CVE Program Funding Expires—What It Means And What To Do Next

U.S. government funding for the global database of security flaws, the Common Vulnerabilities and Exposures (CVE) database, was set to expire on Apr. 16. The not-for-profit organization that runs the database, MITRE, confirmed that its contract with the U.S. Department of Homeland Security to operate the CVE Program had not been renewed. However, in an eleventh-hour turnaround, the U.S. Cybersecurity and Infrastructure Security Agency said it had extended the contract with MITRE.

What Happened And Why?

MITRE vice president Yosry Barsoum confirmed that U.S. government funding for the CVE database and the Common Weakness Enumeration (CWE) program will expire, warning that it could be a disaster for security. The news came via a letter posted on the social network Bluesky. Barsoum wrote, “On Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire. If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.”

Impact of the Funding Cut

The potential end to the CVE program funding was viewed by some experts as part of a cost-cutting drive by the Trump administration. The CVE system is a global reference method for publicly known security flaws, launched in 1999 and maintained by the U.S. National Cybersecurity FFRDC, operated by The MITRE Corporation, with funding from the U.S. National Cyber Security Division of the U.S. Department of Homeland Security. CVE IDs are listed on MITRE’s system as well as in the U.S. National Vulnerability Database.

Why Is An End To CVE Program Funding Bad?

The CVE database is “critical for anyone doing vulnerability management or security research,” and for “a whole lot of other uses,” security journalist Brian Krebs wrote on Mastodon. America’s “abrupt pullback” from leadership roles, “in this case coordinating the near global issue of CVEs for vulnerabilities,” will “place a heavy burden on global cyber defenses,” says Ian Thornton-Trump, CISO at Inversion6. Cutting the CVE program funding would be “a huge blow to the cybersecurity community,” says William Wright, CEO of penetration testing firm Closed Door Security.

The CVE Funding Cut’s Impact On Global Cybersecurity

However, the news might not be quite as bad as it seems. It’s essential to understand that MITRE does not operate the National Vulnerability Database, which is run by the U.S. National Institute of Standards and Technology, says Sean Wright, an independent security researcher. While MITRE does assign CVE IDs, CVE Numbering Authorities (CNAs) can also do this. The recent news about MITRE’s contract would likely only affect new vulnerabilities; historical vulnerabilities should not be affected.

What To Do Next

MITRE said historical CVE records will remain available on GitHub, but future CVEs still hang in the balance. Hopefully, another organization will step in to provide the funding, or countries will “band together to offer support,” says Closed Door Security’s Wright. Businesses can prepare by diversifying their threat intelligence sources and monitoring vendor-specific vulnerability feeds, says Jamie Akhtar, CEO and co-founder of cybersecurity outfit CyberSmart.

Conclusion

The potential end to MITRE’s CVE program funding is a worrying development that could reduce security for everyone. However, with the contract extension, the CVE program will continue to operate, and the global cybersecurity community can breathe a sigh of relief. Organizations should nonetheless stay vigilant and prepared for any potential changes in the future.

FAQs

Q: What is the Common Vulnerabilities and Exposures (CVE) database?

A: The CVE database is a global database of security flaws that provides a reference method for publicly known security flaws.

Q: Who operates the CVE database?

A: The CVE database is operated by The MITRE Corporation, with funding from the U.S. National Cyber Security Division of the U.S. Department of Homeland Security.

Q: What would happen if the CVE program funding is cut?

A: If the CVE program funding is cut, it could lead to a deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and critical infrastructure.

Q: How can businesses prepare for a potential CVE funding cut?

A: Businesses can prepare by diversifying their threat intelligence sources and monitoring vendor-specific vulnerability feeds.

Q: Is the National Vulnerability Database (NVD) affected by the CVE funding cut?

A: No. The NVD is operated by the U.S. National Institute of Standards and Technology and is not directly affected by the CVE funding cut.
