U.S. Government Funding For MITRE’s CVE Program Expires


The cybersecurity community is expressing serious concerns as U.S. government funding for MITRE’s Common Vulnerabilities and Exposures (CVE) program expired on Wednesday, April 16, 2025. This lapse in funding threatens the future of a critical resource used globally to identify, track, and mitigate software vulnerabilities.

Key Developments:

  • Funding Expiration: MITRE’s contract with the U.S. Department of Homeland Security (DHS) to operate the CVE program has not been renewed. This puts the future of the program, which has been running for 25 years, in jeopardy.
  • Potential Impacts: Experts warn that a disruption of the CVE program could have significant consequences, including:
    – Deterioration of national vulnerability databases and advisories.
    – Slowed vendor response to vulnerabilities.
    – Limited incident response capabilities.
    – Increased global cyber risk.
  • Community Reaction: The news has been met with alarm and dismay within the cybersecurity community. Former CISA director Jen Easterly described the CVE system as “one of the most important pillars” in cybersecurity. Many experts emphasize that the loss of the CVE program would create chaos and leave defenders struggling to coordinate their efforts.
  • MITRE’s Response: MITRE has stated that it remains committed to the CVE program and is working with the government to find a solution. However, the immediate future of the program remains uncertain.
  • Possible Solutions: While MITRE’s CVE records will be available on GitHub, the community is exploring alternative solutions to ensure the continued operation of this vital resource. VulnCheck, a CVE Numbering Authority (CNA), has proactively reserved 1,000 CVEs for 2025 to help fill the void.
Mitre Letter

Significant Impacts on the Cybersecurity Landscape:

The potential cessation of U.S. government funding for MITRE’s CVE program carries profound implications for global cybersecurity:

  • Fragmentation of Vulnerability Information: Without a central, well-funded authority like MITRE, the process of identifying and cataloging vulnerabilities could become fragmented and inconsistent. This would make it harder for organizations to gain a comprehensive understanding of their security risks.
  • Delayed Patching and Mitigation: The CVE program plays a crucial role in informing vendors and users about security flaws, enabling timely patching and mitigation efforts. A disruption could lead to delays in addressing critical vulnerabilities, leaving systems exposed for longer periods.
  • Increased Attack Surface: The lack of a standardized and actively maintained CVE database could make it easier for attackers to exploit known vulnerabilities before they are widely understood and addressed.
  • Erosion of Trust and Collaboration: The CVE program has fostered trust and collaboration within the cybersecurity community. A failure to secure its future could erode this trust and hinder information sharing.
  • Disproportionate Impact on Smaller Organizations: Organizations with fewer resources rely heavily on the publicly available CVE database to understand and manage their vulnerabilities. A weakened CVE program would disproportionately impact their security posture.
  • Economic Costs: The potential increase in successful cyberattacks due to unaddressed vulnerabilities could lead to significant economic losses for individuals, organizations, and governments worldwide.

The cybersecurity community is now watching closely to see how the U.S. government and MITRE will address this critical situation and ensure the continued operation of the vital CVE program.

[UPDATE] Unknown sources claim that CISA is extending its contract.
