Apple, like other technology companies, relies on the Common Vulnerability Exposure (CVE) program to identify and track security vulnerabilities in its software. With the federal government abruptly cutting off funding for CVE today, this critical cybersecurity resource now faces an uncertain future.
In response to the crisis, a coalition led by long-time CVE board members today announced the creation of the CVE Foundation, a non-profit organization dedicated to ensuring the continued operation of vulnerability identification systems.
"CVE's importance as a cornerstone of the global cybersecurity ecosystem cannot be underestimated," said Kent Landfield, an officer at the newly formed foundation. "CVEs around the world rely on CVE identifiers and data in their daily work—from security tools and advisories to threat intelligence and response. Without CVEs, defenders would be extremely disadvantaged in their efforts to combat global cyber threats."
The CVE program provides a standardized system for identifying and classifying security vulnerabilities in all software and hardware, including Apple's macOS, iOS, iPadOS, and other products. When security researchers discover a vulnerability, they are assigned a unique CVE identifier so that companies like Apple can coordinate patches and updates.
MITER is contracted by the U.S. Department of Homeland Security to manage the project. The company confirmed that government funding expired on April 16. According to Reuters, the expiration of the program may be related to the large-scale layoffs underway in the federal government, which are caused in part by the Department of Government Effectiveness (DOGE). The U.S. Cybersecurity and Infrastructure Security Agency (CISA), which was affected by the layoffs, said it was "urgently working to mitigate the impact" as the sudden funding gap could disrupt global vulnerability management.
Security experts have warned that without CVE, cybersecurity efforts would face "complete chaos" as a common language for communicating vulnerabilities would effectively disappear. One researcher likened it to "suddenly deleting all dictionaries."
The newly formed CVE Foundation aims to transform the project into a dedicated non-profit model that does not rely on single government funding. Organizers of the foundation revealed that they have been preparing for this possibility for the past year.
"For the international cybersecurity community, this move represents an opportunity to establish governance mechanisms that reflect the global nature of today's threat landscape," the foundation said in the announcement.
Funding cuts also affect the related Common Weakness Enumeration (CWE) program, which helps companies like Apple discover potential security issues before they become vulnerabilities.
The CVE Foundation is expected to announce more details about its structure and funding plans in the coming days. Apple and other big tech companies will likely play an important role in supporting it as a critical component of cybersecurity infrastructure.