
On April 16, 2025, the global cybersecurity community held its collective breath as news broke that funding for the Common Vulnerabilities and Exposures (CVE) Program had lapsed. Operated by MITRE under contract with the U.S. Department of Homeland Security (DHS), the CVE Program has, for over 25 years, served as a foundational resource for identifying and cataloging security vulnerabilities across the world.

Following the expiration of the contract, MITRE confirmed it had not received renewal authorization from DHS, triggering concern and uncertainty across the global cybersecurity landscape. The sudden threat to the CVE system was widely seen as a symptom of broader budgetary constraints and policy shifts within the U.S. government.

However, in a crucial last-minute development, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced the extension of MITRE’s contract. “The CVE Program is invaluable to the cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services,” a CISA spokesperson confirmed via email.

This temporary extension, reportedly lasting 11 months, secures short-term continuity—but long-term sustainability remains in question.


The Formation of the CVE Foundation

The crisis has galvanized the cybersecurity community to reduce its dependence on a single funding source. In response, a coalition of seasoned CVE Board members formally established the CVE Foundation, a non-profit body designed to safeguard the future of the CVE Program.

According to its founding statement, the CVE Foundation aims to “ensure the long-term viability, stability, and independence” of this critical infrastructure. The move seeks to address longstanding concerns regarding the sustainability and neutrality of the CVE system under the sole stewardship of the U.S. government.

“CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” said Kent Landfield, an officer of the newly formed Foundation. “Cybersecurity professionals around the globe rely on CVE identifiers and data daily—from threat intelligence to incident response.”

The creation of the Foundation represents a pivotal moment. It seeks to eliminate a single point of failure in vulnerability coordination by fostering a community-led, globally inclusive governance structure.


Why the CVE Program Matters

Launched in 1999, the CVE system provides standardized identifiers (CVE IDs) for publicly known cybersecurity vulnerabilities. Managed by MITRE and supported through U.S. government funding, the system plays a vital role in vulnerability management, threat intelligence, and patch prioritization.

CVE identifiers are used by virtually every major security tool and vulnerability management system. They also underpin the U.S. National Vulnerability Database (NVD), maintained separately by the National Institute of Standards and Technology (NIST).

“The CVE database is critical for anyone doing vulnerability management or security research,” cybersecurity journalist Brian Krebs noted. “There isn’t really anyone else who does this—certainly not at the scale and with the rigor of CVE.”

An interruption in the CVE system would place a heavy burden on global cybersecurity operations, especially in rapid response to zero-day vulnerabilities such as Heartbleed or Log4Shell.


Industry Response and Recommendations

The uncertainty surrounding MITRE’s contract underscored the risks of overreliance on a single institutional source. It prompted calls for decentralization and greater community involvement.

“While the immediate impact may have been minimal, such a scenario would be advantageous to adversaries,” warned Ian Thornton-Trump, CISO of Inversion6. “Without a central mechanism to track vulnerabilities, the cybersecurity community could face serious gaps in its defensive posture.”

William Wright, CEO of Closed Door Security, echoed similar sentiments: “Cutting CVE program funding would be a huge blow. Many ransomware attacks and breaches begin with known but unpatched vulnerabilities. Without CVE, organizations lose a critical line of defense.”

Experts emphasize the need for resilience through diversification. Jamie Akhtar, CEO of CyberSmart, advises organizations to integrate additional sources of threat intelligence such as:

  • CISA’s Known Exploited Vulnerabilities (KEV) Catalog
  • NIST’s National Vulnerability Database
  • GitHub Security Advisories
  • Open Source Vulnerability (OSV) feeds
  • Vendor-specific vulnerability portals

In parallel, security teams should assess how heavily their tools and workflows depend on standardized CVE data and plan accordingly.
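One concrete way to act on that advice is to see what a merged view of several feeds looks like, and where it breaks down. The script below is an added example written for this page; it is not code from the article, from MITRE, CISA, NIST, GitHub or the OSV project. The record shapes loosely mimic the public KEV (a `vulnerabilities` array with `cveID`, `dueDate`, `knownRansomwareCampaignUse`) and OSV (`id`, `aliases`, `summary`) JSON formats as the editor recalls them and should be treated as assumptions to verify against the live schemas; every record is a constructed sample with fictitious identifiers. The point it makes is the one the article makes: the CVE ID is the join key across tools, and an advisory that carries no CVE alias cannot be correlated with the other sources.

```python
"""Merge vulnerability records from several feeds, keyed by CVE ID.

Added example, not from the article or any of the named projects.
Field names mimic the public KEV and OSV JSON formats as recalled by the
editor (assumption: verify against the live schemas). All records below
are constructed samples with fictitious identifiers.
"""
import re
from collections import defaultdict

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample in the shape of a CISA KEV catalog entry.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCo",
         "product": "Widget", "dateAdded": "2025-04-10",
         "dueDate": "2025-05-01", "knownRansomwareCampaignUse": "Known"},
    ]
}

# Constructed samples in the shape of OSV advisories. The second one
# carries no CVE alias, which is exactly the correlation gap the article
# warns about.
OSV_SAMPLE = [
    {"id": "GHSA-xxxx-yyyy-zzzz", "aliases": ["CVE-2099-0001"],
     "summary": "Widget path traversal"},
    {"id": "GHSA-aaaa-bbbb-cccc", "aliases": [],
     "summary": "Library flaw with no CVE assigned"},
]

# Constructed minimal NVD-style records (id plus a CVSS base score).
NVD_SAMPLE = [
    {"id": "CVE-2099-0001", "baseScore": 9.8},
    {"id": "CVE-2099-0002", "baseScore": 5.3},
]


def canonical_key(ids):
    """Return the first CVE-formatted identifier in ids, or None."""
    for i in ids:
        if CVE_RE.match(i):
            return i
    return None


def merge_feeds(kev, osv, nvd):
    """Join the three feeds on CVE ID.

    Returns (merged, orphans): merged maps CVE ID -> combined record;
    orphans lists advisory IDs that could not be joined because they
    carry no CVE alias.
    """
    merged = defaultdict(lambda: {"sources": set(), "aliases": set()})
    orphans = []

    for v in kev["vulnerabilities"]:
        rec = merged[v["cveID"]]
        rec["sources"].add("kev")
        rec["kev_due"] = v["dueDate"]
        rec["ransomware"] = v.get("knownRansomwareCampaignUse") == "Known"

    for v in osv:
        ids = [v["id"]] + v.get("aliases", [])
        key = canonical_key(ids)
        if key is None:           # no CVE to join on: record it, don't drop it silently
            orphans.append(v["id"])
            continue
        rec = merged[key]
        rec["sources"].add("osv")
        rec["aliases"].update(i for i in ids if i != key)
        rec["summary"] = v.get("summary")

    for v in nvd:
        rec = merged[v["id"]]
        rec["sources"].add("nvd")
        rec["cvss"] = v["baseScore"]

    return dict(merged), orphans


def prioritize(merged):
    """Order CVE IDs: KEV-listed (known exploited) first, then by CVSS descending."""
    return sorted(
        merged,
        key=lambda k: ("kev" not in merged[k]["sources"], -merged[k].get("cvss", 0.0)),
    )


if __name__ == "__main__":
    merged, orphans = merge_feeds(KEV_SAMPLE, OSV_SAMPLE, NVD_SAMPLE)
    for cve in prioritize(merged):
        print(cve, sorted(merged[cve]["sources"]), merged[cve].get("cvss"))
    print("unjoinable advisories:", orphans)
```

Running it lists `CVE-2099-0001` first (it is in all three feeds and on the KEV list), then `CVE-2099-0002`, and reports `GHSA-aaaa-bbbb-cccc` as unjoinable. The `orphans` list is the useful output for the assessment the article recommends: the count of advisories your tooling cannot correlate is a direct measure of how much of your workflow silently depends on a CVE ID existing.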

Looking Forward

For now, the CVE Program is safe. The funding extension ensures that vulnerability tracking continues without disruption. Yet the episode highlights a critical lesson: global cybersecurity infrastructure must be resilient, decentralized, and community-driven.

The CVE Foundation’s emergence is a promising development. By transitioning stewardship to an independent non-profit, it may ensure the CVE Program’s neutrality, transparency, and longevity—far beyond the shifting priorities of any single nation.

Organizations and cybersecurity leaders must remain vigilant. While this crisis has been averted, the future of vulnerability coordination depends on a shared commitment to open, reliable, and collaborative frameworks. As the cybersecurity threat landscape grows more complex, so too must our infrastructure evolve to meet it.