CVE 2026

As I mentioned earlier, funding for the Common Vulnerabilities and Exposures program was extended. The details:

“The U.S. Cybersecurity and Infrastructure Security Agency said that Mitre, which has run the CVE Program since its launch in 1999, can continue to do so until early March 2026. 

“This is a temporary solution. Clearly, the U.S. government wants to get rid of CISA paying for the CVE program. Someone else needs to seize the funding and governance reigns, and the opportunity to do so allows for creating a less U.S.-centric endeavor.”

If a new funding mechanism can ensure technical program continuity—while at the same time providing the $30 million business continuity by shielding the program from the chaotic whims of one country and one person—then this could be a long term solution.

The cybersecurity ecosystem has a little over 10 months to figure out how to fund the CVE program beginning in 2026.

Which means that nothing of substance will get done for the next 9 months. (How’s that TikTok sale going?)

Well, maybe North Korea will volunteer to fund the program…

(Imagen 3)