Non-profit organization MITRE has warned that federal government funding for the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) programs expires on Wednesday, potentially causing widespread disruption across the global cybersecurity industry. While the government is working to maintain MITRE’s role, a service interruption could significantly affect national vulnerability databases, security tools, incident response efforts, and critical infrastructure.

“On Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop, operate, and modernize CVE will expire,” Yosry Barsoum, vice president and director at MITRE’s Center for Securing the Homeland, wrote to CVE Board Members. “The government continues to make considerable efforts to continue MITRE’s role in support of the program.”

Barsoum noted that if a break in service were to occur, “we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.”

Since its inception, the CVE Program has operated as a U.S. government-funded initiative, with oversight and management provided under contract. While this structure has supported the program’s growth, it has also raised longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor.

The publication of Barsoum’s letter led to a string of reactions from several cybersecurity experts, including Jen Easterly, former director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA). 

“A potential shutdown or disruption of the CVE (Common Vulnerabilities and Exposures) database—maintained by MITRE (https://cve.mitre.org/)—is rightly raising alarms across the cybersecurity community,” Easterly wrote in a LinkedIn post. “While this may sound like a technical issue, it has SERIOUS implications for business risk, operational resilience, and national security.”

She added that the CVE system may not make headlines, but it is one of the most important pillars of modern cybersecurity. Losing it would be like tearing out the card catalog from every library at once, leaving defenders to sort through chaos while attackers take full advantage. For businesses, this could mean increased risk of breach or ransomware, higher costs for security and compliance, and lost trust from customers and regulators. 

Easterly added: “I understand folks are working to find a solution to this issue. Let’s hope they’re successful.”

Tenable said in a post that it “is closely monitoring the situation surrounding the possible expiration of the CVE program funding.”

“With the report that the funding for the CVE program is potentially set to expire on April 16, the biggest concern stems from the fact that CVE Numbering Authorities, or CNAs, will no longer be able to reserve and assign CVEs for newly discovered vulnerabilities,” the post added. “While CNAs typically try to reserve a block of CVEs, the lack of transparency surrounding the future of the CVE program creates uncertainty surrounding newly discovered vulnerabilities.” 

Tenable mentioned that the historical CVE database will remain intact on GitHub following the expiration of the CVE program. “However, MITRE’s CVE program also provides a centralized repository of CVEs from which many organizations fetch data, and this may disappear. The lack of this centralized repository will create difficulties going forward for tracking new and noteworthy vulnerabilities under a common identifier.”
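Tenable's point is that the records themselves survive on GitHub even if the central service does not; what disappears is the convenient fetch point. The following is an added example, not code from the article, Tenable or MITRE, showing how a team can read CVE records directly from a local clone of the cvelistV5 repository: mapping a CVE ID to its file path, checking that the file's declared ID matches its name, and pulling out the fields most teams track (state, affected version ranges, CVSS). It assumes the CVE Record Format 5.x JSON layout and the cvelistV5 directory convention `cves/<year>/<sequence with last three digits as xxx>/<CVE-ID>.json`. The sample record is constructed for illustration; CVE-2025-0000 is a placeholder, not an assigned identifier, and describes no real vulnerability.

```python
"""Read CVE records from a local clone of the cvelistV5 GitHub repository.

Added example (not MITRE or Tenable code). Assumes CVE Record Format 5.x
and the cvelistV5 layout: cves/<year>/<seq with last 3 digits as xxx>/<ID>.json
"""
import json
import re
from pathlib import PurePosixPath

CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def record_path(cve_id: str) -> PurePosixPath:
    """Map a CVE ID to its path inside the cvelistV5 repo.

    CVE-2025-1234 -> cves/2025/1xxx/CVE-2025-1234.json
    CVE-2025-12345 -> cves/2025/12xxx/CVE-2025-12345.json
    """
    m = CVE_ID_RE.match(cve_id)
    if not m:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    year, seq = m.group(1), m.group(2)
    bucket = seq[:-3] + "xxx"          # last three digits collapse to "xxx"
    return PurePosixPath("cves") / year / bucket / f"{cve_id}.json"


def affected_ranges(cna: dict) -> list:
    """Flatten the CNA 'affected' array into human-readable version ranges."""
    ranges = []
    for a in cna.get("affected", []):
        label = f"{a.get('vendor', '?')}/{a.get('product', '?')}"
        for v in a.get("versions", []):
            if v.get("status") != "affected":
                continue                # skip 'unaffected' / 'unknown' entries
            if "lessThan" in v:
                ranges.append(f"{label} >= {v['version']} < {v['lessThan']}")
            elif "lessThanOrEqual" in v:
                ranges.append(f"{label} >= {v['version']} <= {v['lessThanOrEqual']}")
            else:
                ranges.append(f"{label} == {v['version']}")
    return ranges


def best_cvss(cna: dict):
    """Return the first CVSS block found, preferring newer versions."""
    for metric in cna.get("metrics", []):
        for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
            if key in metric:
                c = metric[key]
                return {"version": c.get("version"), "score": c.get("baseScore"),
                        "severity": c.get("baseSeverity"), "vector": c.get("vectorString")}
    return None


def summarize(doc: dict) -> dict:
    """Extract the fields a vulnerability tracker usually keys on."""
    if doc.get("dataType") != "CVE_RECORD":
        raise ValueError("not a CVE_RECORD document")
    meta = doc["cveMetadata"]
    out = {"id": meta["cveId"], "state": meta["state"]}
    if meta["state"] != "PUBLISHED":
        return out                      # RESERVED / REJECTED records carry no CNA details
    cna = doc["containers"]["cna"]
    out["title"] = cna.get("title", "")
    out["description"] = next(
        (d["value"] for d in cna.get("descriptions", []) if d.get("lang", "").startswith("en")), "")
    out["affected"] = affected_ranges(cna)
    out["cvss"] = best_cvss(cna)
    out["references"] = [r["url"] for r in cna.get("references", []) if "url" in r]
    return out


def load_record(path: str, text: str) -> dict:
    """Parse one record file and refuse it if its declared ID does not match its filename."""
    doc = json.loads(text)
    declared = doc.get("cveMetadata", {}).get("cveId")
    expected = PurePosixPath(path).stem
    if declared != expected:
        raise ValueError(f"{path} declares cveId {declared!r}, expected {expected!r}")
    return summarize(doc)


# Constructed sample record: CVE-2025-0000 is a placeholder, not an assigned ID.
SAMPLE_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {"cveId": "CVE-2025-0000", "state": "PUBLISHED",
                    "assignerOrgId": "00000000-0000-0000-0000-000000000000",
                    "datePublished": "2025-04-15T00:00:00.000Z"},
    "containers": {"cna": {
        "title": "Constructed placeholder record",
        "descriptions": [{"lang": "en", "value": "Placeholder used to exercise the parser; no real vulnerability."}],
        "affected": [{"vendor": "ExampleVendor", "product": "ExampleDaemon",
                      "versions": [{"version": "0", "status": "affected",
                                    "lessThan": "2.4.1", "versionType": "semver"}]}],
        "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL",
                                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}],
        "references": [{"url": "https://example.com/advisory"}]}},
})

if __name__ == "__main__":
    path = str(record_path("CVE-2025-0000"))
    print(path)
    print(json.dumps(load_record(path, SAMPLE_RECORD), indent=2))
```

Against a real clone, replace `SAMPLE_RECORD` with the contents of the file at `record_path(cve_id)`; the filename check matters because a mirror or a malicious pull request could place a record under the wrong ID, and a tracker keyed on filenames alone would silently mislabel it.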

“If the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) ceases to sponsor the MITRE CVE Program or if there is any break in service, there will be more chaos around the latest vulnerabilities, slower defenses, and greater global cyber risk,” Shane Fry, CTO of RunSafe Security, wrote in an emailed statement. “Patching and mitigation response times will be significantly impacted, and it will be challenging to verify whether vendors have disclosed or patched vulnerabilities.” 

Fry added that, to move away from this patching challenge and the need for continuous monitoring, more companies will shift their focus to cybersecurity solutions that can offer protection against both known and unknown vulnerabilities.

“I will say that VulnCheck has been leading the charge in providing another dataset that includes CVEs but also hundreds of other vulnerability datasources, which could minimize some of the damage here,” according to Fry. “That diversity in data sources is why we’re using them as our data source for vulnerability data in the RunSafe Security Platform.”

Greg Anderson, CEO and founder of DefectDojo, wrote in an emailed statement that “MITRE’s confirmation that it is losing DHS funding to maintain the Common Vulnerabilities and Exposures (CVE) program should concern every cybersecurity professional around the world, especially considering that the funding expires tomorrow—leaving no room for anything to be built in its place. If, as expected, the database goes offline tomorrow and only GitHub records remain, every security team has just lost an essential resource for early warnings and a cohesive framework for naming and addressing vulnerabilities.” 

In the wake of the MITRE warning, VulnCheck pledged full support for MITRE and its long-standing contributions to cybersecurity through the CVE program, and is offering its reporting service and continuing to assign CVEs to help mitigate potential disruptions. Separately, the CVE Foundation has been formally established to ensure the long-term viability, stability, and independence of the CVE program, a critical pillar of the global cybersecurity infrastructure for 25 years.

To help MITRE and the CVE program bridge the gap in the event of any disruption, VulnCheck’s reporting service is available. VulnCheck will continue to perform CVE assignments for the community in the coming days and weeks. To do this quickly, VulnCheck has proactively pre-allocated one thousand 2025 CVEs and will work to allocate more.

“VulnCheck is actively monitoring the MITRE situation, and will ensure that our customers, partners, and the entire cybersecurity community will have continued access to timely, accurate vulnerability data,” said Anthony Bettini, founder and CEO at VulnCheck. “We recognize the critical role that the CVE program plays in the cybersecurity ecosystem, and we are actively preparing for any potential disruptions.”

Additionally, to ensure the cybersecurity community doesn’t experience any disruption to access, VulnCheck has added MITRE CVE List V5 to its Community tier of intelligence offerings, starting Tuesday. For the first time, this brings MITRE’s CVE database to thousands of community users.

The formation of the CVE Foundation marks a major step toward eliminating a single point of failure in the vulnerability management ecosystem and ensuring the CVE Program remains a globally trusted, community-driven initiative. For the international cybersecurity community, this move represents an opportunity to establish governance that reflects the global nature of today’s threat landscape.

“CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” said Kent Landfield, an officer of the Foundation. “Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work, from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats.”

Over the coming days, the Foundation will release more information about its structure, transition planning, and opportunities for involvement from the broader community.
