CVE programme expands roles

CISA said the CVE programme will remain a funding priority and signalled a larger role for AI companies in vulnerability handling, while ENISA is seeking top‑tier status and coordinated vulnerability disclosure is becoming an EU obligation. The reporting frames these changes as institutional shifts in how vulnerabilities are identified and disclosed. (infosecurity-magazine.com) (helpnetsecurity.com)

The system that gives software flaws their shared names is being reshaped on both sides of the Atlantic, with the United States and Europe widening who gets to assign, route and disclose vulnerability reports. (cisa.gov) Common Vulnerabilities and Exposures, usually shortened to CVE, is the catalog that assigns a standard identifier to a newly disclosed software weakness so vendors, defenders and governments are talking about the same bug.

In September 2025, the Cybersecurity and Infrastructure Security Agency said its roadmap would move the program from a “growth era” to a “quality era” focused on trust, responsiveness and better data. (cisa.gov) After confusion in April 2025 about whether the program’s contract work might lapse, CISA said on April 16, 2025 that CVE remained “a priority” and that it had executed an option period on April 15 to avoid any break in service. Matt Hartman, CISA’s deputy executive assistant director for cybersecurity, said separately that the issue was contract administration, not a funding shortfall. (cisa.gov 1) (cisa.gov 2)

At the same time, the CVE program has been building rules for artificial intelligence flaws, a sign that model providers and other artificial intelligence companies are being drawn into the vulnerability system rather than treated as an edge case. CVE.org began a blog series on artificial intelligence-related vulnerabilities in July 2024 and followed with guidance on assigning CVE identifiers and publishing records for those cases. (cve.org)

Europe has also moved up the chain. ENISA, the European Union Agency for Cybersecurity, said on November 20, 2025 that it had become a CVE Program Root, making it a central contact point for national authorities, Computer Security Incident Response Teams and partners within its mandate. (enisa.europa.eu) CVE.org’s partner listing now shows ENISA with three roles at once: Root, CVE Numbering Authority and Top-Level Root, placing it in the program’s highest coordination tier. A Root oversees other numbering authorities, while a Top-Level Root sits above Roots in the trust structure that governs who can issue identifiers and publish records. (cve.org)

Those governance changes are landing as Europe turns disclosure into a legal duty. ENISA said the Network and Information Security 2 Directive required member states to adopt and publish a coordinated vulnerability disclosure policy by October 17, 2024. (enisa.europa.eu) The European Commission says the Cyber Resilience Act entered into force on December 10, 2024, with reporting obligations starting on September 11, 2026 and the main obligations applying from December 11, 2027. A separate Commission page says manufacturers must report actively exploited vulnerabilities and severe incidents affecting products with digital elements from September 11, 2026. (digital-strategy.ec.europa.eu 1) (digital-strategy.ec.europa.eu 2)

ENISA says the Network and Information Security 2 Directive also tasks it with developing and maintaining a European Vulnerability Database, giving the European Union its own disclosure infrastructure alongside the global CVE system. That leaves vendors and researchers heading into late 2026 with more formal reporting routes, more institutions in the chain and less room for ad hoc handling of newly found flaws. (enisa.europa.eu)
