US abruptly turns off funding for CVE program

Original link: https://www.theregister.com/2025/04/16/homeland_security_funding_for_cve/

US government funding for the CVE program is about to expire, which could seriously weaken cybersecurity efforts worldwide. The CVE program is the global standard for identifying and tracking software vulnerabilities; it is run by MITRE under a contract with the Department of Homeland Security and has assigned unique identifiers to vulnerabilities for 25 years, ensuring that everyone works in step when addressing security flaws. With funding expiring, the program may struggle to keep running or shut down altogether, halting the publication of new CVEs and possibly taking its website offline. Without this standardized system, confusion would follow: organizations would find it hard to manage vulnerabilities, endangering compliance and putting critical infrastructure at risk. Experts warn this would cause serious disruption, like cutting off the cybersecurity industry's "oxygen". Although private companies such as VulnCheck are trying to fill the gap temporarily, a long-term solution, such as an industry consortium, is still needed to keep the CVE program running and avoid chaos in the cybersecurity field.

Hacker News is discussing the US government's abrupt halt of funding for the CVE program, as reported by theregister.com. The NVD (National Vulnerability Database), maintained by NIST, is a critical piece of cybersecurity infrastructure and faces a growing backlog owing to the rising number of software vulnerabilities and changes in inter-agency support. NIST is considering forming a consortium of industry, government and other stakeholders to improve the NVD. The Yocto Project has expressed concern about the impact on its vulnerability handling, noting that it relies on NVD data to address issues promptly. Commenters debated the rationale for the funding cut, with some suggesting privatization or volunteer involvement. One user argued that the CVE program (essentially a registry of integers) could be run by volunteers on GitHub. Others questioned the feasibility and governance of a volunteer-based solution, pointing out the current lack of volunteer participation and that CNAs (certified vulnerability analysis bodies) already shoulder much of the work. The article also provides a link to the related discussion on Hacker News.

Original article

US government funding for the world's CVE program – the centralized Common Vulnerabilities and Exposures database of product security flaws – ends Wednesday.

The 25-year-old CVE program plays a huge role in vulnerability management. It is responsible for overseeing the assignment and organization of unique CVE ID numbers, such as CVE-2014-0160 and CVE-2017-5754, for specific vulnerabilities, in this case OpenSSL's Heartbleed and Intel's Meltdown, so that when referring to particular flaws and patches, everyone is agreed on exactly what we're all talking about.

It is used by companies big and small, developers, researchers, the public sector, and more as the primary system for identifying and squashing bugs. When multiple people find the same hole, CVEs are useful for ensuring everyone is working toward that one specific issue.
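As an added illustration of why a shared identifier matters (example code written for this page, not from The Register article, MITRE or the CVE program), the script below pulls CVE IDs out of free-text vendor advisories and groups the advisories by ID, so that three vendors describing the same flaw in their own words end up attached to one record. It assumes the CVE ID syntax CVE-YYYY-NNNN with a four-digit year and a sequence number of at least four digits, and treats 1999 as the earliest plausible year; the advisory lines are constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample advisories (not from the article): three vendors describe
# the same OpenSSL flaw in their own words, one also covers Meltdown, and one
# contains look-alike labels that are not valid CVE IDs.
ADVISORIES = [
    ("Vendor A", "Our TLS appliance is affected by cve-2014-0160 (the 'Heartbleed' bug)."),
    ("Vendor B", "Memory disclosure in OpenSSL heartbeat extension, tracked as CVE-2014-0160."),
    ("Vendor C", "Update addresses CVE-2017-5754 (Meltdown) and CVE-2014-0160."),
    ("Vendor D", "Not a CVE: ticket CVE-14-160 and build CVE-2014-016 are internal labels."),
]

# CVE ID syntax assumed here: four-digit year, then four or more digits.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def extract_cve_ids(text, min_year=1999):
    """Return the set of syntactically valid CVE IDs in text, normalized to upper case.

    Matches are case-insensitive so 'cve-2014-0160' and 'CVE-2014-0160' collapse
    to one ID; years before min_year are dropped as implausible.
    """
    ids = set()
    for match in CVE_RE.finditer(text):
        year, seq = match.group(1), match.group(2)
        if int(year) < min_year:
            continue
        ids.add(f"CVE-{year}-{seq}")
    return ids


def group_by_cve(advisories):
    """Map each CVE ID to the list of vendors whose advisories mention it."""
    index = defaultdict(list)
    for vendor, text in advisories:
        for cve in sorted(extract_cve_ids(text)):
            index[cve].append(vendor)
    return dict(index)


if __name__ == "__main__":
    for cve, vendors in sorted(group_by_cve(ADVISORIES).items()):
        print(cve, "->", ", ".join(vendors))
```

Run as-is it prints two lines: CVE-2014-0160 attributed to Vendors A, B and C, and CVE-2017-5754 to Vendor C; Vendor D's look-alike labels are rejected because they do not fit the ID syntax. Without the identifier, correlating "the Heartbleed bug", "memory disclosure in the heartbeat extension" and a bare ID would require a human to read all three advisories.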


While the whole world's vulnerability management efforts aren't going to descend into chaos overnight, there is a concern that in a month or two they may. The lack of US government funding means that, unless someone else steps in to fill the gap, this standardized system for naming and tracking vulnerabilities may falter or shut down, new CVEs may no longer be published, and the program's website may go offline.

Not-for-profit outfit MITRE has a contract with the US Department of Homeland Security to operate the CVE program, and on Tuesday the group confirmed this arrangement has not been renewed. This comes as the Trump administration scours around the federal government for costs to trim.

"On Wednesday, April 16, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures Program and related programs, such as the Common Weakness Enumeration Program, will expire," Yosry Barsoum, MITRE's vice president and director at the Center for Securing the Homeland, told The Register.

"The government continues to make considerable efforts to support MITRE's role in the program and MITRE remains committed to CVE as a global resource," Barsoum added.

The Common Weakness Enumeration program is a centrally managed database of bug types.

The expiration came to light after a letter sent to CVE program board members was leaked on Bluesky. In that memo, Barsoum confided:

Historical CVE records will at least remain available at GitHub.

"CVE is a cornerstone of cybersecurity, and any gaps in CVE support will put our critical infrastructure and national security at unacceptable risk," Luta Security founder and CEO Katie Moussouris, who pioneered Microsoft's vulnerability disclosure program, told The Register.

"All industries worldwide depend on the CVE program to keep their heads above water when it comes to managing threats, so an abrupt halt like this would be like depriving the cybersecurity industry of oxygen and expecting it to spontaneously sprout gills," Moussouris said.

It basically works like this: When an individual researcher or an organization discovers a new bug in some product, a CVE program partner — there are currently a few hundred across 40 countries — is asked to assess the vulnerability report and assign a unique CVE identifier for the flaw if and as necessary.

The program is sponsored, and largely funded, by the Cybersecurity and Infrastructure Security Agency, aka CISA, under the umbrella of the US Department of Homeland Security.

"I can say that, having been in this industry for longer than CVEs themselves, it won't be good," Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, told The Register.


"Before CVEs, each company referred to vulnerabilities using their own vernacular," he added. "Customers were confused about whether they were protected or impacted from a particular bug. And that was a time when there were much fewer companies and infinitely fewer bugs."

To put this in perspective: More than 40,000 new CVEs were published last year.

"If MITRE were to lose funding for the CVE, we can expect considerable confusion again until someone else picks up the flag," Childs continued, noting that this would require some sort of industry consortium — but nothing along those lines currently exists.

"Vulnerability management will become a mess as enterprises struggle to confirm they are in compliance with regulations and directives," he said. "Let's hope this is resolved quickly."

VulnCheck, a private vulnerability intel company that is also a CVE Naming Authority, aka CNA, on Tuesday said it has proactively reserved 1,000 CVEs for 2025. 

Still, this only preserves the functionality of the program for a couple months at best. 


"MITRE, as a CNA, issues between 300-600 CVEs each month, so by reserving 1,000 hypothetically, we can assign a CVE to vulnerabilities for 1-2 months as long as the core service continues," Patrick Garrity, security researcher at VulnCheck, told The Register.  

"The CVE program is a critical resource globally used by nearly every organization in the world, so the implications of a pause will have downstream implications for security tooling, security teams, and every organization that cares about security," he added.

"It would be terrible to see government funding for the CVE program go away, but we also believe that this is a time when the security industry needs to step in to fill the void." ®
