The global cybersecurity community has closely followed recent developments regarding the future of the Common Vulnerabilities and Exposures (CVE) Program — a critical global resource that has been operated under U.S. government funding for the past 25 years. After a period of uncertainty and speculation surrounding the potential end of federal support, it now appears that the U.S. government will continue funding the program.
The formal establishment of the CVE Foundation, a nonprofit initiative designed to support and evolve the program’s mission, marks a significant milestone. While the continuity of federal funding provides welcome stability, recent events have highlighted the need for proactive planning and resilience across the cybersecurity ecosystem.
Anticipating the Shift — and Preparing Proactively
Discussions around the long-term sustainability, neutrality, and evolution of the CVE program have been ongoing within the cybersecurity community. At VulnCon last week, a key industry event where security professionals gathered to discuss the future of vulnerability disclosure and coordination, many expected definitive clarity regarding the program’s future. However, that clarity was not fully achieved, and a degree of uncertainty persisted in the days that followed.
At Nozomi Networks, we’ve been preparing for this moment for quite some time. We anticipated the possibility of change well in advance and have taken concrete steps over the years to ensure continuity, resilience, and reliability in our vulnerability intelligence operations.
Ensuring Continuity and Confidence for Our Customers
Below, we outline the key areas in which our approach has evolved to anticipate disruption, maintain continuity, and deliver actionable insight regardless of external uncertainty:
Direct Ingestion from Trusted Vendors
Our Vulnerability Assessment team has, for years, prioritized direct ingestion of critical vulnerabilities from trusted vendors. This strategy originated in response to longstanding delays in NVD’s enrichment process and has proven vital in minimizing latency and ensuring timely visibility, with or without CVE identifiers.
Expanding Beyond CVE Identifiers
Recognizing the limitations of the current CVE structure, we’ve enhanced our systems and products to support and track non-CVE vulnerability identifiers. This enables us to maintain comprehensive coverage even when vulnerabilities lack official designation, helping to close potential blind spots in our customers’ threat landscapes.
Diversified, Multi-Source Intelligence
Our data ingestion pipeline is purposefully redundant and resilient, incorporating a wide spectrum of sources, including:
- CISA Vulnrichment: Enriches CVE data with context like CVSS scores, exploitability, affected CWE types, and real-world exploitation data (e.g., KEV list), helping prioritize threats more effectively.
- Strategic intelligence from Mandiant: Brings in expert-driven threat insights and early warnings from industry leaders known for their frontline incident response and threat intel work. These insights are made available to our customers through the Nozomi Threat Intelligence Expansion Pack, powered by Mandiant, as part of our ongoing partnership.
- NVD data overrides: Supplements or corrects gaps in the National Vulnerability Database, especially useful given recent delays in official analysis and publication.
- A combination of public and proprietary data feeds: Ensures comprehensive coverage by merging community-maintained sources with exclusive insights from our own research and partner collaborations.
This diversity ensures our coverage remains broad and accurate, regardless of shifts in the CVE ecosystem.
Real-Time Monitoring and Responsive Adaptation
We are actively monitoring developments from the newly formed CVE Foundation. Our teams are prepared to adapt both technically and operationally to the evolving governance structure — ensuring seamless integration and continuous alignment with the wider security community.
Collaborating with the Community to Shape What’s Next
At Nozomi Networks, we believe that effective vulnerability management is a collective responsibility. Transparency, collaboration, and adaptability are at the heart of our approach.
The transition to a nonprofit-led CVE structure presents new challenges but also opportunities to foster a more inclusive, community-driven model. While current developments indicate a continuation of federal support, we remain attentive to the broader evolution of the program. Should a transition of stewardship occur in the future, we are well-positioned to adapt and contribute constructively to that shift as well — helping shape a more resilient and collaborative future for vulnerability intelligence.
Looking Ahead
While the U.S. government’s continued support for the CVE Program is welcome news, the recent period of uncertainty served as a powerful reminder of the importance of forward thinking and operational resilience. Whether the program remains under federal stewardship or transitions to alternative models in the future, we are prepared to adapt seamlessly and continue delivering robust vulnerability intelligence.
We will continue to share updates as the CVE Foundation evolves. In the meantime, Nozomi Networks remains unwavering in our mission: to deliver high-integrity threat intelligence without disruption.