.

The hard truth: we're one budget impasse away from losing the common language that makes coordinated vulnerability response possible. It's time to stop pretending annual contracts are sufficient for infrastructure the entire internet depends on.

2025 Update: The Warning Shot Became Reality

The vulnerabilities we outlined became concrete in 2025. MITRE's DHS contract for the CVE program was set to expire on April 16. CISA exercised a last-minute 11-month extension the night before it lapsed, preventing a shutdown but only pushing the problem to roughly March 2026. The entire global vulnerability identification system came within hours of collapse because of a single contract renewal decision.

Meanwhile, CISA itself faced systematic dismantling. The FY2026 budget proposal cut about 1,000 positions (roughly a third of the workforce) plus several hundred million dollars in operating budget. At least 130 positions were eliminated early in 2025, with additional layoffs and reassignments throughout the year. Then a six-week federal shutdown from October 1 to November 12, 2025, furloughed most of CISA's staff, leaving only 889 out of 2,540 employees operational. By late November, CISA was operating with a one-third overall staff reduction and nearly 40% vacancy rates in key mission areas.

The practical impact hit immediately. Fewer public resources. Reduced outreach programs. Less capacity for threat guidance and KEV catalog maintenance. The ATT&CK-aligned ecosystem we described didn't collapse, but it's now running on a skeleton crew during the most complex threat environment we've faced.

This proves the point: we cannot treat critical cyber infrastructure like discretionary programs subject to annual budget fights and extended shutdowns. The 2025 cycle (contract crisis in April, workforce cuts throughout the year, six-week shutdown in fall) demonstrated that without structural governance reform and permanent funding mechanisms, we will face this again. Let's make a plan and be prepared so this won't happen again!


TLDR:

CVE program and CISA budgets: the actual funding figures

The CVE program receives approximately $29 million annually from CISA under a sole-source contract to MITRE Corporation, a figure that became publicly known only during the April 2025 funding crisis. This represents roughly 1% of CISA's total operating budget, which ranges from $2.6 to $2.9 billion depending on fiscal year. Notably, CVE program funding has never been disclosed as a separate line item in official government budgets—it surfaces only through federal contract databases and crisis-driven reporting.

The $29 million CVE contract: what federal records show

Federal contract data from USAspending.gov reveals the CISA-MITRE contract value for CVE and CWE program operations at $28,967,283 (approximately $29 million) for the contract period April 2024 to April 2025. This sole-source contract was awarded to MITRE Corporation because the government determined CVE database curation is "critical for industrial mobilization or is essential R&D work."

Multiple authoritative sources confirm this figure. SecurityWeek reported that MITRE "received around $29 million from CISA for the project over the course of its last contract, renewed in April 2023." The Register documented that "MITRE has received roughly $30 million since 2023 from Homeland Security to run CVE and associated programs." These figures align with the USAspending.gov contract data.

The broader CISA-MITRE contract ceiling reaches $57.8 million including option periods, according to federal contract documents cited by Recorded Future News. When CISA executed the emergency 11-month extension in April 2025, industry estimates placed that extension's value at approximately $44 million, though CISA characterized it as exercising "the option period on the contract" rather than disclosing specific amounts.

For context, the related National Vulnerability Database (NVD) operated by NIST has a separate contract with Analygence valued at approximately $25 million, bringing combined CVE ecosystem costs to roughly $54 million annually.

CISA's overall budget trajectory from FY2024 to FY2026

CISA's budget has faced sustained pressure, declining from enacted levels to proposed cuts that would represent an approximately 17% reduction from FY2025 to FY2026 under the Trump administration's proposal.

FY2024 Enacted (P.L. 118-47): The Homeland Security Appropriations Act provided CISA with $2.873 billion in gross discretionary budget authority. This broke down as:

  • Operations and Support: $2.383 billion
  • Procurement, Construction, and Improvements: $489 million
  • Research and Development: $793,000
  • Authorized positions: 3,732

This represented a $34 million cut from FY2023 levels, despite the Biden administration requesting $3.06 billion. Specific cybersecurity allocations included $823 million for cyber defense technology and tools, $819 million for cyber operations (including vulnerability management and threat hunting), and $130 million for emergency communications.

FY2025 Enacted: Operating under a full-year continuing resolution (P.L. 119-4), CISA received essentially flat funding at $2.873 billion—the same level as FY2024—despite a Biden administration request for $3.01 billion. The Trump administration later attempted to reprogram $144 million from CISA's FY2025 budget to ICE operations.

FY2026 Proposed vs. Enacted: The Trump administration's June 2025 budget request proposed cutting CISA to $2.378 billion—a reduction of approximately $495 million (17%) below FY2025 levels. This included eliminating 1,083 positions (30% workforce reduction) and zeroing out the R&D budget entirely. The final Congressional agreement, documented in the Senate Appropriations Committee's conference bill summary, provided $2.6 billion—a $273 million reduction from FY2025 but $222 million above the administration's request. Congress specifically added $20 million "to undo many of the administration's irresponsible cuts to critical positions" and $40 million to continue election security activities.

Cybersecurity division allocations reveal vulnerability management funding

While CVE program funding doesn't appear as a dedicated line item, CISA's budget justifications detail cybersecurity program allocations that encompass vulnerability-related work. The FY2025 budget request included:

  • Continuous Diagnostics and Mitigation (CDM): $469.8 million
  • Joint Collaborative Environment: $394 million
  • National Risk Management Center: $139.6 million
  • Infrastructure Security: $187 million

The FY2026 Trump proposal targeted these programs for significant cuts: $216 million (18%) reduction to the Cybersecurity Division overall, $30.8 million cut to vulnerability assessments specifically, and $97.4 million (73%) cut to the National Risk Management Center. The Joint Collaborative Environment faced a $36.5 million reduction.

Separately, CISA had provided $3.7 million in annual supplemental funding to NIST for NVD operations, which was paused in late 2023 amid broader budget pressures—contributing to the NVD backlog crisis that saw over 90% of new CVEs awaiting analysis by mid-2024.

Historical disclosure patterns: why these figures only emerged in crisis

CVE program funding has never been disclosed as a separate budget line item in DHS or CISA Congressional Budget Justifications. The program's costs are bundled within broader MITRE contracts and categorized under general cybersecurity operations. No GAO (Government Accountability Office) reports specifically audit CVE program funding or effectiveness as a standalone item.

This opacity created significant problems during the April 2025 funding crisis. CVE Board member Peter Allor noted that "the announcement by MITRE Corporation that Homeland Security and CISA were not renewing the contract came to many as a complete surprise," adding that "evidently this situation was known by the three parties for nearly a month." The lack of transparent budget tracking meant stakeholders had no visibility into funding continuity risks for critical infrastructure.

The contract figures that became public emerged from three sources: USAspending.gov federal contract database entries, FPDS (Federal Procurement Data System) records cited by journalists, and a GitHub repository (jgamblin/CostOfCVE) that analyzed USAspending.gov data to calculate a per-CVE cost of $664.01 based on 43,625 CVEs published during the contract period.

What remains unknown and uncertain

Several important figures remain undisclosed or uncertain:

The exact value of the 11-month April 2025 extension has not been officially confirmed. The $44 million estimate comes from industry experts rather than CISA documentation. CISA's Matt Hartman characterized the situation as "a contract administration issue that was resolved prior to a contract lapse" rather than a funding issue, without providing specific dollar amounts.

Long-term CVE funding beyond March 2026 remains undetermined. The extension runs only through that date, with no public commitment to continued government funding. The newly formed CVE Foundation, established by CVE Board members in response to the crisis, represents an effort to reduce dependence on a "single government sponsor" but has not disclosed its funding model.

Specific vulnerability management line items within CISA's budget—if they exist as discrete allocations—are not publicly broken out. The agency's budget structure groups these activities under broader cybersecurity operations categories.

Conclusion

The CVE program operates on approximately $29 million annually in documented CISA contract funding to MITRE, with CISA's total operating budget ranging from $2.6 billion (FY2026 enacted) to $2.873 billion (FY2024-2025). The $15-20 million placeholder estimate in my original research underestimates actual CVE funding by approximately 50%. However, this figure only became publicly verifiable through federal contract databases and crisis-driven disclosure—official budget documents do not itemize CVE program costs, representing a significant transparency gap for globally critical cybersecurity infrastructure.