Funding uncertainty may spell the end of MITRE’s CVE program

The future of the Common Vulnerabilities and Exposures (CVE) program hangs in the balance: MITRE, the not-for-profit US organization that runs it, could lose the US federal funding that helps it maintain the program. But others have been waiting in the wings and are getting ready to pick up the vulnerability tracking mantle.

CVE program funding

“On Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire,” Yosry Barsoum, MITRE VP and director at MITRE’s Center for Securing the Homeland, shared in a (leaked) email sent on Tuesday to CVE Board members.

“The government continues to make considerable efforts to continue MITRE’s role in support of the program. If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.”

What is the CVE program?

The CVE program provides a centralized database of software vulnerabilities which, through MITRE or other CVE numbering authorities (CNAs), get assigned a unique identifier (CVE number) that allows everybody that has anything to do with vulnerability research, disclosure, and management to talk about vulnerabilities from the same point of reference.

The number of published CVE records is constantly rising: in 2024, 40,000+ vulnerabilities were pinned down with a CVE number. In 2023 and 2022, those numbers were 28,961 and 25,059, respectively. (The number of reserved CVE IDs has also been rising each year.)

“The CVE database is crucial to international security. Although third-party databases exist, the world has standardized on CVE identifiers to act as pointers to vulnerability data,” Ariadne Conill, distinguished engineer at Edera, told Help Net Security.

“Loss of CVE services will be catastrophic. Every vulnerability management strategy around the world today is heavily dependent and structured around the CVE system and its identifiers.”

CVE program funding woes

The CVE program, which recently celebrated 25 years of existence, is largely funded by the US Department of Homeland Security. The funding is disbursed through the Cybersecurity and Infrastructure Security Agency (CISA), which has also recently been hit with budget and workforce cuts (and is facing more).

“If funding lapses, the entire vulnerability coordination ecosystem could be disrupted, making it harder to prioritize and patch critical security issues,” Michael Mumcuoglu, CEO of CardinalOps, commented.

“Vendors and security teams might lose the ability to speak a common language about vulnerabilities, and this could lead to delayed responses, duplicated efforts, or missed threats, weakening global cyber defense across both public and private sectors.”

The uncertainty around what will happen with the CVE program is most unwelcome, and doubly so because NIST’s National Vulnerability Database (NVD) – whose analysts are in charge of enriching CVE records with vulnerability severity scores, CPE entries, CWE information, and reference links – has been lagging for a while now. There are plans to get it up to speed and improve it, but its dependence on US federal funding does little to inspire confidence in those plans.

What now?

According to cybersecurity reporter Brian Krebs, if the funding stops, the MITRE CVE database could go offline today, though historical CVE records will still be available at GitHub. Also, if the MITRE API that CNAs use to obtain CVEs remains running, CVE numbering authorities will still be able to issue CVE numbers and publish CVE records, he added.

Cybersecurity company VulnCheck, which is also a CNA, has “proactively reserved 1,000 CVEs for 2025” and “will continue to provide CVE assignments to the community in the days and weeks ahead.”

Mumcuoglu advises cybersecurity leaders to prepare themselves for the CVE program’s possible demise by establishing internal vulnerability triage protocols and by tapping into threat intelligence.

“Without centralized CVE identifiers, your team may need to rely more heavily on internal severity assessments and prioritization frameworks (like CVSS, asset criticality, and business context). Make sure your vulnerability and exposure management processes are robust and don’t depend solely on CVE data,” he says.

“Start coordinating with trusted threat intel vendors, ISACs, and security communities. Building stronger peer-sharing networks can help fill gaps in vulnerability discovery and attribution that the CVE program may no longer support.”
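As an added illustration of the advice above (example code written for this article, not CardinalOps’ or MITRE’s), the following triage helper validates identifiers against the CVE ID syntax, falls back to an internal tracking key when a CVE ID is missing or malformed, and ranks findings by CVSS, asset criticality and exposure. The `Finding` shape, the `VULN-*` keys and the scoring weights are assumptions made for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# CVE ID syntax: "CVE-", a four-digit year, "-", then a sequence number of four or more digits.
CVE_ID_RE = re.compile(r"^CVE-([0-9]{4})-([0-9]{4,})$")

def is_valid_cve_id(candidate: str) -> bool:
    """True if the string follows the CVE ID syntax (case-sensitive, as published)."""
    return CVE_ID_RE.match(candidate) is not None

@dataclass(frozen=True)
class Finding:
    """One vulnerability finding as an internal triage process tracks it (constructed shape)."""
    internal_id: str          # always present, e.g. an issue-tracker key (hypothetical)
    cve_id: str | None        # None when no CVE was assigned or a CNA never published one
    cvss_base: float          # CVSS base score, 0.0 to 10.0
    asset_criticality: int    # 1 (low) to 3 (crown jewel), set by the asset owner
    internet_exposed: bool    # business context: reachable from outside the perimeter

def reference_id(f: Finding) -> str:
    """Use a well-formed CVE ID when one exists; otherwise the internal key keeps triage moving."""
    if f.cve_id is not None and is_valid_cve_id(f.cve_id):
        return f.cve_id
    return f.internal_id

def priority_score(f: Finding) -> float:
    """Illustrative priority (assumed weights, not a standard): CVSS scaled by criticality, +1.0 if exposed, capped at 10."""
    score = f.cvss_base * f.asset_criticality / 3 + (1.0 if f.internet_exposed else 0.0)
    return round(min(score, 10.0), 2)

def triage(findings: list[Finding]) -> list[tuple[str, float]]:
    """Rank findings highest-priority first; works with or without a CVE ID on each one."""
    ranked = sorted(findings, key=priority_score, reverse=True)
    return [(reference_id(f), priority_score(f)) for f in ranked]

# Constructed sample findings: a valid CVE ID, no CVE ID at all, a malformed ID, and a low-impact one.
SAMPLE_FINDINGS = [
    Finding("VULN-101", "CVE-2024-12345", 9.8, 3, True),
    Finding("VULN-102", None, 7.5, 2, True),
    Finding("VULN-103", "CVE-24-1", 5.0, 3, False),
    Finding("VULN-104", "CVE-2025-0001", 4.0, 1, False),
]

if __name__ == "__main__":
    for ref, score in triage(SAMPLE_FINDINGS):
        print(f"{ref:15} priority={score}")
```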

CVE Foundation to the rescue?

It’s obvious that the CVE program’s stumbling did not come as a surprise to some and that potential replacements are being fleshed out.

“Since its inception, the CVE Program has operated as a U.S. government-funded initiative, with oversight and management provided under contract. While this structure has supported the program’s growth, it has also raised longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor,” the newly established CVE Foundation has stated today.

“In response, a coalition of longtime, active CVE Board members have spent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation. The new CVE Foundation will focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide.”

Details about the structure of the foundation, the transition planning, and opportunities for involvement from the broader community will be released in the coming days, they added.

The Computer Incident Response Center Luxembourg (CIRCL) is also launching the Global CVE (GCVE) allocation system, “a new, decentralized approach to vulnerability identification and numbering” that will be compatible with the traditional CVE system.

UPDATE (April 16, 2025, 08:45 a.m. ET):

“The CVE Program is invaluable to the cyber community and a priority of CISA,” a CISA spokesperson told Help Net Security.

“Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”
