EU wants to support bedrock cyber vulnerability program, top official says


SAN FRANCISCO — The European Union wants to assist with and help modernize a cornerstone cyber cataloging program after a contracting scare last year prompted renewed discussions and concerns over how to sustain the vulnerability-tracking system relied upon by hundreds of thousands of security practitioners worldwide.

The Common Vulnerabilities and Exposures Program faced a contracting scare last spring when MITRE, the non-profit research organization that operates the program under a U.S. government contract, warned of an imminent end to federal backing for the project. The matter was addressed within hours amid outcry from the cybersecurity community.

The EU wants to help “build upon” the foundation of the program and “the great work that has been done there,” Hans de Vries, the chief cybersecurity and operational officer for the European Union Agency for Cybersecurity, or ENISA, said Thursday at the RSAC Conference in California. 

After the initial contracting issue, EU member states asked ENISA to explore ways to strengthen the CVE process, de Vries explained. 

“We cannot build on one contract alone, so we have to strengthen it, and make sure that foundation, that basic mechanism — and it’s a huge program — but that mechanism stays, and stays to the core that we want to build on,” he said.

CVE provides a standardized method for identifying and cataloging publicly known cybersecurity vulnerabilities. Each flaw is assigned a unique identifier of the form CVE-YYYY-NNNN, designed to help security researchers, vendors and officials communicate more effectively about the same issue. The program was first launched in 1999.

The remarks from de Vries are some of the first showing how European officials are weighing a more formal role in contributing to the CVE program, amid growing concerns that its long-term stability cannot rely on a sole U.S. government contract.

Congressional staffers have also drafted legislation to codify the CVE program and address how the Cybersecurity and Infrastructure Security Agency would take a more active oversight role in its management, said Moira Bergin, who leads cyber policy work for the Democrat side of the House Homeland Security Committee.

“While CISA is certainly authorized to execute this program, it’s not specifically tasked with doing it, which, as an oversight committee, makes it harder for us to hold an agency accountable for executing a task,” she said. “And it doesn’t give any of the stakeholders any expectation of what they can expect from the program and hold it accountable for.”

A newer version of the program managed under CISA should also “endure political cycles,” said Mike McLaughlin, a shareholder and Cybersecurity and Data Privacy Practice Group co-lead at Buchanan Ingersoll & Rooney PC, arguing that if CVE is housed in CISA but is perceived as politicized or fragile, other regions will fragment off and force competing programs to emerge.

Bergin said that, in the draft text, staffers are seeking to “inoculate the [CVE] board membership from political cycles” so those risks are diminished.

The discussion also came amid growing recognition among industry practitioners that AI has now become a core tool in hackers’ arsenals that can accelerate the speed and scale of cyberattacks.

On a regular basis, some people “seem to think that CVE records should be just read by humans,” said Bob Lord, a former Cybersecurity and Infrastructure Security Agency official who helped lead the agency’s Secure by Design initiative.

In the CVE program, a vulnerability record is created when a flaw is first published, while later “enrichment” can add details such as severity and exploitability. But as cyberattacks now move at machine speed, many experts argue those records need to be far more complete upfront, because waiting to fill in the gaps can leave defenders exposed.
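The distinction between what a record contains when it is issued and what later enrichment adds can be checked mechanically. The following Python is an added example, not code from the CVE program, MITRE or CISA: it walks a CVE JSON 5.x record, validates the identifier syntax, reports which fields the CNA (issuing authority) container lacks at publication, and reports which of those gaps are covered only by a later ADP enrichment container. The two sample records are constructed here (the ID CVE-2099-0001 is a placeholder, not a real assignment), and the issuance checklist (description, affected products with versions, CWE, CVSS base score, references) is this example's own choice rather than program policy.

```python
"""Completeness check for a CVE JSON 5.x record at time of issuance.

'containers.cna' holds what the issuing authority published; later
enrichment (e.g. CVSS or CWE added by an ADP) lands in 'containers.adp'.
The issuance checklist below is this example's own, not CVE program policy.
"""
import re
from typing import Any

# CVE ID syntax: "CVE-" + four-digit year + "-" + at least four digits.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def is_valid_cve_id(cve_id: str) -> bool:
    """True if cve_id matches CVE-YYYY-NNNN+ with a year since the program began."""
    m = CVE_ID_RE.match(cve_id)
    return bool(m) and 1999 <= int(m.group(1)) <= 2100


def _has_cwe(container: dict[str, Any]) -> bool:
    """problemTypes[].descriptions[].cweId carries the weakness, e.g. CWE-120."""
    return any(
        d.get("cweId", "").startswith("CWE-")
        for pt in container.get("problemTypes", [])
        for d in pt.get("descriptions", [])
    )


def _has_cvss(container: dict[str, Any]) -> bool:
    """metrics[] entries hold cvssV3_1 / cvssV4_0 objects with a baseScore."""
    return any(
        key.startswith("cvssV") and isinstance(val, dict) and "baseScore" in val
        for metric in container.get("metrics", [])
        for key, val in metric.items()
    )


def _affected_gaps(container: dict[str, Any]) -> list[str]:
    affected = container.get("affected", [])
    if not affected:
        return ["affected (no products listed)"]
    return [
        f"affected versions for {e.get('vendor', '?')}/{e.get('product', '?')}"
        for e in affected if not e.get("versions")
    ]


def issuance_gaps(record: dict[str, Any]) -> list[str]:
    """What the CNA container is missing as published, before any enrichment."""
    gaps = []
    cve_id = record.get("cveMetadata", {}).get("cveId", "")
    if not is_valid_cve_id(cve_id):
        gaps.append(f"cveMetadata.cveId malformed: {cve_id!r}")
    cna = record.get("containers", {}).get("cna", {})
    if not cna.get("descriptions"):
        gaps.append("descriptions")
    gaps.extend(_affected_gaps(cna))
    if not _has_cwe(cna):
        gaps.append("problemTypes (CWE)")
    if not _has_cvss(cna):
        gaps.append("metrics (CVSS base score)")
    if not cna.get("references"):
        gaps.append("references")
    return gaps


def filled_only_by_enrichment(record: dict[str, Any]) -> list[str]:
    """Issuance gaps that a later ADP container (not the CNA) fills in."""
    missing = set(issuance_gaps(record))
    covered = set()
    for adp in record.get("containers", {}).get("adp", []):
        if "problemTypes (CWE)" in missing and _has_cwe(adp):
            covered.add("problemTypes (CWE)")
        if "metrics (CVSS base score)" in missing and _has_cvss(adp):
            covered.add("metrics (CVSS base score)")
    return sorted(covered)


# Constructed sample records (placeholder ID, not a real CVE): a thin record
# whose weakness and severity arrive only via ADP enrichment, and a full one.
_CNA_BASE = {
    "descriptions": [{"lang": "en", "value": "Buffer overflow in example-daemon."}],
    "references": [{"url": "https://example.invalid/advisory"}],
}
THIN_RECORD = {
    "dataType": "CVE_RECORD", "dataVersion": "5.1",
    "cveMetadata": {"cveId": "CVE-2099-0001", "state": "PUBLISHED"},
    "containers": {
        "cna": {**_CNA_BASE,
                "affected": [{"vendor": "ExampleCorp", "product": "example-daemon"}]},
        "adp": [{
            "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-120",
                                                "description": "CWE-120"}]}],
            "metrics": [{"cvssV3_1": {"baseScore": 9.8,
                         "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}],
        }],
    },
}
COMPLETE_RECORD = {
    "dataType": "CVE_RECORD", "dataVersion": "5.1",
    "cveMetadata": {"cveId": "CVE-2099-0001", "state": "PUBLISHED"},
    "containers": {"cna": {
        **_CNA_BASE,
        "affected": [{"vendor": "ExampleCorp", "product": "example-daemon",
                      "versions": [{"version": "0", "lessThan": "2.4.1",
                                    "status": "affected", "versionType": "semver"}]}],
        "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-120",
                                            "description": "CWE-120"}]}],
        "metrics": [{"cvssV3_1": {"baseScore": 9.8,
                     "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}],
    }},
}

if __name__ == "__main__":
    for name, rec in (("thin", THIN_RECORD), ("complete", COMPLETE_RECORD)):
        print(name, "gaps at issuance:", issuance_gaps(rec))
        print(name, "filled only by enrichment:", filled_only_by_enrichment(rec))
```

Run against a feed of freshly published records, the "filled only by enrichment" list is the measurable form of the concern raised above: every entry in it is a field a defender had to wait for, and a CNA that routinely produces empty lists is issuing complete records.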

“While there certainly is a component where humans should be able to go in and look at CVE and understand what’s in there, what we really need to do is start making sure that we have high-quality records,” said Lord, referring to individual vulnerability entries. “Today, we’re going to really need to talk a lot more about record quality at the time of issuance, not enrichment later, but at the time of issuance.”

A CISA spokesperson told Nextgov/FCW that a “broad internal contracting review caused a brief renewal delay in April 2025, but operations continued without disruption and MITRE was ultimately retained as the program operator.” CISA and the Department of Homeland Security have since “taken proactive contracting steps to maintain MITRE’s support, ensure stable global vulnerability tracking and expand its usage,” the spokesperson added.

“MITRE, in support of CISA, is committed to CVE as a critical global resource,” said Jordan Graham, a MITRE spokesperson.

Today, everyone uses CVE identifiers as a common vernacular, said McLaughlin. If it disappears, vendors and defenders can’t easily tell if they’re talking about the same bug, and regulators and service providers lose a shared reference system.

“I think if the program were to go away, you’d have fragmentation, which leads to inefficiency, which leads to less security,” Bergin said. “And when we make the case to our members that this is something that they should take their time with, that’s what we say: fragmentation, inefficiency, less security — it’s that simple.”
