CVE survives in limbo, much like U.S. cybersecurity as a whole.
Two Democratic members of Congress have asked the U.S. Government Accountability Office (GAO) for a thorough review of how the key Common Vulnerabilities and Exposures (CVE) program operates. The request was prompted by the suspended flow of federal funding and the potential threat to the entire cybersecurity ecosystem that depends on the program.
Representatives Bennie Thompson and Zoe Lofgren sent a letter to U.S. Comptroller General Eugene Dodaro. In it, they express concern that a cessation of funding could paralyze the flow of critically important cybersecurity threat information on which both the private sector and government agencies rely.
CVE program funding ended in April 2025. CISA temporarily rescued the situation by allocating funds for 11 months, but the program's long-term stability remains in question. Against this backdrop, the representatives called for an analysis of the effectiveness of all government initiatives supporting CVE and the National Vulnerability Database (NVD).
The letter focuses in particular on the interaction between government agencies, including the Department of Homeland Security (which includes CISA), and on the role of the National Institute of Standards and Technology (NIST), which is responsible for administering vulnerability databases. The authors emphasize that programs like CVE are a cornerstone of efforts to reduce cybersecurity risk globally. Without such systems for the timely detection and dissemination of vulnerability information, companies and government entities remain vulnerable to attacks.
Meanwhile, the situation at CISA is also far from stable. The agency has seen layoffs, including among its leadership, and several high-ranking officials have left in recent months. These personnel losses coincided with a budget crisis: the Trump administration proposed large-scale cuts to the agency's funding.
The situation surrounding CVE is not just a technical issue but an indicator of the government's attitude toward cybersecurity in general. Not only IT companies but also the protection of the country's critical infrastructure depend on the preservation and stable functioning of this program. If budgetary disputes and management crises continue to threaten its existence, the result could be a dangerous vacuum in the global vulnerability response system.
