CVE Program Faces Funding Crisis: Critical Cybersecurity Infrastructure at Risk

Update: April 17, 2025 — CISA Extends Emergency Funding, New CVE Foundation Announced: CISA has extended funding for the MITRE-managed CVE Program, averting an immediate lapse in service. Separately, members of the CVE Board have launched a new nonprofit, the CVE Foundation, intended to give the program long-term continuity and independence from a single government sponsor. Questions remain about future funding, but the immediate crisis has been averted. Source: Security Boulevard

The Common Vulnerabilities and Exposures (CVE) program, a cornerstone of global cybersecurity infrastructure, faces a potential funding crisis that could disrupt its operations. The program is operated by the MITRE Corporation under a contract sponsored by the U.S. Department of Homeland Security (DHS) through its Cybersecurity and Infrastructure Security Agency (CISA), and that contract is about to expire.

According to Yosry Barsoum, Vice President and Director of the Center for Securing the Homeland at MITRE: "On Wednesday, April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE) Program and related programs, such as the Common Weakness Enumeration (CWE) Program, will expire."

What is the CVE Program?

The CVE program is the resource cybersecurity professionals worldwide rely on to identify, track, and manage security vulnerabilities. It assigns each publicly disclosed vulnerability a unique identifier of the form CVE-YYYY-NNNN (the year the ID was reserved or the flaw was made public, followed by a sequence number of at least four digits), so that vendor advisories, scanners, patch notes, and incident reports can all refer to the same flaw by the same name. That shared naming is what lets organizations coordinate their security efforts across tools and teams.

The Funding Crisis

MITRE has warned of significant consequences if the funding isn't restored. In an official statement, Barsoum explained: "If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure."

This funding expiration could lead to:

  • Deterioration of the CVE database's maintenance and updates
  • Delays in vulnerability tracking and coordination
  • Reduced ability to support security researchers and organizations

To put this crisis in perspective, over 40,000 new CVEs were published in 2024 alone, highlighting the scale of the program and how much of global vulnerability management depends on it.

Implications for the Cybersecurity Community

The potential disruption of the CVE program could have far-reaching consequences for the cybersecurity community:

  1. Vulnerability Management: Organizations may struggle to maintain comprehensive vulnerability tracking without a standardized system.

  2. Research Coordination: Security researchers might face challenges in coordinating vulnerability disclosures and tracking their impact.

  3. Industry Standards: The CVE program serves as a de facto standard for vulnerability tracking, and its disruption could lead to fragmentation in the industry.

Some private companies are already taking steps to mitigate the impact. VulnCheck, a vulnerability intelligence company that is also a CVE Numbering Authority (CNA), has proactively reserved a block of 1,000 CVE IDs for 2025 so that it can keep assigning identifiers if the program stalls. This is a stopgap rather than a replacement: a reserved block only covers that one CNA's assignments, and measured against MITRE's own issuance rate of roughly 300-600 CVEs per month it would last only two to three months.

What Needs to Happen Next

The cybersecurity community is calling for immediate action to secure the CVE program's future:

  1. Government Action: The U.S. Congress needs to address the funding gap and ensure continued support for this critical infrastructure.

  2. Industry Support: Cybersecurity organizations and vendors should advocate for stable funding of the CVE program.

  3. Alternative Solutions: If immediate funding cannot be secured, alternative solutions for maintaining vulnerability tracking need to be explored.

The Cybersecurity and Infrastructure Security Agency (CISA), the DHS component that funds the contract, has confirmed that the contract is ending and stated it is "urgently working to mitigate impact and to maintain CVE services on which global cybersecurity depends."

How You Can Help

  1. Stay Informed: Follow updates from MITRE and DHS regarding the CVE program's status.

  2. Advocate: Contact your representatives to express the importance of maintaining this critical cybersecurity infrastructure.

  3. Prepare: Organizations should review their vulnerability management processes and consider contingency plans.
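
As an added example of the "Prepare" step (this is not code from the article, MITRE, or CISA), the block below shows a health check a team could run against its own mirror of the CVE list: it reports how long it has been since the newest published record, flags the feed as stale past a threshold, and catches malformed or duplicate identifiers, which matters if records start arriving from more than one source. It assumes records in the CVE Record Format 5.x shape (a top-level `cveMetadata` object carrying `cveId`, `state`, and `datePublished`); the records, IDs, and dates in the block are constructed for the example and are not real CVEs.

```python
"""Health checks for a locally mirrored CVE feed.

Added example, not code from the article, MITRE or CISA. It assumes records in
the CVE Record Format 5.x shape (top-level "cveMetadata" carrying "cveId",
"state" and "datePublished"); the records below are constructed for the
example and are not real CVEs.
"""
import re
from datetime import datetime, timedelta, timezone

# CVE ID syntax: CVE-<4-digit year>-<sequence number of at least 4 digits>.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve_id(cve_id):
    """Return (year, sequence) for a well-formed CVE ID, or None."""
    m = CVE_ID_RE.match(cve_id or "")
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def parse_timestamp(value):
    """Parse the ISO 8601 timestamps used in CVE records; a trailing 'Z' means UTC."""
    if value is None:
        return None
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:  # treat naive timestamps as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def check_feed(records, now, max_lag=timedelta(days=7)):
    """Summarise the health of a batch of CVE records.

    newest     - most recent datePublished among PUBLISHED records (or None)
    lag        - time since that date (or None when nothing is published)
    stale      - True when lag exceeds max_lag or nothing has been published
    malformed  - IDs that do not match the CVE ID syntax
    duplicates - IDs that appear more than once in the batch
    rejected   - number of records in state REJECTED
    """
    seen, malformed, duplicates = set(), [], []
    newest, rejected = None, 0
    for rec in records:
        meta = rec.get("cveMetadata", {})
        cve_id = meta.get("cveId")
        if parse_cve_id(cve_id) is None:
            malformed.append(cve_id)
            continue
        if cve_id in seen:
            duplicates.append(cve_id)
        seen.add(cve_id)
        state = meta.get("state")
        if state == "REJECTED":
            rejected += 1
            continue
        if state != "PUBLISHED":
            continue
        published = parse_timestamp(meta.get("datePublished"))
        if published is not None and (newest is None or published > newest):
            newest = published
    lag = None if newest is None else now - newest
    return {
        "newest": newest,
        "lag": lag,
        "stale": lag is None or lag > max_lag,
        "malformed": malformed,
        "duplicates": duplicates,
        "rejected": rejected,
    }


# Constructed sample batch (not real CVE records): one published record, one
# rejected record, one malformed ID and one duplicate of the published record.
SAMPLE_RECORDS = [
    {"cveMetadata": {"cveId": "CVE-2025-10001", "state": "PUBLISHED",
                     "datePublished": "2025-04-10T14:32:00.000Z"}},
    {"cveMetadata": {"cveId": "CVE-2025-10002", "state": "REJECTED",
                     "datePublished": "2025-04-09T09:00:00.000Z"}},
    {"cveMetadata": {"cveId": "CVE-2025-123", "state": "PUBLISHED",
                     "datePublished": "2025-04-11T00:00:00.000Z"}},
    {"cveMetadata": {"cveId": "CVE-2025-10001", "state": "PUBLISHED",
                     "datePublished": "2025-04-10T14:32:00.000Z"}},
]

# Fixed "current time" for the sample, so the report is reproducible.
SAMPLE_NOW = datetime(2025, 4, 20, tzinfo=timezone.utc)


def sample_report():
    """Run the check over the constructed batch with the fixed clock."""
    return check_feed(SAMPLE_RECORDS, now=SAMPLE_NOW)


if __name__ == "__main__":
    report = sample_report()
    print(f"newest publish date: {report['newest']}")
    print(f"lag: {report['lag']}  stale: {report['stale']}")
    print(f"malformed IDs: {report['malformed']}  duplicates: {report['duplicates']}")
    print(f"rejected records: {report['rejected']}")
```

In practice the batch would come from the mirrored `cvelistV5` JSON files or a CNA's own export, and `now` would be the wall clock; the staleness threshold should be tuned to how often the mirror normally updates, since a feed that is quiet for a week during a funding lapse looks the same to downstream scanners as one that has simply fallen behind.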

Conclusion

The CVE program funding crisis is not just a bureaucratic issue—it's a threat to global cybersecurity infrastructure. As the cybersecurity community awaits resolution, it's crucial for all stakeholders to understand the implications and take appropriate action to protect this vital resource.

Sources

  1. MITRE warns that funding for critical CVE program expires today
  2. U.S. Govt. Funding for MITRE's CVE Ends April 16, Cybersecurity Community on Alert