
News Analysis
Apr 16, 2025 | 7 mins
Government | Threat and Vulnerability Management

After DHS did not renew its funding contract for reasons unspecified, MITRE’s 25-year-old Common Vulnerabilities and Exposures (CVE) program was slated for an abrupt shutdown on April 16, which would have left security flaw tracking in limbo. CISA stepped in to provide a bridge.


Homeland Security sign in Washington, D.C.
Credit: Jerome460 / Shutterstock

Important update April 16, 2025: Since this story was first published, CISA signed a contract extension that averts a shutdown of the MITRE CVE program.

A CISA spokesperson sent CSO a statement saying, “The CVE Program is invaluable to cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.” Sources say the contract extension will last 11 months.

Yosry Barsoum, vice president and director of the Center for Securing the Homeland at MITRE, commented: “Thanks to actions taken by the government, a break in service for the Common Vulnerabilities and Exposures (CVE®) Program and the Common Weakness Enumeration (CWE™) Program has been avoided. As of Wednesday morning, April 16, 2025, CISA identified incremental funding to keep the Programs operational. We appreciate the overwhelming support for these programs that have been expressed by the global cyber community, industry, and government over the last 24 hours. The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE and CWE as global resources.”

April 15, 2025: In a stunning development that demolishes a cornerstone of cybersecurity defense, nonprofit R&D organization MITRE said that its contract with the Department of Homeland Security (DHS) to maintain the Common Vulnerabilities and Exposures (CVE) database, which organizes computer vulnerabilities, will expire at midnight on April 16.

Yosry Barsoum, vice president and director of the Center for Securing the Homeland at MITRE, wrote in a missive to the CVE board, “On Wednesday, April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE®) Program and related programs, such as the Common Weakness Enumeration (CWE™) Program, will expire. The government continues to make considerable efforts to support MITRE’s role in the program, and MITRE remains committed to CVE as a global resource.”

End of CVE program seen as ‘tragic’

Sasha Romanosky, senior policy researcher at the Rand Corporation, branded the end to the CVE program as “tragic,” a sentiment echoed by many cybersecurity and CVE experts reached for comment.

“CVE naming and assignment to software packages and versions are the foundation upon which the software vulnerability ecosystem is based,” Romanosky said. “Without it, we can’t track newly discovered vulnerabilities. We can’t score their severity or predict their exploitation. And we certainly wouldn’t be able to make the best decisions regarding patching them.”

Ben Edwards, principal research scientist at Bitsight, told CSO, “My reaction is sadness and disappointment. This is a valuable resource that should absolutely be funded, and not renewing the contract is a mistake.”

He added, “I am hopeful any interruption is brief and that if the contract fails to be renewed, other stakeholders within the ecosystem can pick up where MITRE left off. The federated framework and openness of the system make this possible, but it’ll be a rocky road if operations do need to shift to another entity.”

MITRE’s CVE program foundational to cybersecurity

MITRE’s CVE program is a foundational pillar of the global cybersecurity ecosystem and is the de facto standard for identifying vulnerabilities and guiding defenders’ vulnerability management programs. It provides foundational data to vendor products across vulnerability management, cyber threat intelligence, security information and event management, and endpoint detection and response.

Although the National Institute of Standards and Technology (NIST) enriches the MITRE CVE records with additional information through its National Vulnerability Database (NVD), and CISA has helped enrich MITRE’s CVE records with its “vulnrichment” program due to funding shortfalls in the NVD program, MITRE is the originator of the CVE records and serves as the primary source for identifying security flaws.

“If MITRE’s funding goes away, it causes an immediate cascading effect that will impact vulnerability management on a global scale,” Brian Martin, vulnerability historian, CSO of the Security Errata project, and former CVE board member, wrote on LinkedIn.

“First, the federated model and CVE Numbering Authorities (CNA) can no longer assign IDs and send info to MITRE for quick publication. Second, all of that is the foundation for the National Vulnerability Database (NVD), which is already beyond struggling, with a backlog of over 30,000 vulnerabilities and the recent announcement of over 80,000 ‘deferred’ (meaning will not be fully analyzed by their current standards).”

Martin added, “Third, every company that maintains ‘their own vulnerability database’ that is essentially lipstick on the CVE pig will have to find alternate sources of intelligence. Fourth, national vulnerability databases like China’s and Russia’s, among others, will largely dry up (Russia more than China). Fourth [sic], hundreds, if not thousands, of National / Regional CERTs around the world, no longer have that source of free vulnerability intelligence. Fifth [sic], every company in the world that relied on CVE/NVD for vulnerability intelligence is going to experience swift and sharp pains to their vulnerability management program.”

Why is the contract ending?

It’s unclear what led to DHS’s decision to end the contract after 25 years of funding the highly regarded program. The Trump administration, primarily through Elon Musk’s Department of Government Efficiency initiative, has been slashing government spending across the board, particularly at the Cybersecurity and Infrastructure Security Agency (CISA), through which DHS funds the MITRE CVE program.

Although CISA has already been through two funding cuts, press reports suggest that nearly 40% of the agency’s staff, or around 1,300 employees, are still slated for termination. However, sources say that compared to the budget cuts made elsewhere in the federal government, the expenses of running the CVE program are minor and “won’t break the bank.”

What happens next?

Sources close to the CVE program say that starting at midnight on April 16, MITRE will no longer add records to its CVE database. However, historical CVE records will be available on GitHub.

The real question is whether a private sector alternative to MITRE’s program emerges.

“It’s difficult to speculate on what services could be impacted reading the note from MITRE,” Patrick Garrity, a security researcher at threat intelligence firm VulnCheck, told CSO. “The current vulnerability ecosystem is fragile after seeing NIST NVD’s failure last year, and any impacts to the CVE Program could have detrimental impacts on defenders and the security community. VulnCheck remains committed to helping fill any gaps that might arise.”

Garrity posted on LinkedIn, “Given the current uncertainty surrounding which services at MITRE or within the CVE Program may be affected, VulnCheck has proactively reserved 1,000 CVEs for 2025,” adding that VulnCheck “will continue to provide CVE assignments to the community in the days and weeks ahead.”

A CISA spokesperson told CSO, “CISA is the primary sponsor for the Common Vulnerabilities and Exposure (CVE) program, which is used by government and industry alike to disclose, catalog, and share information on technology vulnerabilities that can put the nation’s critical infrastructure at risk. Although CISA’s contract with the MITRE Corporation will lapse after April 16, we are urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely.”

This article was originally published April 15, titled “CVE program faces swift end after DHS fails to renew contract, leaving security flaw tracking in limbo.” It has been updated to reflect the latest announcements about CVE.
