- Key insight: Artificial intelligence tools are flooding the global vulnerability database with new software flaws, overwhelming the system and drastically reducing data quality.
- What’s at stake: A collapse or fragmentation of the CVE program would cripple critical defense and compliance operations for U.S. banking organizations.
- Expert quote: The sudden panic over the system’s near-shutdown served as a “fire drill” that caught the attention of U.S. lawmakers, according to House Homeland Security Subcommittee Director Moira Bergin.
Overview bullets generated by AI with editorial review
For 25 years, the global cybersecurity community has relied on the Common Vulnerabilities and Exposures (CVE) program as the definitive standard to identify and catalog software weaknesses.
Effectively every software and firmware maker has disclosed a vulnerability through CVE. NCR and Diebold Nixdorf have both disclosed ATM vulnerabilities in CVE. Google, Microsoft, Cisco, Progress Software and SolarWinds have all listed their vulnerabilities in the database.
If you can name a software vulnerability, it is almost certainly in CVE.
Now, artificial intelligence-driven threats, outdated infrastructure and recent political funding battles threaten to fracture this foundational system, creating severe operational and compliance risks for every economic sector, including banking.
At the 2026 RSAC Conference this week, experts across multiple panels warned that the database is buckling under these new pressures.
The system, maintained by the federally funded R&D nonprofit Mitre (stylized MITRE), remains the Rosetta Stone for coordinating vulnerability data globally. But it is also “weirdly fragile,” according to a Tuesday presentation from a panel of technology company security leaders.
Despite its deep integration into global legal and regulatory frameworks, the vulnerability index “is definitely not too big to fail,” the same panelists warned in the panel’s slide deck.
For U.S. banking organizations, a collapse or fragmentation of the catalog would hamstring critical defense and compliance operations, adding extremely costly and potentially ruinous overhead to the time-sensitive task of patching known vulnerabilities.
Patch management is critical enough to bank cybersecurity that the Federal Deposit Insurance Corp. requires regulated institutions to maintain effective software patch management programs.
A breakdown of the program would severely impact how financial institutions coordinate with their third-party service providers and regulators.
The immediate consequence of a system collapse would be a loss of synchronization, according to Michael McLaughlin, a cybersecurity attorney at Buchanan Ingersoll & Rooney. The loss of a common vernacular would leave organizations unable to effectively communicate about software flaws and respond appropriately, McLaughlin said during a Thursday panel at RSAC.
The April 2025 kerfuffle: A near-miss for critical infrastructure
The fragility of the vulnerability catalog became a public reality on April 15, 2025, when Mitre, the company that operates the index, sent an email to its advisory board members warning that government funding had dried up and operations would cease the next day.
The potential shutdown of CVE “is rightly raising alarms across the cybersecurity community,” Jen Easterly wrote on LinkedIn at the time. Easterly is the CEO of RSAC. Under Joe Biden, she served as the head of the Cybersecurity and Infrastructure Security Agency, which provides the CVE program’s funding.
In her post, Easterly called CVE “one of the most important pillars of modern cybersecurity.”
Katie Noble, a director at Intel and a board member for the CVE program, noted during a panel at RSAC on Tuesday that the board was entirely unaware of any contractual disputes between the federal government and the operating company.
“We were caught unaware,” Noble said. “Before we knew it, the kerfuffle was heard around the world.”
A shutdown would have severely damaged the defense capabilities of financial institutions and their third-party service providers.
Expiration of the contract would lead to a “deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure,” according to an April 2025 letter to the board from a vice president at the operating company.
CISA ultimately stepped in at the last minute and extended the operating contract by 11 months.
Still, the sudden panic served as a “fire drill” that caught the attention of U.S. lawmakers, according to an RSAC panel presentation by Moira Bergin, a director for the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection.
The AI-driven vulnerability surge and declining submission quality
Artificial intelligence tools act as a massive force multiplier for both attackers and defenders, identifying software flaws at a rate that overwhelms current tracking systems.
On the software development platform GitHub, project maintainers received roughly 5,200 private vulnerability reports in the first 24 days of March, according to Madison Ficorilli, a senior security manager at the company who spoke at RSAC. That is an eightfold increase compared to historical norms.
Ficorilli compared the AI boom to the advent of “fuzzing,” an automated software testing method, which similarly flooded security teams with new vulnerability discoveries.
While the quantity of vulnerability reports skyrockets, the quality of the data is plummeting, according to Ficorilli, creating severe bottlenecks for the security and vendor teams that banks rely on.
Curating data from the vulnerability program now takes five to eight times longer than it used to because of poor information quality, according to Ficorilli.
“I think that is an existential crisis,” she said of the declining information quality.
The root of this quality crisis lies in how the program accepts data.
The vulnerability database’s framework is not “opinionated” enough about how submitters input information, allowing people to enter arbitrary text that breaks the automated scripts used by network defenders, according to Bob Lord, a member of the program’s board.
To fix this and empower organizations to operate at “machine speed,” Lord argued the program must enforce strict data quality standards based on “completeness, accuracy and timeliness” at the exact moment a vulnerability is issued.
Modernization vs. bureaucracy: The need for machine-speed defense
The window between the discovery of a software flaw and an active attack has compressed dramatically. The average time from vulnerability identification to an active exploit has shrunk from months or years down to days or hours, according to Noble.
She warned Tuesday that the database currently operates at the speed of a “horse” when the industry needs a “rocket ship” to manage real-life threats.
Bureaucracy severely hampers this necessary evolution. Noble expressed frustration with the pace of the program’s technical modernization, noting that it took more than three years just to build a new website.
For banks, these delays complicate strict regulatory obligations. Under a joint rule (named SR 22-4) from the Office of the Comptroller of the Currency, the Federal Reserve Board and FDIC, banking organizations must report significant computer-security incidents within 36 hours.
To fix this disconnect and allow network defenders to move at “machine speed,” the program must enforce strict data quality standards at the exact moment a vulnerability is issued, according to Lord.
The database needs strongly typed, machine-readable records that integrate seamlessly into the automated defensive tools that organizations use, a necessary shift from the current system that allows arbitrary text, Lord said.
Lord co-authored an October whitepaper on how to execute these proposed improvements. In it, he and his two other co-authors suggested the program establish baseline minimum requirements for what constitutes a “viable vulnerability record.”
The program would then look at the entities authorized to contribute to the CVE database (these entities are known as CVE Numbering Authorities) and measure their performance against those norms to ensure ongoing compliance.
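The “viable vulnerability record” idea above is the kind of rule a defender can actually automate. The following validator is an added example written for this article, not code from the whitepaper, the CVE program or Mitre. It walks a record in the CVE JSON 5 format (the real top-level fields `cveMetadata` and `containers.cna` with `affected`, `descriptions`, `problemTypes`, `metrics` and `references`) and applies a small baseline of completeness, accuracy and timeliness checks. The specific rules (structured version ranges instead of free text, a CWE, a CVSS vector, an HTTPS reference, consistent timestamps) are this example’s own assumptions about what a minimum bar might look like, not the whitepaper’s criteria, and both sample records are constructed with placeholder identifiers.

```python
"""Baseline 'viable record' checks over CVE JSON 5 records (added example)."""
import re

from datetime import datetime

CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
CWE_ID_RE = re.compile(r"^CWE-\d+$")
VALID_STATUS = {"affected", "unaffected", "unknown"}
# Free-text version values that defeat automated product matching.
VAGUE_VERSIONS = {"", "*", "n/a", "unspecified", "all", "unknown"}


def _parse_ts(value):
    """CVE 5 timestamps are ISO 8601 and usually end in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_record(record):
    """Return a list of findings; an empty list means the record passes the baseline."""
    findings = []
    meta = record.get("cveMetadata", {})
    cna = record.get("containers", {}).get("cna", {})

    if record.get("dataType") != "CVE_RECORD":
        findings.append("metadata: dataType is not CVE_RECORD")
    if not CVE_ID_RE.match(meta.get("cveId", "")):
        findings.append("metadata: cveId malformed or missing")

    # Completeness/accuracy: every affected product needs machine-readable versions.
    affected = cna.get("affected") or []
    if not affected:
        findings.append("completeness: no affected products")
    for entry in affected:
        label = f"{entry.get('vendor', '?')}/{entry.get('product', '?')}"
        versions = entry.get("versions") or []
        if not versions:
            findings.append(f"completeness: {label} has no version entries")
        for v in versions:
            ver = str(v.get("version", "")).strip().lower()
            if v.get("status") not in VALID_STATUS:
                findings.append(f"accuracy: {label} version status invalid: {v.get('status')!r}")
            # 'all versions before 2.3' is prose; a range belongs in lessThan/lessThanOrEqual.
            if ver in VAGUE_VERSIONS or " " in ver:
                findings.append(f"accuracy: {label} version is free text: {v.get('version')!r}")
            if ("lessThan" in v or "lessThanOrEqual" in v) and "versionType" not in v:
                findings.append(f"accuracy: {label} version range lacks versionType")

    descs = cna.get("descriptions") or []
    if not any(d.get("lang", "").startswith("en") and d.get("value", "").strip() for d in descs):
        findings.append("completeness: no English description")

    cwe_ids = [d.get("cweId") for pt in cna.get("problemTypes") or []
               for d in pt.get("descriptions") or []]
    if not any(c and CWE_ID_RE.match(c) for c in cwe_ids):
        findings.append("completeness: no CWE identifier")

    if not any(k.startswith("cvssV") for m in cna.get("metrics") or [] for k in m):
        findings.append("completeness: no CVSS metric")

    if not any(r.get("url", "").startswith("https://") for r in cna.get("references") or []):
        findings.append("completeness: no https reference")

    # Timeliness (consistency only): a record cannot be updated before it was published.
    try:
        published = _parse_ts(meta["datePublished"])
        updated = _parse_ts(meta.get("dateUpdated", meta["datePublished"]))
        if updated < published:
            findings.append("timeliness: dateUpdated precedes datePublished")
    except (KeyError, ValueError):
        findings.append("timeliness: datePublished missing or unparsable")
    return findings


# Constructed sample records with placeholder IDs, vendors and URLs.
GOOD_RECORD = {
    "dataType": "CVE_RECORD", "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-2099-00001", "state": "PUBLISHED",
                    "datePublished": "2099-01-10T12:00:00.000Z",
                    "dateUpdated": "2099-01-10T12:00:00.000Z"},
    "containers": {"cna": {
        "affected": [{"vendor": "ExampleVendor", "product": "ExampleApp",
                      "versions": [{"version": "2.0.0", "status": "affected",
                                    "lessThan": "2.3.1", "versionType": "semver"}]}],
        "descriptions": [{"lang": "en", "value": "Constructed example: improper input validation."}],
        "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20",
                                            "description": "CWE-20 Improper Input Validation"}]}],
        "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH",
                                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}],
        "references": [{"url": "https://example.com/advisories/constructed-0001"}]}},
}

BAD_RECORD = {
    "dataType": "CVE_RECORD", "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-2099-00002", "state": "PUBLISHED",
                    "datePublished": "2099-02-01T00:00:00Z",
                    "dateUpdated": "2099-01-31T00:00:00Z"},
    "containers": {"cna": {
        "affected": [{"vendor": "ExampleVendor", "product": "ExampleApp",
                      "versions": [{"version": "all versions before 2.3", "status": "affected"}]}],
        "descriptions": [{"lang": "en", "value": "Bug in app."}],
        "references": [{"url": "http://example.com/note"}]}},
}

if __name__ == "__main__":
    for rec in (GOOD_RECORD, BAD_RECORD):
        print(rec["cveMetadata"]["cveId"], check_record(rec) or "OK")
```

Run as a script it prints `OK` for the first record and five findings for the second: the prose version string, the missing CWE and CVSS, the non-HTTPS reference and the inconsistent timestamps. A CNA-side gate like this, applied at issuance, is the point Lord makes: the record is either usable by a defender’s tooling or it is rejected, rather than being patched up downstream.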
International pressures and the threat of fragmentation
Europe has long relied on and built on CVE, but the bloc’s regulators are now moving forward rapidly with their own requirements to track software flaws, raising the prospect of a fractured global system.
Under the European Union’s Cyber Resilience Act, officials must create and maintain a European Vulnerability Database, according to Hans De Vries, a former director of the National Cybersecurity Center in the Netherlands.
The sudden contracting issues with the U.S.-funded program accelerated Europe’s timeline for building out this database, De Vries said during the Thursday panel. European member states realized they “cannot build on one contract alone,” according to De Vries.
As such, the month after the CVE funding fiasco, the E.U.’s cybersecurity agency announced the launch of the database, which automatically imports data from CVE.
Other entities are pushing even further away from the centralized U.S. system. A recently created catalog known as the Global CVE Allocation System allows organizations to create new vulnerability records entirely independently, according to a recent report from the Institute for Security and Technology.
For multinational banks, tracking software flaws across a decentralized system of multiple databases would massively increase compliance costs and operational risk, especially if the systems are not interoperable.
A collapse of the central program would cause “fragmentation, which leads to inefficiency, which leads to less security,” according to Bergin, the House Homeland Security subcommittee director.
Congressional intervention and future stewardship
The near-collapse of the vulnerability index last year caught the attention of U.S. lawmakers, who are now drafting legislation to stabilize the system.
Initially, congressional staff intended the legislation to be a “light lift” simply to secure funding, according to Bergin.
However, after hearing from experts who rely on the catalog, the legislative effort expanded into a broader push to empower the program’s advisory board and give international partners a formal voice in governance, Bergin said during a Tuesday panel.
Independent of legislative efforts, a coalition of cybersecurity veterans launched a new nonprofit entity in April 2025 to decouple the database from its strict reliance on U.S. government funding.
Because the current operating contractor operates under rules that restrict it to accepting federal funds, diversifying the financial support for the program is “nearly impossible,” according to an April 2025 statement from the newly formed CVE Foundation.
The new foundation seeks to build a community-driven initiative backed by a diversified mix of grants, sponsorships and corporate donations, in hopes of warding off what it called the “existential risk” that another funding lapse would cause.
For financial institutions, securing the future of this critical infrastructure may require direct financial investment.
During a Thursday panel, one RSAC attendee, Greg Wall, suggested the industry adopt a funding approach similar to the Payment Card Industry security standards, where major corporate beneficiaries directly fund the framework.
Rather than relying on a slow-moving government bureaucracy, large enterprises need to “put their money where their mouth is” and fund the global operation of the vulnerability catalog themselves, Wall said.
