Latest update: future secured for at least 11 months.
In a development that has sent shockwaves through the cybersecurity community, MITRE Corporation announced that its 25-year partnership with the Department of Homeland Security (DHS) to maintain the Common Vulnerabilities and Exposures (CVE) program will expire at midnight tonight. This program, which has served as the backbone of vulnerability tracking and management across the global cybersecurity ecosystem, now faces an uncertain future as government funding comes to an abrupt halt.
https://www.bleepingcomputer.com/news/security/mitre-warns-that-funding-for-critical-cve-program-expires-today/
The CVE program has been a cornerstone of cybersecurity defense since its inception, providing a standardized method for identifying and cataloging software vulnerabilities. This database doesn't just assign unique identifiers to security flaws—it enables the entire security industry to speak a common language when discussing and addressing vulnerabilities.
Yosry Barsoum, vice president and director of the Center for Securing the Homeland at MITRE, confirmed the situation in a message to the CVE board: "On Wednesday, April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE®) Program and related programs, such as the Common Weakness Enumeration (CWE™) Program, will expire."
While Barsoum noted that "the government continues to make considerable efforts to support MITRE's role in the program," the reality is that without renewed funding, the program as we know it will cease operations.
Security professionals across the industry have responded with dismay. Sasha Romanosky, senior policy researcher at the Rand Corporation, described the end of the CVE program as "tragic," emphasizing that "CVE naming and assignment to software packages and versions are the foundation upon which the software vulnerability ecosystem is based."
Ben Edwards, principal research scientist at Bitsight, expressed "sadness and disappointment" at the news, calling the CVE program "a valuable resource that should absolutely be funded."
The implications of this funding lapse extend far beyond MITRE itself. The CVE program provides foundational data that feeds into numerous security products and services, including vulnerability management systems, threat intelligence platforms, and endpoint detection and response tools. It also serves as the primary source for NIST's National Vulnerability Database (NVD), which was already facing significant challenges with processing backlogs.
Diagram from James Berthoty on LinkedIn:
https://www.linkedin.com/posts/james-berthoty_okay-its-really-hard-to-say-how-disastrous-activity-7318033864096972802-2TyH/
The ripple effects of this funding lapse will be immediate and far-reaching. According to Brian Martin, vulnerability historian and former CVE board member, the cessation of MITRE's CVE program will trigger "an immediate cascading effect that will impact vulnerability management on a global scale."
Without the program:
The decision not to renew MITRE's contract comes amid broader cuts to government spending, particularly at the Cybersecurity and Infrastructure Security Agency (CISA), which funds the CVE program through DHS. Recent reports indicate that CISA is facing staffing cuts of up to 40%, with approximately 1,300 employees slated for termination.
However, sources familiar with the situation suggest that the relative cost of the CVE program is minor compared to other budget cuts being implemented across the federal government. This raises questions about the strategic priorities guiding these decisions.
Starting at midnight tonight, MITRE will no longer add new records to the CVE database, though historical records will remain available on GitHub. The critical question now is whether a private sector alternative will emerge to fill this void.
Some companies are already taking proactive steps. Patrick Garrity, a security researcher at threat intelligence firm Vulncheck, announced that his company has "proactively reserved 1,000 CVEs for 2025" and "will continue to provide CVE assignments to the community in the days and weeks ahead."
CISA has acknowledged the situation, with a spokesperson stating: "CISA is the primary sponsor for the Common Vulnerabilities and Exposure (CVE) program, which is used by government and industry alike to disclose, catalog, and share information on technology vulnerabilities that can put the nation's critical infrastructure at risk. Although CISA's contract with the MITRE Corporation will lapse after April 16, we are urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely."
The potential collapse of the CVE program represents a critical inflection point for the cybersecurity community. What was once a given—a standardized, reliable system for tracking vulnerabilities—now hangs in the balance.
The coming days and weeks will be crucial in determining whether alternative funding models emerge, whether the private sector can effectively take up the mantle, or whether government officials will recognize the essential value of this program and restore funding before irreparable damage is done to the global vulnerability management ecosystem.
For organizations that rely on CVE data for their security operations, now is the time to assess potential impacts and develop contingency plans. The cybersecurity landscape as we know it is about to change dramatically, and adaptability will be key to maintaining effective defense postures in this new and uncertain environment.
Sources:
https://www.bleepingcomputer.com/news/security/mitre-warns-that-funding-for-critical-cve-program-expires-today/
https://bsky.app/profile/tib3rius.bsky.social/post/3lmulrbygoe2g
https://infosec.exchange/@briankrebs/114343835430587973