Cybersecurity, much like climate change, is an inherently global challenge demanding global solutions. The internet's interconnected nature ensures that a vulnerability discovered in one corner of the digital world can rapidly ripple outwards, affecting systems and users everywhere. Software vulnerabilities, the digital equivalent of industrial pollution, are an inevitable byproduct of software development. With modern software often comprising millions of lines of code, bugs and potential vulnerabilities are statistically unavoidable. Given the interconnected and interdependent character of today's cyberspace, one vulnerability, say in Microsoft Windows, potentially affects all 1.5 billion Windows installations worldwide. The infamous Log4j vulnerability "Log4Shell" (CVE-2021-44228), disclosed in December 2021, is estimated to have affected some three billion devices and roughly 93% of the world's cloud infrastructure: in the US, China, the EU, everywhere.
Vulnerability Management
Managing these vulnerabilities effectively is paramount to maintaining a secure digital ecosystem. In 2024, about 40,300 unique vulnerabilities were published as CVE records, that is roughly 775 per week, or more than 100 every single day. Coordinated Vulnerability Disclosure (CVD) processes play a vital role, allowing researchers to report their findings to vendors or national cybersecurity agencies. Vendors, in turn, develop patches and distribute software updates. This is why we encounter software updates so frequently today. Network administrators bear the responsibility of constantly monitoring their environments for newly disclosed vulnerabilities and applying patches swiftly. Even small businesses typically run between 20 and 172 different software products, depending on the survey, which makes tracking and managing vulnerabilities a complex task.
A crucial aspect of vulnerability management is having a standardized, common naming scheme for vulnerabilities. Without it, chaos would ensue. If a vendor like Microsoft patches 20 different vulnerabilities without clear, unique identifiers, administrators would struggle to track what has been patched and what remains vulnerable. Was it this buffer overflow here or that remote code execution there? This is where the Common Vulnerabilities and Exposures (CVE) system and the US National Vulnerability Database (US NVD) come into play. They provide a common point of reference, enabling defenders to communicate about and manage vulnerabilities unambiguously. The two are distinct but tightly coupled: the CVE Program, operated by the MITRE Corporation together with a network of CVE Numbering Authorities (CNAs), assigns each publicly disclosed vulnerability its unique CVE identifier and a short description. The US NVD, operated by the National Institute of Standards and Technology (NIST), takes those CVE records and enriches them: it calculates severity scores (using the Common Vulnerability Scoring System, CVSS), lists affected products in machine-readable form (using Common Platform Enumeration, CPE), classifies the underlying weakness (using Common Weakness Enumeration, CWE), and links to vendor advisories and fixes.
The Importance of the US National Vulnerability Database
The importance of the NVD cannot be overstated. Many critical cybersecurity tasks hinge on its availability and accuracy. Vulnerability databases feed risk assessment and management, and thus the cyber defense strategies organizations build on them. They are essential for government compliance and auditing, which demand proof that security measures are implemented and effective. Without the US NVD, administrators would struggle to prioritize patching efforts, potentially leaving critical vulnerabilities unaddressed. Many cybersecurity tools ingest and synchronize data from the US NVD daily to learn about newly disclosed vulnerabilities, and this data drives risk assessments and patch management. Vulnerability scanners match the NVD's CPE product lists against the software found on a network to decide which hosts are affected. Automated defense technologies, such as Security Information and Event Management (SIEM) systems, Intrusion Detection/Prevention Systems (IDPS) and Endpoint Detection and Response (EDR), key their alerts and signatures on CVE identifiers and pull NVD data to enrich and correlate what they see. Without the NVD, security operations would be significantly slowed down and complicated.
This is bad news in the high-speed security environment we live in. The average time between public disclosure of a vulnerability and threat actors exploiting it in attacks has shrunk to around 3–5 days in recent years. In other words, if network defenders are too slow to patch their systems, they get hacked quickly. The problem is already real: given the sheer volume of vulnerabilities and the understaffed and underfunded state of the US NVD, its staff have struggled to keep up. In February 2024 NIST sharply scaled back enrichment, so that new CVE records were published without CVSS scores or CPE product lists, and a huge backlog of unprocessed records built up. As of January 2025, that backlog was estimated at around 23,000 CVE records awaiting full enrichment. For a defender this matters in practice: a record without CPE data cannot be matched automatically against a software inventory, and a record without a CVSS score cannot be prioritized automatically, so every such record falls back to manual triage.
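To make concrete what the NVD enrichment described above buys a defender, and what the backlog takes away, here is an added example (not code from the original post or from NIST) that walks NVD API 2.0 records, pulls out the CVSS score and the CPE match criteria, matches them against a small asset inventory, and flags records that are still unenriched. The NVD_SAMPLE payload and INVENTORY below are constructed for this example: they follow the real API 2.0 field layout ("vulnerabilities" -> "cve", "vulnStatus", "metrics.cvssMetricV31", "configurations[].nodes[].cpeMatch") but are trimmed, the Log4Shell configuration is simplified to a single version range, and the second record uses a placeholder CVE ID with no real vulnerability behind it.

```python
"""Parse NVD API 2.0 records, match CPE ranges against an inventory, and
separate enriched CVEs from records still sitting in the NVD backlog."""
import json

# Constructed sample payload (shape of the NVD API 2.0 response, trimmed).
# Record 1 mirrors CVE-2021-44228 with its NVD CVSS 3.1 score; its affected
# version range is simplified. Record 2 is a placeholder, not a real CVE.
NVD_SAMPLE = json.loads(r'''
{"vulnerabilities": [
  {"cve": {
    "id": "CVE-2021-44228", "vulnStatus": "Analyzed",
    "descriptions": [{"lang": "en", "value": "Apache Log4j2 JNDI lookup ... (trimmed)"}],
    "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
      "cvssData": {"version": "3.1",
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "baseScore": 10.0, "baseSeverity": "CRITICAL"}}]},
    "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [
      {"vulnerable": true, "criteria": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*",
       "versionStartIncluding": "2.0", "versionEndExcluding": "2.15.0"}]}]}]}},
  {"cve": {
    "id": "CVE-2025-00000", "vulnStatus": "Awaiting Analysis",
    "descriptions": [{"lang": "en", "value": "[placeholder: not yet enriched by NVD]"}],
    "metrics": {}, "configurations": []}}
]}''')

# Constructed inventory: one host per CPE 2.3 name of an installed product.
INVENTORY = [
    {"host": "web-01", "cpe": "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*"},
    {"host": "web-02", "cpe": "cpe:2.3:a:apache:log4j:2.17.1:*:*:*:*:*:*:*"},
    {"host": "db-01", "cpe": "cpe:2.3:a:postgresql:postgresql:15.4:*:*:*:*:*:*:*"},
]

# vulnStatus values NVD uses before a record carries CVSS/CPE enrichment.
UNENRICHED = {"Received", "Awaiting Analysis", "Undergoing Analysis"}


def _ver(s):
    """'2.14.1' -> (2, 14, 1). Pre-release suffixes such as '-beta9' are
    dropped and trailing zeros stripped so that '2.15' == '2.15.0'."""
    parts = []
    for piece in s.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit()) if piece[:1].isdigit() else ""
        digits = digits[: len(digits) - len(digits.lstrip("0123456789"))] or digits
        parts.append(int(digits.split("-")[0]) if digits else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def _in_range(version, match):
    """Apply a cpeMatch entry's version constraints to a concrete version."""
    v = _ver(version)
    crit_version = match["criteria"].split(":")[5]   # field 5 of a CPE 2.3 name
    if crit_version != "*":
        return v == _ver(crit_version)
    if "versionStartIncluding" in match and v < _ver(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= _ver(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > _ver(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= _ver(match["versionEndExcluding"]):
        return False
    return True


def parse_nvd(payload):
    """Normalize each CVE to id, status, primary CVSS 3.1 score and CPE matches."""
    records = []
    for item in payload["vulnerabilities"]:
        cve = item["cve"]
        metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
        cvss = next((m["cvssData"] for m in metrics if m.get("type") == "Primary"),
                    metrics[0]["cvssData"] if metrics else None)
        matches = [m for conf in cve.get("configurations", [])
                   for node in conf.get("nodes", []) if not node.get("negate")
                   for m in node.get("cpeMatch", []) if m.get("vulnerable")]
        records.append({"id": cve["id"], "status": cve["vulnStatus"],
                        "base_score": cvss["baseScore"] if cvss else None,
                        "severity": cvss["baseSeverity"] if cvss else None,
                        "matches": matches})
    return records


def match_inventory(records, inventory):
    """Return (hits, backlog): hits are inventory assets whose vendor, product
    and version fall inside an enriched CVE's CPE range, sorted worst-first;
    backlog lists CVE IDs that cannot be matched because NVD has not yet
    attached CPE/CVSS data and therefore need manual triage."""
    hits, backlog = [], []
    for rec in records:
        if rec["status"] in UNENRICHED:
            backlog.append(rec["id"])
            continue
        for asset in inventory:
            a = asset["cpe"].split(":")
            for m in rec["matches"]:
                c = m["criteria"].split(":")
                if (a[3], a[4]) == (c[3], c[4]) and _in_range(a[5], m):
                    hits.append({"host": asset["host"], "cve": rec["id"],
                                 "base_score": rec["base_score"], "severity": rec["severity"]})
                    break
    hits.sort(key=lambda h: -(h["base_score"] or 0))
    return hits, backlog


if __name__ == "__main__":
    hits, backlog = match_inventory(parse_nvd(NVD_SAMPLE), INVENTORY)
    for h in hits:
        print(f"{h['host']}: {h['cve']} CVSS {h['base_score']} ({h['severity']})")
    print("unenriched, manual triage needed:", backlog)
```

Run against the sample, web-01 (Log4j 2.14.1) is matched to CVE-2021-44228 at CVSS 10.0, web-02 (2.17.1) falls outside the range and is not flagged, and the placeholder record lands in the backlog list because, without CPE data, there is nothing to match it against. The version comparison is deliberately simple and ignores pre-release ordering; production matching should use a full CPE matching library.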
In the light of this, it is a tremendously stupid idea of the current Trump regime to let the funding for this infrastructure lapse, as has been reported in the news. With everything Trump, tomorrow the situation might look different. But what we know so far is that, as of April 16, 2025, the US government contract with the MITRE Corporation to operate and maintain the CVE Program was set to expire after 25 years of funding. The funding was provided through a contract with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), and its termination raises serious concerns about the future of this critical resource. Strictly speaking, the NVD itself is run by NIST and is not the subject of this contract, but the NVD builds on CVE records: without a functioning CVE Program there are no new identifiers to enrich, and every downstream database and tool that keys on CVE IDs is affected. This funding cut therefore poses a severe threat to global cyber-security. MITRE warned that a break in service would lead to a deterioration of national vulnerability databases and advisories, slower vendor reaction, hampered incident response operations, and impacts on all manner of critical infrastructure.
National Alternatives?
The NVD is the most comprehensive and standardized repository of publicly disclosed vulnerabilities. European governments, businesses and security vendors have long relied on the US NVD as the primary, authoritative source of structured vulnerability data. The NVD's data formats, metrics and enrichment processes have become de facto standards in European cybersecurity operations, enabling automation and interoperability across borders and sectors. A lapse in US funding therefore harms not only the US but also Europe, while potentially benefiting adversaries like China.
The European Union is developing its own European Vulnerability Database (EUVD), maintained by ENISA under the NIS2 Directive and fed by the vulnerability reporting obligations of the Cyber Resilience Act (CRA). While the EUVD aims to mirror the NVD's functions with a European focus, it is not yet fully operational. To this date, the US NVD remains the primary source of vulnerability data for most organizations. China, meanwhile, has built its own national vulnerability management infrastructure around the China National Vulnerability Database of Information Security (CNNVD), which is run by an institute affiliated with the Ministry of State Security, proactively seeks out vulnerabilities, and is backed by regulations that oblige researchers and vendors to report vulnerabilities to state authorities within tight deadlines. China exploits this ecosystem for unilateral gain. It gives China a potential advantage in cyber operations, as its intelligence agencies may have early access to vulnerabilities before vendors can develop patches and defenders can prepare. Russia likewise maintains its own database, the Data Bank of Information Security Threats (BDU) operated by the Federal Service for Technical and Export Control (FSTEC), and channels vulnerability reporting by researchers through state security authorities.
Fragmentation of global cyber-security commons
We are witnessing the nationalization of the global vulnerability ecosystem. Instead of a unified global commons, we are moving toward national or regional databases. The US has forfeited a great deal of trust in Europe, fueling initiatives for EU tech sovereignty. China and Russia have long prioritized national control over vulnerability information. This fragmentation means that many vulnerabilities may never be publicly disclosed, hindering global defense efforts. States may exploit vulnerabilities unilaterally, further eroding the global cybersecurity commons.
The US decision to let the funding lapse is short-sighted and detrimental. It weakens global cybersecurity, undermines international cooperation, and creates opportunities for adversaries. Maintaining a robust, globally accessible vulnerability database is essential for protecting our interconnected world. The CVE Program and the NVD must be adequately funded and supported to ensure a secure and resilient digital future. The alternative would be the proposed non-profit approach, the CVE Foundation announced by members of the CVE Board on the same day, but I remain doubtful that it can provide a trusted alternative with the same reach given the urgency of the situation.
By Matthias Schulze
Update 17.04.2025
In the eleventh hour, CISA was able to secure funding for the CVE Program by extending MITRE's contract. In a statement they say: "Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience." https://www.theregister.com/2025/04/16/cve_program_funding_save/
