MITRE, a key player in cybersecurity awareness, has issued a warning about the funding for the Common Vulnerabilities and Exposures (CVE) program, which is set to expire today, on April 16, 2025. This program is vital for cataloging cybersecurity vulnerabilities, and its potential disruption could have significant consequences for national security and industry operations.
MITRE’s Warning on CVE Program Funding Expiry
MITRE, through a letter from Vice President and Director Yosry Barsoum at the Center for Securing the Homeland, warned that the current contracting pathway for developing, operating, and modernizing the CVE program, along with related programs like the Common Weakness Enumeration (CWE), will expire today, April 16, 2025. This warning was shared on several platforms. In a post on X/Twitter, which was linked in the letter, Barsoum said that a break in service could have several consequences.
These include a decline in national vulnerability databases and advisories, slower responses from vendors to new vulnerabilities, limited capabilities for incident response, and a broader impact on various types of critical infrastructure. The uncertainty about funding comes from the fact that the US government hasn’t confirmed whether the contract will be renewed. Reports suggest that the Trump administration is cutting federal spending, which could affect contracts like this one.
MITRE Corporation, a not-for-profit organization operating federal research and development centers, has raised significant concerns about the funding status of the Common Vulnerabilities and Exposures (CVE) program, which is set to expire on April 16, 2025. The CVE program, launched in 1999, is foundational for cataloging publicly disclosed cybersecurity vulnerabilities.
It is maintained by MITRE with funding primarily from the National Cyber Security Division of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. It serves as a vital resource for hackers, vendors, and organizations, enabling the sharing of accurate and consistent information about cybersecurity risks. The program has cataloged nearly 275,000 records and stores historical data on GitHub.
Why is MITRE Critical?
The potential impacts are hard to underestimate. The CVE program is described as the de-facto global standard for vulnerability identification and management, relied upon by organizations across industry, government, national security, and critical infrastructure.
Without funding, no new CVEs will be added after today, and the program website will eventually cease, though historical records will remain accessible on GitHub. Experts have noted that losing CVE could lead to mis-prioritized software updates and increased security risks due to the lack of a centralized, standardized severity description. Jen Easterly, former CISA Director, compared CVE to the Dewey Decimal System for cybersecurity.
Casey Ellis, founder of Bugcrowd, highlights that a sudden interruption could become a national security problem, as CVE underpins vulnerability management, incident response, and critical infrastructure protection efforts. Another policy researcher branded the potential end as “tragic,” a sentiment echoed by many in the cybersecurity community. In the end, transparent vulnerability disclosure helps developers to acknowledge bad coding practices and understand how things should not be done.
Some may argue that vulnerability disclosure may be a bad thing, as this allows threat actors to target the new flaw before the fixes are available. Thing is – hackers can find the flaw before security researchers or the developers do, develop the exploit, and use it as hard as they can. And without a proper publication of the issue, companies will remain clueless about a potential hazard.
Can MITRE Come Back?
Despite the expiry, the government is making “considerable efforts” to continue MITRE’s role. CISA has stated they are “urgently working to mitigate impact and maintain CVE services on which global stakeholders rely,” though they declined to answer questions about why the contract wasn’t renewed or future plans. This uncertainty is compounded by reports of CISA facing significant budget and staffing cuts, potentially linked to broader Trump administration policies.
MITRE remains committed to the CVE as a global resource, but without confirmed funding, the program’s future is at risk. The layoffs of over 400 employees in MITRE’s Virginia office, due to canceled contracts worth more than $28 million, indicate the financial pressures already at play. Additionally, CISA’s decision to end funding for other programs like MS-ISAC and Election ISAC, announced last month, suggests a broader trend of funding cuts affecting cybersecurity initiatives.
