The CVE program (Common Vulnerabilities and Exposures) is a critical tool used worldwide to track and manage security issues. Started in 1999, it gives every known security flaw a unique ID, making it easier for experts to fix and talk about these flaws. For the past 25 years, MITRE, a non-profit research organization, has been running this program with support from the U.S. government.
Government Funding Expires on April 16
MITRE recently announced that the U.S. government’s financial support for the CVE program will officially end on April 16, 2025. Yosry Barsoum, MITRE’s Vice President and head of the Center for Securing the Homeland, confirmed the expiration also affects related projects like the Common Weakness Enumeration (CWE).
What Could Happen if Funding Ends?
Barsoum warned that stopping this funding could create serious problems. It may harm national vulnerability databases, slow down security alerts, and affect software tools used to respond to cyber threats. It could even disrupt critical infrastructure that depends on timely vulnerability data.
MITRE Still Committed Despite the Risk
Despite the funding loss, MITRE says it will stay committed to keeping the CVE program running as a global resource. Barsoum noted that the U.S. government is still trying to find ways to support the program and prevent any break in service.
Private Companies Step In to Help
Cybersecurity company VulnCheck, which helps manage CVE numbers, has taken early action. It has already reserved 1,000 CVE IDs for the year 2025 to help reduce the impact of any service break. This move shows how the private sector is stepping in to help keep things stable.
Experts Say the Risk is Serious
Jason Soroko from Sectigo and Tim Peck from Securonix both shared concerns about the possible effects. Soroko said a break in the CVE service could hurt software vendors, cybersecurity teams, and national infrastructure. Peck added that it could delay the disclosure of new threats and impact secure software development practices.
Why CVE and CWE Are More Than Just Lists
The CVE program isn’t just a list of issues. It helps coordinate global efforts to fix security problems quickly and effectively. CWE, another important project by MITRE, is used to classify and rank software weaknesses. Without funding, both projects could slow down, putting the whole cybersecurity world at risk.
What Happens Next?
As the funding deadline approaches, the cybersecurity community is watching closely. Will the government find a way to keep supporting MITRE? Will more private companies step in? One thing is clear: the CVE program plays a key role in keeping the digital world safe.