MITRE’s CVE Program: A Turning Point in Global Cybersecurity Funding and Governance
- SHAH MUHAMMAD ASH-SYAFIQ BIN SHAHRIL
- 6 days ago

On April 16, 2025, the U.S. government’s funding for MITRE’s Common Vulnerabilities and Exposures (CVE) program expired, casting a shadow over a vital pillar of global cybersecurity. The CVE program, which has been operational for over 25 years, is an essential resource for vulnerability management, providing the world with a standardized way to identify, define, and catalog publicly disclosed security flaws through CVE IDs.
For years, the CVE program has been a cornerstone for cybersecurity professionals across the globe. MITRE, a not-for-profit organization, has been responsible for maintaining the CVE system, which lists over 274,000 vulnerability records to date. This system is crucial for organizations in managing cybersecurity risks, prioritizing vulnerabilities, and conducting incident response operations. Without CVE IDs, vulnerabilities could become harder to track, putting companies at greater risk.
The looming end of government funding for the program was first flagged by MITRE Vice President Yosry Barsoum, who warned that the expiration of funding could lead to significant disruptions in vulnerability management practices. A break in service could cause deterioration in national vulnerability databases, affect advisories, and hinder the operations of critical infrastructure, tool vendors, and incident response teams. In a letter to the CVE Board, Barsoum underscored the far-reaching impacts of such a disruption, which could ripple across the cybersecurity ecosystem.
CISA Steps in to Ensure Continuity
Fortunately, before the funding lapse could create widespread chaos, the Cybersecurity and Infrastructure Security Agency (CISA) intervened to extend MITRE’s contract for an additional 11 months. The intervention followed Barsoum’s official letter to the CVE Board, which warned of the serious impact a break in service could have on national vulnerability databases, advisories, and critical infrastructure. Announced just hours before the funding expired, the extension ensured that critical CVE services would not be interrupted, and it offers some relief to the cybersecurity professionals and businesses that rely heavily on the CVE system.
“We appreciate our partners' and stakeholders' patience,” a CISA spokesperson said, assuring the public that the CVE program would continue to operate without disruption for the time being.
This move came after months of uncertainty surrounding MITRE’s funding and the potential impact it could have on global cybersecurity.

The CVE program, which has been managed by MITRE under contract with the U.S. Department of Homeland Security (DHS), had been facing potential cuts as part of broader government cost-cutting measures. These cuts could have compromised the integrity of the CVE system, leaving the cybersecurity community in a precarious position.
A New Chapter for the CVE Program: The CVE Foundation
In response to the mounting uncertainty and the need for independence, a group of CVE Board members launched the CVE Foundation, a non-profit organization aimed at securing the CVE program’s future. The foundation was established to eliminate the single point of failure in the vulnerability management ecosystem and ensure that the CVE program remains a globally trusted, community-driven initiative.
The foundation’s goal is to safeguard the integrity and availability of the CVE system, reducing its reliance on any single government sponsor. This transition to an independent foundation was long in the works and reflects the growing recognition that the CVE program's sustainability and neutrality must be ensured, especially given its critical role in the global cybersecurity infrastructure.
“CVE is too important to be vulnerable itself,” said Kent Landfield, an officer of the newly formed foundation. “The cybersecurity community around the globe relies on CVE identifiers and data as part of their daily work.”
A Global Wake-Up Call: The EU’s Response
The uncertainty surrounding the CVE program has also sparked responses from international organizations. The European Union Agency for Cybersecurity (ENISA) launched a new European Vulnerability Database (EUVD), which adopts a multi-stakeholder approach to collecting publicly available vulnerability information from various sources. This initiative aims to provide a more diverse and resilient ecosystem for vulnerability management, reducing reliance on any single system.
Additionally, the Computer Incident Response Center of Luxembourg is developing the Global CVE (GCVE) allocation system, a decentralized system for identifying and numbering vulnerabilities. These efforts signal a growing recognition that the global cybersecurity community must ensure that no single point of failure can jeopardize the effective management of vulnerabilities.
What the Future Holds for the CVE Program
While the immediate crisis has been averted, the future of the CVE program remains uncertain. The extension of MITRE’s funding ensures that there will be no immediate disruption, but the potential for future challenges looms large. With the new CVE Foundation in place, the cybersecurity community is hopeful that the program’s long-term sustainability and neutrality can be secured.
For organizations that rely on the CVE program, it’s crucial to continue monitoring the situation and diversify their threat intelligence sources. While the CVE program is irreplaceable, alternative vulnerability flagging sources such as OSV or GitHub Advisories may become increasingly important as the landscape evolves.
In the meantime, the cybersecurity community must remain vigilant, ensuring that the CVE system continues to provide the clarity, accuracy, and consistency needed to mitigate vulnerabilities and protect critical infrastructure. With the backing of CISA, the CVE Foundation, and ongoing international efforts, the future of the CVE program remains a critical focus for ensuring global cybersecurity resilience.
As the world faces an increasingly complex and interconnected threat landscape, the importance of the CVE program and its ability to evolve and adapt to new challenges cannot be overstated. The CVE program’s survival is crucial for the defense of the digital world, and the cybersecurity community must continue to support it to safeguard global security.