CVE Program Faces Shutdown as U.S. Government Funding Expires

The Common Vulnerabilities and Exposures (CVE) program is a cornerstone of global cybersecurity infrastructure. Now this program is on the brink of discontinuation due to the expiration of U.S. government funding. Since it began in 1999, the CVE program has been run by the nonprofit MITRE Corporation. It gives each known cybersecurity vulnerability a unique ID, helping the tech industry track and fix issues more easily.

This random document fell off the back of a bus. Weird.

This random document which randomly fell off the back of a bus (randomly) says MITRE is no longer supporting the CVE program as of April 16th, 2025. Which is crazy, because this random document is dated April 15th, 2025. pic.twitter.com/mpcw1sDEpv

— vx-underground (@vxunderground) April 15, 2025

 

The lapse in funding also threatens the Common Weakness Enumeration (CWE) program, which catalogs hardware and software weaknesses. MITRE's contract with the Department of Homeland Security (DHS) is set to expire on April 16, 2025, and no renewal has been confirmed as of yet. This development has raised alarms among cybersecurity professionals worldwide, who rely on the CVE system for standardized vulnerability identification and communication.

The potential discontinuation of the CVE program could have far-reaching consequences. Security expert Lukasz Olejnik warned that the absence of CVE could lead to "total chaos" in cybersecurity defenses, as coordination between vendors, analysts, and defense systems would be severely hindered.

By cutting what amounts to penny costs, the Trump administration will effectively (at least temporarily) cripple the global cybersecurity system — CVE. What is CVE? It is a global system for identifying and tracking vulnerabilities that has served as a common language for… pic.twitter.com/WBCdLz0DdT

— Lukasz Olejnik (@lukOlejnik) April 15, 2025

 

Sasha Romanosky, a senior policy researcher at the Rand Corporation, described the situation as "tragic," emphasizing that CVE naming and assignment are foundational to the software vulnerability ecosystem. Without it, tracking newly discovered vulnerabilities and making informed decisions regarding patching would be significantly deformed.

Organizations like VulnCheck have expressed intentions to support the CVE program through potential contract transitions in response to the impending shutdown. However, the specifics of these efforts remain unclear, and the immediate future of the CVE program is uncertain.

VulnCheck to Support the CVE Program Through Potential Contract Transition https://t.co/P9rvVwxqPs pic.twitter.com/wGEA5hqGfD

— Latest News from Business Wire (@NewsFromBW) April 15, 2025

 

The Cybersecurity and Infrastructure Security Agency (CISA), the primary sponsor for the CVE program, acknowledged the situation, stating that while the contract with MITRE will lapse after April 16, efforts are underway to mitigate the effect and maintain CVE services.