Scrape Timestamp (UTC): 2025-04-16 06:20:36.832
Original Article Text
MITRE warns that funding for critical CVE program expires today.

MITRE Vice President Yosry Barsoum has warned that U.S. government funding for the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) programs expires today, which could lead to widespread disruption across the global cybersecurity industry.

CVE, the more critical of the two, is maintained by MITRE with funding from the U.S. National Cyber Security Division of the U.S. Department of Homeland Security (DHS).

CVE is crucial for providing accuracy, clarity, and shared standards when discussing security vulnerabilities. The program is widely adopted across various cybersecurity tools, including vulnerability management systems, and it allows tracking of all newly discovered vulnerabilities using CVE Identifiers (CVE IDs) assigned by CVE Numbering Authorities (CNAs) worldwide, with MITRE as the CVE Editor and Primary CNA.

CVE also helps avoid the confusion caused by using multiple names for a single security flaw, enables coordinated cataloging of new vulnerabilities, and lets security teams share information more easily through advisories, vulnerability databases, and other resources using a standard reference system.

"On Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire. The government continues to make considerable efforts to continue MITRE's role in support of the program," Barsoum warned in a letter sent to CVE Board members.

"If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure."

Since the letter was published online, many security experts and leaders in the cybersecurity community have expressed their angst. They fear the program will abruptly end, leaving everyone in the field without a standardized method to track new security issues.

According to former CISA head Jen Easterly, the immediate result would likely be the breakdown of most trusted security tools and processes and the collapse of all global coordination efforts.

"The CVE system may not make headlines, but it is one of the most important pillars of modern cybersecurity. Losing it would be like tearing out the card catalog from every library at once—leaving defenders to sort through chaos while attackers take full advantage," Easterly warned on LinkedIn. "Cyber threats don't stop at borders—and neither does defense. CVEs are the common language used worldwide to share intelligence and coordinate action. Lose that, and everyone's flying blind."

Casey Ellis, founder of crowdsourced security company Bugcrowd, added, "CVE underpins a huge chunk of vulnerability management, incident response, and critical infrastructure protection efforts. A sudden interruption in services has the very real potential to bubble up into a national security problem in short order."

When contacted by BleepingComputer, spokespersons at DHS, the National Institute of Standards and Technology (NIST), and the Department of Defense were not immediately available for comment. However, a CISA spokesperson told BleepingComputer, "Although CISA's contract with the MITRE Corporation will lapse after April 16th, we are urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely."

MITRE's troubles in keeping the CVE program funded come as NIST is also scrambling to clear a large backlog of CVEs that need enrichment for its National Vulnerability Database (NVD).
Daily Brief Summary
MITRE's funding for the crucial CVE and CWE programs, sponsored by the U.S. DHS, expires today, raising major concerns within the global cybersecurity community.
The CVE system, a cornerstone of cybersecurity, ensures a standardized approach to identifying and discussing security vulnerabilities worldwide.
The potential discontinuation of the CVE program could lead to the degradation of national vulnerability databases, advisories, and critical security tools.
Several cybersecurity leaders, including former CISA head Jen Easterly, have expressed concerns that losing CVE would result in a lack of coordination and a breakdown of trusted processes across the globe.
A break in service could directly impact incident response operations and critical infrastructure protection, escalating to national security threats.
DHS is actively working to mitigate the impact of the funding lapse and sustain CVE services, which are integral to the security operations of global stakeholders.
The issue also coincides with NIST's current struggle to clear a significant backlog of CVEs awaiting enrichment for its National Vulnerability Database (NVD).