Most users of technology don’t have to consciously think about security vulnerabilities on their most-used devices, including Android-based products, very often. As long as you update your phone as soon as new security patches are available, you’re usually covered. However, there’s an intricate government-supported program operating to make that all possible, and it almost went dark today.
After roughly 24 hours of uncertainty, the U.S. Cybersecurity and Infrastructure Agency (CISA) announced that it would continue funding the Common Vulnerabilities and Exposures (CVE) on the day its previous contract was set to expire. Today, April 16, a spokesperson for the CISA told The Verge that the agency “executed the option period on the contract to ensure there will be no lapse in critical CVE services.”
But it went down to the wire in a move that could’ve sent the entire globe into a tech security nightmare.
It all has to do with the CVE program, which identifies and tracks security issues in public view, from the point a potential problem is identified to the time when a proper fix is issued. It has nearly 500 partners that include security researchers, open-source developers, and major companies — including big ones like Google, Microsoft, and Apple.
If the CVE program sounds familiar, that’s probably because you’ve seen a CVE code mentioned in an article (like one of the many CVE-related ones on Android Central) or the release notes of an update. They’re also a major part of monthly releases on the Android Security Bulletin. These codes, like CVE-2024-53104, start with CVE followed by the year and a number, and create a universal database to track security flaws across devices, platforms, and companies.
The CVE program has been active for 25 years, beginning in 1999. It has become invaluable to the security community, serving as a universal way for researchers, developers, companies, and the public to work together to discover and patch crucial vulnerabilities. More importantly, it publicly states whether a vulnerability is believed to have been actively exploited by bad actors.
Leading security researchers have pointed out the consequences of the CVE program shutting down, like Lukasz Olejnik on X (formerly Twitter).
“The consequence will be a breakdown in coordination between vendors, analysts, and defense systems — no one will be certain they are referring to the same vulnerability,” wrote Olejnik, a scholar with advanced degrees in computer science and information technology law with specializations in privacy. “Total chaos, and a sudden weakening of cybersecurity across the board.”
The crisis has been avoided… for now?
Luckily, it appears that the crisis has been avoided, as the federal government will continue to fund the CVE program for at least the near future. However, the decision coming down to the wire as the Trump administration slashes federal funding across the board puts the CVE program in a more uncertain position now than at any point in its 25-year history.
“The CVE Program is invaluable to the cyber community and a priority of CISA,” the spokesperson said in a statement to The Verge. “We appreciate our partners’ and stakeholders’ patience.”
But that final green light didn’t come quick enough, as the security world already started making plans to keep the CVE program up and running — even without federal funding. CVE board members created the CVE Foundation, a nonprofit planned for in secret for the past year that would ensure the CVE mission continues.
“CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” said Kent Landfield, an officer of the CVE Foundation, in a press release. “Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work, from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats.”
The foundation explains that it is concerned that having a single government sponsor could create “a single point of failure in the vulnerability management ecosystem.”
The CVE program could be changing as we know it
The CVE program is a critical part of Android security, and it should be relevant to every single person who touches an Android-based device. Although government funding has been acquired for now, the moves that have been set in motion by the last-minute decision may not be reversed. The CVE Foundation is here, and it might be here to stay.
There’s no word on whether the CVE Foundation will continue to operate now that the CVE program has retained U.S. government funding, but the foundation said more information will be released “over the coming days.” The immediate U.S. government funding doesn’t solve the long-term problem the CVE Foundation has identified — the possibility of having a single point of failure — so there still may be a reason for it to exist.
Regardless of how this all plays out, the decision to fund the CVE program should’ve never come this close to ending a crucial global security program. Most of us have the luxury to not think about device security that often, and it’s programs like the CVE that allow us that privilege.