MITRE's CVE Database

The U.S. government funding for non-profit research giant MITRE to operate and maintain its Common Vulnerabilities and Exposures (CVE) program will expire Wednesday, an unprecedented development that could shake up one of the foundational pillars of the global cybersecurity ecosystem.

The 25-year-old CVE program is a valuable tool for vulnerability management, offering a de facto standard to identify, define, and catalog publicly disclosed security flaws using CVE IDs. The program has listed over 274,000 CVE records to date.

Yosry Barsoum, MITRE's vice president and director of the Center for Securing the Homeland (CSH), said its funding to "develop, operate, and modernize CVE and related programs, such as the Common Weakness Enumeration (CWE), will expire."

"If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure," Barsoum noted in a letter sent to CVE Board Members.

However, Barsoum pointed out that the government continues to "make considerable efforts" to support MITRE's role in the program and that MITRE remains committed to CVE as a global resource.

The CVE program was launched in September 1999 and has been run by MITRE with sponsorship from the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA).

In response to the move, cybersecurity firm VulnCheck, which is a CVE Numbering Authority (CNA), has announced that it is proactively reserving 1,000 CVEs for 2025 to help fill the void.

"A service break would likely degrade national vulnerability databases and advisories," Jason Soroko, Senior Fellow at Sectigo, said in a statement shared with The Hacker News.

"This lapse could negatively affect tool vendors, incident response operations, and critical infrastructure broadly. MITRE emphasizes its continued commitment but warns of these potential impacts if the contracting pathway is not maintained."

Tim Peck, Senior Threat Researcher at Securonix, told The Hacker News that a lapse could have massive consequences for the cybersecurity ecosystem where CNAs and defenders may be unable to obtain or publish CVEs, causing delays in vulnerability disclosures.

"Additionally, the Common Weakness Enumeration (CWE) project is vital for software weakness classification and prioritization," Peck said. "Its halt would affect secure coding practices and risk assessments. The CVE program is a foundational infrastructure. It's not just a nice-to-have 'referenceable list'; it's a primary resource for vulnerability coordination, prioritization and response efforts across the private sector, government and open source."

UPDATE — CISA Extends CVE Program Contract Amid Funding Crisis

CISA has stepped in to extend funding to ensure the continuity of the CVE program, the agency said.

"The CVE Program is invaluable to the cyber community and a priority of CISA," it said in a statement. "Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience."

The development comes as a group of CVE Board members announced the launch of the CVE Foundation, a non-profit organization set up to secure the CVE program's independence.

"The formation of the CVE Foundation marks a major step toward eliminating a single point of failure in the vulnerability management ecosystem and ensuring the CVE Program remains a globally trusted, community-driven initiative," the CVE Foundation said.

"For the international cybersecurity community, this move represents an opportunity to establish governance that reflects the global nature of today's threat landscape."

Coinciding with the news of the potential CVE shutdown, the European Union Agency for Cybersecurity (ENISA) has also launched a European vulnerability database (EUVD), which "embraces a multi-stakeholder approach by collecting publicly available vulnerability information from multiple sources."

The Computer Incident Response Center of Luxembourg is also developing a "decentralized" system for identifying and numbering vulnerabilities called the Global CVE (GCVE) allocation system.