US Government Funding for the Centralized CVE Program Set to Expire, Raising Concerns

The future of the Common Vulnerabilities and Exposures (CVE) program, a pivotal resource for cybersecurity globally, came into question as its funding from the US government was set to lapse this past Wednesday. This program, which has been operational for over 25 years, is essential for managing vulnerabilities in various software products by assigning unique identifiers to specific security flaws. It's widely recognized for its role in standardizing the way vulnerabilities are named and tracked, allowing organizations and individuals alike to communicate effectively about security issues.
The CVE program is managed by MITRE, a not-for-profit organization that has been under contract with the US Department of Homeland Security (DHS). However, recent reports indicated that this contract would not be renewed, a decision that has raised alarms among cybersecurity experts and stakeholders. The expiration of funding from the Trump administration, which has been actively seeking budget cuts across federal agencies, poses a significant risk to the continuity of the CVE program and its functions.
Yosry Barsoum, MITRE's vice president and director at the Center for Securing the Homeland, confirmed the funding's expiration in a statement, adding, "On Wednesday, April 16, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures Program and related programs, such as the Common Weakness Enumeration Program, will expire." He emphasized that while efforts are ongoing to support MITRE's role, the program's future remains precarious without government backing.
As the news broke, concerns proliferated regarding the potential fallout from a disruption in CVE services. Barsoum highlighted in a leaked memo to CVE program board members that a break in service could lead to various negative consequences. This includes the deterioration of national vulnerability databases, which are vital for coordinating responses to security incidents, and could hinder incident response operations critical for maintaining national security.
Cybersecurity expert Katie Moussouris, founder and CEO of Luta Security, likened the sudden halt of the CVE program to depriving the cybersecurity community of essential resources. "CVE is a cornerstone of cybersecurity, and any gaps in CVE support will put our critical infrastructure and national security at unacceptable risk," Moussouris said. She further emphasized that an abrupt cessation of this program would create chaos within the cybersecurity industry, which relies heavily on the CVE framework to manage threats effectively.
The process for handling vulnerabilities through the CVE program is systematic. When a researcher or organization identifies a new flaw, they submit a report to one of several hundred CVE program partners spread across 40 countries. These partners assess the report and, if warranted, assign a unique CVE identifier to the vulnerability. This structured approach has fostered clarity and consistency in vulnerability management, a stark contrast to the pre-CVE era, when vendors used differing terminology for the same flaws, leaving customers unsure of their actual security posture.
To put the program's importance into perspective, over 40,000 new CVEs were cataloged last year alone, highlighting the growing need for consistent and reliable vulnerability management practices. Dustin Childs, the head of threat awareness at Trend Micro's Zero Day Initiative, reflected on the potential chaos: "If MITRE were to lose funding for the CVE, we can expect considerable confusion again until someone else picks up the flag." He noted that the absence of a concrete plan to sustain the program would further complicate compliance with security regulations.
Amid these uncertainties, VulnCheck, a private vulnerability intelligence company, announced that it had reserved 1,000 CVEs for 2025, hoping to maintain some level of functionality for the program in the interim. However, this short-term measure only buys a few months before a long-term solution becomes unavoidable. Patrick Garrity, a security researcher at VulnCheck, stated, "The CVE program is a critical resource globally used by nearly every organization in the world, so the implications of a pause will have downstream implications for security tooling, security teams, and every organization that cares about security."
As the deadline approached, the cybersecurity community anxiously awaited the outcome of discussions regarding the program's funding. Just when it seemed that the CVE program might face a funding shortfall, an important update emerged. In a last-minute decision, the US government agreed to continue funding the CVE program, alleviating immediate concerns and allowing the program to operate without disruption for the time being.