A critical cybersecurity lifeline is at risk as MITRE’s CVE program faces an uncertain future without renewed government funding.
On April 16, a foundational piece of the world’s cybersecurity infrastructure may quietly grind to a halt.
MITRE’s stewardship of the Common Vulnerabilities and Exposures program—a backbone of coordinated vulnerability disclosure for more than two decades—is facing an uncertain future as its U.S. Department of Homeland Security contract expires. Without confirmed renewal or replacement, the industry risks entering a period of dangerous opacity in vulnerability tracking.
For the cybersecurity community, this isn’t a minor bureaucratic lapse. It’s a five-alarm fire.
What CVE and CWE Mean for Cybersecurity
For those outside the security trenches, it’s easy to overlook how essential the CVE and CWE – or Common Weakness Enumeration – programs have become. CVEs assign standardized identifiers to software vulnerabilities, making it easier for security researchers, vendors, and IT teams to communicate and prioritize fixes. The CWE program, a related effort, categorizes common coding errors that introduce those vulnerabilities in the first place.
Together, they form the connective tissue for a global ecosystem of security tooling and coordination. From vulnerability scanners to patch management systems and threat intel feeds, thousands of tools and workflows rely on up-to-date CVE data. Vendors use CVEs to issue advisories and coordinate disclosures. Security teams use them to track risks and drive remediation. Even government agencies like CISA and the DoD rely on CVEs as a core part of their threat modeling and defensive planning.
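To make the “connective tissue” point concrete, here is an added example (not code from the article or from MITRE) showing what a standardized identifier buys a defender: advisories from several feeds can be validated against the CVE-YYYY-NNNN format, normalized, and merged on the ID, while records that carry no usable identifier are flagged for manual reconciliation. The feed names, titles, and CVE numbers below are constructed placeholders, not real vulnerabilities.

```python
import re
from collections import defaultdict

# CVE identifier format: "CVE-" + four-digit year + "-" + four or more digits.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def normalize_cve_id(raw):
    """Return the canonical upper-case CVE ID, or None if the string is not one."""
    candidate = (raw or "").strip().upper()
    m = CVE_ID_RE.match(candidate)
    if not m:
        return None
    year, seq = m.groups()
    return f"CVE-{year}-{seq}"


# Constructed sample advisories from three hypothetical feeds (placeholder IDs).
SAMPLE_ADVISORIES = [
    {"source": "vendor-a", "title": "Heap overflow in libexample parser",
     "cve": "cve-2099-12345", "severity": "high"},
    {"source": "scanner-b", "title": "libexample parser memory corruption",
     "cve": "CVE-2099-12345", "severity": "critical"},
    {"source": "feed-c", "title": "Auth bypass in exampled",
     "cve": "CVE-2099-0042", "severity": "critical"},
    {"source": "feed-c", "title": "Unnamed TLS issue",
     "cve": "", "severity": "high"},            # no identifier at all
    {"source": "vendor-a", "title": "Bogus id",
     "cve": "CVE-99-1", "severity": "low"},     # malformed identifier
]


def correlate(advisories):
    """Group advisories by canonical CVE ID; return (grouped, unmatched)."""
    grouped = defaultdict(list)
    unmatched = []
    for adv in advisories:
        cve = normalize_cve_id(adv.get("cve"))
        if cve is None:
            unmatched.append(adv)
        else:
            grouped[cve].append(adv)
    return dict(grouped), unmatched


def summarize(grouped):
    """For each CVE, list the distinct reporting sources and the worst severity seen."""
    rank = {"low": 1, "medium": 2, "high": 3, "critical": 4}
    summary = {}
    for cve, items in sorted(grouped.items()):
        sources = sorted({i["source"] for i in items})
        worst = max(items, key=lambda i: rank.get(i["severity"], 0))["severity"]
        summary[cve] = {
            "sources": sources,
            "max_severity": worst,
            "titles": [i["title"] for i in items],
        }
    return summary


if __name__ == "__main__":
    grouped, unmatched = correlate(SAMPLE_ADVISORIES)
    for cve, info in summarize(grouped).items():
        print(cve, info["max_severity"], "reported by", ", ".join(info["sources"]))
    print(f"{len(unmatched)} advisories lack a usable CVE ID and need manual reconciliation")
```

The two differently worded reports of the same parser bug collapse into one record because both carry the same ID; the two records without a valid ID are exactly the piecemeal work that would fall on every security team if new identifiers stopped being assigned.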
Which is why the looming shutdown is so alarming.
MITRE’s Contract Expires—and There’s No Backup Plan
MITRE has confirmed that its DHS contract to manage the CVE and CWE programs is set to lapse on April 16, 2025, and as of now, no renewal has been finalized. This contract, renewed annually, has funded critical work to keep the CVE program running, including updates to the schema, assignment coordination, and vulnerability vetting.
“Failure to renew MITRE’s contract for the CVE program, seemingly set to expire on April 16, 2025, risks significant disruption,” said Jason Soroko, Senior Fellow at Sectigo. “A service break would likely degrade national vulnerability databases and advisories. This lapse could negatively affect tool vendors, incident response operations, and critical infrastructure broadly. MITRE emphasizes its continued commitment but warns of these potential impacts if the contracting pathway is not maintained.”
MITRE has indicated that historical CVE records will remain accessible via GitHub, but without continued funding, the operational side of the program—including assignment of new CVEs—will effectively go dark. That’s not a minor inconvenience. It could upend how the global cybersecurity community identifies, communicates, and responds to new threats.
A Single Point of Failure in a Global System
Greg Anderson, CEO and founder of DefectDojo, voiced what many in the community are feeling: “MITRE’s confirmation that it is losing DHS funding to maintain the Common Vulnerabilities and Exposures (CVE) program should concern every cybersecurity professional around the world, especially considering that the funding expires tomorrow—leaving no room for anything to be built in its place.”
Anderson added a sobering thought experiment: “If, as expected, the database goes offline tomorrow and only GitHub records remain, every security team has just lost an essential resource for early warnings and a cohesive framework for naming and addressing vulnerabilities.”
He explained the risks of a fragmented landscape: “To illustrate, say a new vulnerability in encryption used across the internet emerges. Without the CVE program, one non-governing body may name the issue ‘The worst encryption flaw ever,’ but another non-governing body names the issue ‘A terrible encryption flaw,’ both not using the CVE-20XX-XXXX identification protocol. Without CVEs, how do we even know we’re talking about the same issue?”
Anderson warned that “security professionals are going to have to gather and consolidate information in a piecemeal fashion without CVEs as a central repository, which costs valuable time that could be spent addressing the issues.” He also noted that security professionals have to deal with an overwhelming volume of threats – 40,000+ CVEs that were found last year, plus older vulnerabilities which are still being exploited today.
“Losing CVEs and their database could result in a total collapse of how known vulnerabilities are assessed, communicated, and remediated today,” he concluded.
Government Scramble and Industry Alarm
MITRE has said that discussions with the U.S. government are active and that it remains committed to the CVE mission. But with the expiration date looming, time is running short—and the consequences of even a temporary gap are severe.
“Hopefully this situation gets resolved quickly,” said Casey Ellis, founder at Bugcrowd. “CVE underpins a huge chunk of vulnerability management, incident response, and critical infrastructure protection efforts. A sudden interruption in services has the very real potential to bubble up into a national security problem in short order.”
Across the cybersecurity ecosystem—from vendors to government agencies—the call is the same: resolve this, and fast.
This Is a Wake-Up Call
Whether funding is restored in time or not, this moment should serve as a wake-up call for the industry and policymakers alike. A program as vital as CVE should not be hanging by a thread every April. It needs stable, long-term funding and a robust governance model that ensures continuity, even in the face of bureaucratic delays or shifting political winds.
Cyber threats are evolving faster than ever. Shutting down the CVE program – even briefly – would be like turning off air traffic control mid-flight.
This isn’t just about maintaining a database. It’s about maintaining trust in the systems that protect us all.