The U.S. government funding for non-profit research giant MITRE to operate and maintain its Common Vulnerabilities and Exposures (CVE) program will expire Wednesday, an unprecedented development that could shake up one of the foundational pillars of the global cybersecurity ecosystem.
The 25-year-old CVE program is a valuable tool for vulnerability management, offering a de facto standard to identify, define, and catalog publicly disclosed security flaws using CVE IDs.
Yosry Barsoum, MITRE’s vice president and director of the Center for Securing the Homeland (CSH), said its funding to “develop, operate, and modernize CVE and related programs, such as the Common Weakness Enumeration (CWE), will expire.”
“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure,” Barsoum noted in a letter sent to CVE Board Members.
However, Barsoum pointed out that the government continues to “make considerable efforts” to support MITRE’s role in the program and that MITRE remains committed to CVE as a global resource.
The CVE program was launched in September 1999 and has been run by MITRE with sponsorship from the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA).
In response to the move, cybersecurity firm VulnCheck, which is a CVE Numbering Authority (CNA), has announced that it is proactively reserving 1,000 CVEs for 2025 to help fill the void.
“A service break would likely degrade national vulnerability databases and advisories,” Jason Soroko, Senior Fellow at Sectigo, said in a statement shared with The Hacker News.
“This lapse could negatively affect tool vendors, incident response operations, and critical infrastructure broadly. MITRE emphasizes its continued commitment but warns of these potential impacts if the contracting pathway is not maintained.”
Tim Peck, Senior Threat Researcher at Securonix, told The Hacker News that a lapse could have massive consequences for the cybersecurity ecosystem where CNAs and defenders may be unable to obtain or publish CVEs, causing delays in vulnerability disclosures.
“Additionally, the Common Weakness Enumeration (CWE) project is vital for software weakness classification and prioritization,” Peck said. “Its halt would affect secure coding practices and risk assessments. The CVE program is a foundational infrastructure. It’s not just a nice to have ‘referenceable list,’ it’s a primary resource for vulnerability coordination, prioritization and response efforts across the private sector, government and open source.”
