16 April 2025

CISA Extends CVE Program Contract Amid Funding Crisis

The Cybersecurity and Infrastructure Security Agency ensures continuity for the critical CVE database following concerns over funding lapses.

The future of the Common Vulnerabilities and Exposures (CVE) program, a cornerstone of global cybersecurity, was thrown into uncertainty this week as the U.S. federal government faced a potential lapse in funding that could disrupt vital services. However, late on April 15, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) executed an option period on its contract with the MITRE Corporation, ensuring that critical CVE services would continue uninterrupted.

Originally established in 1999, the CVE program has served as the de facto global standard for identifying and cataloging cybersecurity vulnerabilities. Each vulnerability is assigned a unique identifier, which allows security researchers, vendors, and government officials to communicate effectively about specific issues. This system has been indispensable for private industries and national intelligence agencies alike, helping to safeguard critical infrastructure.

On April 15, MITRE announced that government funding needed to develop, operate, and maintain the CVE program was set to expire on April 16. Yosry Barsoum, MITRE’s vice president and director at the Center for Securing the Homeland, expressed concern over the potential impacts of a funding lapse. "If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure," he warned.

In a Wednesday morning statement, CISA reaffirmed the importance of the CVE program, describing it as "invaluable" to the cybersecurity community. The agency confirmed that the contract extension would last for 11 months, allowing MITRE to continue its stewardship of the CVE program. "We appreciate our partners’ and stakeholders’ patience," a CISA spokesperson stated.

The warning from MITRE had sparked alarm across the cybersecurity landscape. Jen Easterly, the former director of CISA, highlighted the serious implications of a potential shutdown of the CVE database. In a LinkedIn post, she remarked, "Losing it would be like tearing out the card catalog from every library at once, leaving defenders to sort through chaos while attackers take full advantage." She emphasized that the loss of the CVE system could lead to increased risks of breaches and ransomware attacks, higher compliance costs, and diminished trust from customers.

Following the initial announcement of the funding expiration, cybersecurity experts voiced their concerns. Greg Anderson, CEO of DefectDojo, stated that the loss of funding should worry every cybersecurity professional. He noted that if the CVE database were to go offline, it would significantly hinder security teams' ability to manage vulnerabilities effectively. "Every security team has just lost an essential resource for early warnings and a cohesive framework for naming and addressing vulnerabilities," he said.

As discussions around the future of the CVE program unfolded, a group of CVE Board members announced plans to establish a new body called the CVE Foundation. This initiative aims to ensure the long-term viability, stability, and independence of the CVE program. The foundation's formation is seen as a crucial step toward eliminating reliance on a single government sponsor and fostering a community-driven approach to vulnerability management.

In the wake of these developments, VulnCheck, a cybersecurity company, pledged its support for MITRE and the CVE program. The company announced it would continue assigning CVEs and providing reporting services to mitigate potential disruptions. Furthermore, VulnCheck has proactively allocated 1,000 CVE identifiers for 2025 and added the MITRE CVE List V5 to its Community tier of intelligence offerings, making the CVE database accessible to thousands of community users.

Despite the reprieve granted by CISA, the uncertainty surrounding the CVE program's funding remains a pressing concern. Experts warn that without a stable source of funding, the entire vulnerability coordination ecosystem could be disrupted, complicating efforts to prioritize and patch critical security issues. Michael Mumcuoglu, CEO of CardinalOps, stated, "Vendors and security teams might lose the ability to speak a common language about vulnerabilities, which could lead to delayed responses, duplicated efforts, or missed threats, weakening global cyber defense across both public and private sectors."

As the cybersecurity community braces for the future, it is clear that the CVE program remains a vital component of the global cybersecurity infrastructure. The establishment of the CVE Foundation and the ongoing support from organizations like VulnCheck signal a commitment to preserving the integrity and availability of CVE data for defenders worldwide. As Kent Landfield, an officer of the CVE Foundation, aptly put it, "CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself." The coming days will be crucial in determining the future of this essential program and the broader implications for cybersecurity on a global scale.