The industry’s beloved CVE program is due for a change

“I think we’re just going to be left in the dust,” Katie Noble said at RSAC 2026.

Like many people in their mid-twenties, the Common Vulnerabilities and Exposures (CVE) program, a cornerstone of the cybersecurity industry, is having a quarter-life crisis.

At RSAC 2026, CVE board members voiced their concerns about the longevity of the 26-year-old vulnerability catalog program, which is sponsored by CISA and managed by the MITRE Corporation, as it faces financial and administrative hurdles.

Uphill battle. Katie Noble, director of product security incident response team (PSIRT) and bug bounty at Intel, told the audience that funding remains a large issue for the CVE program, along with the “human glue” holding it together. Last April, the cybersecurity industry erupted when federal funding for the CVE program almost expired; after that, CISA extended its contract for another 11 months.

“The board, we’ve tried for years to highlight issues, and sometimes they get through and sometimes they don’t,” Noble said. “I don’t think that we can afford to continue at the pace with the tools that we currently have in order to make real progress. I think we’re just going to be left in the dust.”

Lisa Olson, principal security program manager at Microsoft, said bureaucracy is another issue impacting the program, adding it takes “forever” to get anything done.

“Either we can do this at scale as an industry together or we can’t,” Olson said. “If we can’t, then CVE will not prevail. It will not survive if we can’t grow it bigger and better and faster.”

The current volume of CVEs is another pain point for the organization, as AI enables faster code production while speeding cybersecurity pros’ ability to find new vulnerabilities. The number of vulnerability reports on GitHub, for example, increased 224% in the past three months compared to the prior three months, according to GitHub Senior Security Manager Madison Ficorilli.

“Just the numbers that I’ve seen over the last three months specifically are like nothing I have personally seen before in vulnerability management,” Ficorilli said during the panel, adding that the quality of CVEs has also diminished.

Due for a change. While Noble described the CVE program as “the oxygen that we breathe” in cybersecurity defense, she acknowledged that the project is due for an update to better serve the industry.

“The community is going to have to come together in order to build a better program,” Noble said. “I’d love for CVE to be it, but I also don’t want to exclude the possibility that we need to look back at the goal of the CVE program, which is to identify and catalog vulnerabilities and create a universal language to be able to discuss these things, and there are many ways to do that that we need to start considering.”

About the author

Brianna Monsanto

Brianna Monsanto is a reporter for IT Brew who covers news about cybersecurity, cloud computing, and strategic IT decisions made at different companies.
