The Day CVE Almost Died
On 16 April 2025, U.S. funding for MITRE’s Common Vulnerabilities and Exposures (CVE) catalog hit zero. An 11‑month rescue contract from CISA arrived at the eleventh hour, but the close call exposed a brittle single‑sponsor model. The immediate fix: two parallel efforts—the nonprofit CVE Foundation and Europe‑backed Global CVE (GCVE)—aim to decentralize governance. Meanwhile, attackers now weaponize fresh bugs in about five days, so defenders must pair CVE intel with fast, compensating‑control automation such as BlueRock’s Evidence of Vulnerability Coverage (EVC).