MITRE's CVE Program Faces Funding Crisis

A leaked letter from MITRE to the CVE Board revealed that the Common Vulnerabilities and Exposures program is facing a funding crisis that could lead to service disruptions. The letter detailed the risk of global impacts on vulnerability management if federal funding is not renewed. The situation has spurred calls for a funding extension, but the outcome remains uncertain.

- The CVE program has been operational for over two decades, established in 1999 to create a standardized method for identifying and cataloging cybersecurity vulnerabilities. It is managed by the MITRE Corporation and has been historically funded by the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA).
- At the last minute, CISA executed an 11-month contract extension in April 2025 to prevent a lapse in services, ensuring the program's continuity until at least March 2026. This was a temporary solution to what was described as a potential "disaster for security."
- The potential disruption of the CVE program raised significant concerns about the erosion of trust in vulnerability management processes and the potential for fragmented or inconsistent reporting without a centralized system. Former CISA Director Jen Easterly compared losing the CVE system to "tearing out the card catalog from every library at once."
- In response to the funding instability, a non-profit organization called the CVE Foundation was established by CVE board members to ensure the program's long-term viability and independence from a single government sponsor.
- The number of published CVEs has seen a significant increase, rising nearly 40% from 28,818 in 2023 to 40,009 in 2024, highlighting the growing demand for the program's services.
- CISA has released a strategic roadmap indicating plans for the program's future beyond the 2026 deadline, which includes exploring alternative funding sources and expanding participation from international partners, researchers, and the open-source community. However, the roadmap also states that privatization of the program is "not the answer."
- The funding uncertainty is situated within a broader context of potential budget and staffing cuts at CISA under the current administration. The contract that was temporarily extended was valued at approximately $29-40 million.
- A lapse in service would have led to multiple impacts, including the deterioration of national vulnerability databases, a halt in the assignment of new CVE identifiers, and significant challenges for security tool vendors and incident response operations.

Shared from Scout - Be the smartest in the room.