Cybersecurity is built on shared infrastructure.
Some of that infrastructure is visible, like firewalls, scanners, and SIEMs. But some of it lives in the background, quietly connecting everything else. The CVE system is one of those invisible backbones. It gives us a common language to talk about vulnerabilities, a baseline for tools to work together, and a foundation for coordinated defence. When something like that stumbles, it sends ripples through the entire industry. Last week, CVE stumbled. And it’s time we talked about what that means, what’s broken, and what we need to fix before it breaks for good.
Last week, funding for the CVE program, the backbone of vulnerability identification around the world, nearly disappeared. MITRE, which manages CVE, announced that its funding had expired, and without an urgent intervention, new vulnerability identifiers would no longer be assigned.
CISA stepped in with emergency funding. That bought us 11 months.
But here’s the uncomfortable truth: we’re not in the clear. CISA itself is under budget pressure, and there’s no guarantee that support for CVE will continue after the current extension. Depending on how U.S. politics go, this entire crisis could come roaring back sooner than expected. The stopgap is only a temporary solution.
While not every cybersecurity process or tool strictly depends on CVE, it remains the central reference point for how most of the world coordinates vulnerability tracking. CVE identifiers are embedded in scanners, patch management systems, exploit frameworks, compliance tools, and security advisories. Even when organisations use internal databases or proprietary systems, they often map back to CVE IDs for correlation.
The loss or disruption of CVE wouldn’t halt all vulnerability management, but it would break many of the links that help tools, teams, and communities speak the same language. If CVE hiccups, the ecosystem shakes.
This isn’t just an American issue. CVE is baked into global security infrastructure. It’s the standard.
Which is why this near-miss should have everyone paying attention.
First, let’s not panic. The world existed before CVE. Vulnerabilities were tracked through mailing lists, security advisories, and independent databases.
If CVE disappeared tomorrow, those with resources would patch together alternatives. Open source communities and vendors alike would spin up identifiers, adopt existing secondary databases, or build new standards. In fact, some of that is already happening. The near-defunding spurred renewed interest in decentralisation and competing systems.
But there is a catch. Even if replacement systems emerge, they won’t be instant, they won’t be interoperable, and for a time, the world will have fragmented, inconsistent, and incomplete vulnerability tracking. That means slower response, more confusion, and greater risk.
The fallout wouldn’t just be technical. It would be organisational.
Compliance programs. Risk models. Procurement processes. All rely on CVE.
The truth is, the CVE system had deep cracks long before this funding cliff. Security veterans have been sounding the alarm for over a decade.
In the Extended Vulnerability Community discord server, which you can join here, Jericho, a cybersecurity social media staple, linked to talks previously given at various conferences about the issues with CVE. You can view slides for those talks, and others, here.
To summarise some of the issues that Jericho points out:
Meanwhile, everything from public policy to product comparisons relies on CVE data, often without understanding these caveats.
Vulnerability databases are the foundation of cybersecurity. But the foundations are less than solid.
Arachne Digital’s focus is on cyber threat intelligence (CTI) and threat-informed defence. Understanding how hackers hack and planning your defences accordingly can help improve your organisation’s security. Having CTI doesn’t make us, or you for that matter, immune to the problems above, but it does mean we look at vulnerabilities a little differently.
We care less about the ID and more about the context, such as who’s exploiting it, how, and against whom. Mapping vulnerabilities to real-world attacker behaviour helps teams prioritise even when the database is incomplete or flawed.
That’s not a fix for the system. But it’s a way to operate despite its shortcomings.
The near-collapse of CVE funding should make it clear that centralising critical infrastructure into a single point of failure is risky. We’ve seen this movie before in other domains, whether it’s DNS, certificate authorities, or cloud hosting. Monocultures might be efficient, but they’re brittle. If we want long-term resilience, we need decentralisation, not just as a fallback, but as a design principle.
We don’t need one global monolithic vulnerability database. We need:
And above all, we need resilience. A single point of failure for global vulnerability tracking is a risk in itself.
Here’s what needs to happen:
Arachne Digital believes better defences come from good CTI, open source tools, and shared infrastructure. We’re committed to being part of the solution, but no one group can fix this alone.
Solving this doesn’t fall on one entity. Governments must fund and legislate long-term support for shared security infrastructure. Vendors need to publish vulnerability information more transparently and support open standards. Researchers should be empowered to contribute without facing legal threats. And the security community at large, from startups to nonprofits, should see vulnerability tracking as shared civic infrastructure, not just a commercial feature. If we treat vulnerability databases (VDBs) like a commons, they’ll serve us like one.
Encouragingly, some in the community are already moving. We’re seeing open source initiatives, distributed identifier experiments, and new tooling emerge, not to replace CVE out of spite, but to build redundancy, transparency, and innovation into a system that desperately needs it. These efforts deserve real support, funding, adoption, and collaboration, not just when CVE falters, but now, when we still have time to build something stronger in parallel.
The story of CVE isn’t just about a funding crisis, it’s about the fragile systems we’ve come to rely on, and the urgent need to rethink how we manage risk at a global scale. This is a moment to reflect, yes, but more importantly, it’s a moment to act. We can’t afford to treat vulnerability management as background noise anymore. It’s infrastructure. It’s strategic. And it’s time we treated it that way.