For more than 25 years, the Common Vulnerabilities and Exposures (CVE) program has been a cornerstone of software vulnerability management worldwide. Due to recent administration changes and funding challenges, there are concerns about the program's future.
These concerns have drawn in more people, more organizations, and more voices who are committed to seeking alternatives to CVE or modifying the current program to ensure CVE remains a viable and effective standard. It is a topic that has sparked discussion among stakeholders across various industries to the point of drawing congressional interest.
In June, Mississippi Rep. Bennie Thompson from the Homeland Security Committee and California Rep. Zoe Lofgren from the Science and Technology panel called on the Government Accountability Office to assess the reliance on, efficiency, and effectiveness of the CVE program and National Vulnerability Database (NVD).
Accordingly, the Center for Cybersecurity Policy and Law felt the need to start a dialogue about the future of CVE. This paper provides background for those just entering the conversation, then starts a discussion about what questions new proposals should answer. The purpose of this paper is not to identify a solution but to provide a useful framework for those who are.
This paper should serve as a reminder to understand and define challenges with the CVE program before seeking solutions — because these challenges are universal from the user and CVE Board perspective.
The CVE program is crucial to supporting critical infrastructure, responding to cyber incidents quickly, and preserving international relationships. Any modifications to the program should unite the cybersecurity community, not build competition that will tear apart 25 years of standardization. The paper encourages thoughtful discussion on how to move the CVE program forward without fragmenting the cybersecurity community and vulnerability landscape.