CVE public goods crisis

“There’s no such thing as a free lunch.”
But for decades, cybersecurity has felt like one.


CVE: Not Just a Number, But a Map

CVE—Common Vulnerabilities and Exposures—is often mistaken for just another ID system.
But as Adam Shostack explains, its true value lies not in the number itself, but in its function as a stable knowledge concordance across disparate systems:

“The value of CVE is not the number, but its ability to reliably cross-reference tools, databases, and vendor patches.”

In essence, CVE is like the ISBN for cybersecurity: one shared identifier that lets tools, vendors, researchers, and patching systems agree that they are talking about the same vulnerability. Scanners, advisories, ticketing systems and patch trackers each describe a flaw differently; the CVE ID is the key on which their records can be joined.
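The concordance role can be shown directly in code. The following is an added example, not code from the article or from the CVE program: it normalizes CVE IDs found in three constructed, mutually inconsistent sources (scanner output, a vendor advisory list, and a patch-tracking log) and joins them on the ID. The hosts, package names, fix versions and CVE IDs are placeholders with no reference to real advisories. The ID syntax it relies on is the real one (`CVE-` + four-digit year + `-` + a sequence of at least four digits); the handling of a zero-padded sequence as a mangled copy of the same ID is an assumption made for robustness.

```python
"""Added example: CVE IDs as a join key across heterogeneous sources.
All input data below is constructed for illustration; IDs are placeholders."""
import re
from collections import defaultdict

# CVE ID syntax (the concordance key): "CVE-" + 4-digit year + "-" + a sequence
# of at least 4 digits. The canonical form carries no leading zeros beyond the
# 4-digit minimum, so the normalizer strips them and re-pads (assumption: a
# zero-padded longer sequence is a mangled copy of the same ID, not a new one).
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def normalize_cve(text):
    """Return the canonical form of the first CVE ID in `text`, or None if absent."""
    m = CVE_RE.search(text)
    if m is None:
        return None
    seq = m.group(2).lstrip("0").rjust(4, "0")
    return f"CVE-{m.group(1)}-{seq}"


# Constructed sample data (hypothetical hosts, packages, versions and IDs).
SCANNER_LINES = [
    "host=web-01 finding=cve-2024-10001 pkg=examplelib",   # lower-case ID
    "host=web-02 finding=CVE-2024-10001 pkg=examplelib",
    "host=db-01 finding=CVE-2024-0007 pkg=otherlib",
    "host=db-01 finding=CVE-2024-00007 pkg=otherlib",      # same ID, mangled padding
    "host=app-01 finding=weak-tls-config",                  # no CVE: cannot be joined
]
VENDOR_ADVISORIES = {
    "CVE-2024-10001": {"fixed_in": "3.4.1"},
    "cve-2024-0007": {"fixed_in": "1.9.0"},
}
PATCH_RECORDS = [
    ("web-01", "CVE-2024-10001", "deployed"),
    ("web-02", "CVE-2024-10001", "pending"),
]


def build_concordance(scanner_lines, vendor_advisories, patch_records):
    """Join scanner findings, vendor advisories and patch tracking on the CVE ID.

    Returns (joined, unmapped): `joined` maps each canonical CVE ID to the
    affected hosts, the vendor's fix version and per-host patch state;
    `unmapped` lists scanner lines that carry no CVE ID and so cannot be
    cross-referenced with anything else.
    """
    joined = defaultdict(lambda: {"hosts": set(), "fixed_in": None, "patch": {}})
    unmapped = []
    for line in scanner_lines:
        cve = normalize_cve(line)
        if cve is None:
            unmapped.append(line)
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        joined[cve]["hosts"].add(fields["host"])
    for raw_id, advisory in vendor_advisories.items():
        cve = normalize_cve(raw_id)
        if cve in joined:  # advisories for IDs the scanner never saw are ignored
            joined[cve]["fixed_in"] = advisory["fixed_in"]
    for host, raw_id, state in patch_records:
        cve = normalize_cve(raw_id)
        if cve in joined:
            joined[cve]["patch"][host] = state
    return dict(joined), unmapped


if __name__ == "__main__":
    joined, unmapped = build_concordance(SCANNER_LINES, VENDOR_ADVISORIES, PATCH_RECORDS)
    for cve, rec in sorted(joined.items()):
        print(cve, sorted(rec["hosts"]), rec["fixed_in"], rec["patch"])
    print("unmapped findings:", unmapped)
```

The `unmapped` list is the point of the exercise: the finding with no CVE ID is exactly the record that no advisory, ticket or patch system can be matched against, which is what the ecosystem loses when the numbering stops being assigned reliably.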


A System We All Used, For Free

CVE has been maintained by MITRE, a U.S. nonprofit, under a contract funded by the U.S. government (today through CISA, part of DHS).
And yet the entire global security ecosystem has depended on this system without paying for it:

  • Enterprises
  • Governments
  • Open source communities
  • Security vendors

CVE has operated as a global public good without international funding, and much of the work that feeds it, finding, reporting and documenting vulnerabilities, is done by researchers who are not paid for it.


The Collapse That Nearly Happened

In April 2025, the U.S. government contract under which MITRE operates CVE came within days of expiring.
A last-minute intervention by CISA extended it by 11 months, but the program's longer-term future remains uncertain.

We narrowly avoided the collapse of the system that powers vulnerability coordination worldwide.

The structural issue is clear: CVE depends on a single nation's funding despite global use. Reports from Reuters, BleepingComputer, and The Register have all highlighted this concern.


What If There Were a Security Tax?

Imagine this:

High-risk corporations contribute a small percentage of revenue to a public fund for security infrastructure.

This fund supports CVE-like systems, NGOs, bug bounty programs, and researcher compensation.

This idea is explored further in this article.

While this model is not yet implemented anywhere, it reflects a growing recognition:

  • Free-riding on security infrastructure is unsustainable
  • Public security systems require collective funding
  • Contributors deserve compensation, not just credit

Coverage in BankInfoSecurity and TechTarget points the same way: toward incentives for contributors, and toward reframing cybersecurity as a cost to be shared rather than absorbed by whoever happens to be holding it.


It’s Time to Pay for What We’ve Been Using

CVE wasn’t truly free.
It ran on the unpaid labor of researchers, the infrastructure of nonprofits, and a single government’s budget.

Now, as that model falters, we need shared solutions:

  • International funding models
  • Industry co-funding
  • Governmental cooperation
  • Transparent compensation for contributors

Initiatives like Common Good Cyber are beginning to pave the way. Their proposed structures—joint funding mechanisms, federated fundraising, and accelerator hubs—were presented at RSA Conference 2025 with the aim of building a global, multilateral support system.

This also aligns with public-private models advocated by CSIS.

Security has felt like a free lunch.
But someone was always paying.


📌 TL;DR

  • CVE is core public infrastructure for cybersecurity.
  • It’s been used globally but funded locally.
  • It nearly collapsed in 2025 when its operating contract came within days of expiring.
  • We must build funding mechanisms for global security commons.

The free lunch is over. We just didn’t notice who was footing the bill.