Brian Martin argues that MITRE has mismanaged the CVE program for decades and that its costs dwarf its benefits, citing funding figures that rose from almost $5 million for 2004 to 2005 to $29 million for 2024/2025, which works out, by his calculation, to MITRE receiving $664.01 for each of the 43,625 CVEs published during that contract period.
He notes that the CVE project began with 321 records in 1999, at a time when more than 3,700 vulnerabilities were already known, and he questions whether a Federally Funded Research and Development Center (FFRDC) is still the right model in 2026 given higher‑performing commercial alternatives. The piece draws on findings that researchers wait days to receive a CVE ID assignment, and it names the Government Accountability Office as a body that could investigate whether MITRE remains fit for purpose as an FFRDC running a vulnerability database.
According to the government‑run Defense Acquisition University, an FFRDC’s relationship with its sponsor must be adaptable and cost‑effective, criteria he argues MITRE has failed to meet. The piece also references a 2024 policy update on cloud/SaaS vulnerability assignments, suggesting that a transition to private sector‑led management may better serve the public interest. The author asks whether a non‑government, privately run vulnerability database (VDB) could deliver superior results at a fraction of the cost.

27 January 2026.