
Funding Crisis Threatens CVE Program—New Foundation Steps In to Maintain Operations

The Common Vulnerabilities and Exposures (CVE) program—a cornerstone of global cybersecurity infrastructure—is facing major changes after its longtime operator, MITRE, announced that federal funding had lapsed as of April 16, 2025. The lapse prompted widespread concern from cybersecurity professionals, software vendors, and government officials who depend on CVE data to identify and manage software and hardware vulnerabilities.


What Is CVE and Why It Matters

The CVE program, developed and managed by MITRE under contract with the U.S. Department of Homeland Security (DHS) through its Cybersecurity and Infrastructure Security Agency (CISA), assigns unique identifiers to newly disclosed security flaws in software, firmware, and hardware. These identifiers—such as CVE-2024-43573—allow vendors, defenders, and researchers to speak a common language about vulnerabilities across platforms and tools.

The CVE database supports a broader ecosystem of cybersecurity capabilities, including patch management, security scanning, intrusion detection, and threat intelligence. As former CISA Director Jen Easterly once described it, CVE functions as “the Dewey Decimal System for cybersecurity,” providing consistency and clarity across the industry.


MITRE’s Contract Expiration and Warning Letter

On April 15, MITRE Vice President Yosry Barsoum sent a letter to the CVE Board warning that the organization’s contract to manage and modernize the CVE program would expire the following day. The letter cited potential disruptions to vulnerability coordination, threat advisories, automated patching tools, and incident response processes if the service were to be interrupted.

“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure,” the letter stated.

MITRE also clarified that while the CVE website would remain live, no new CVE identifiers would be issued until further funding or a structural alternative was in place.


Industry Reaction: Alarm and Urgency

The response from the cybersecurity community was swift and vocal. Security researchers expressed concern about the potential fragmentation of vulnerability tracking and the increased difficulty of coordinating patch cycles without a standardized system like CVE.

John Hammond, principal researcher at Huntress, said the potential shutdown felt like losing “the language and lingo we use to address problems in cybersecurity.” Others noted that the lapse could force organizations to rely on vendor-specific disclosures, increasing confusion and slowing down response times to emerging threats.

“This isn’t just an inconvenience,” said Matt Tait, COO at Corellium. “Without CVE, patch prioritization becomes more difficult, security tools lose consistency, and risk managers have to monitor multiple fragmented sources to track vulnerabilities.”


A Rapid Turnaround: The CVE Foundation Is Born

Just hours after the funding lapse, the CVE Board announced the formation of a new nonprofit, The CVE Foundation, to continue the program’s operations independently of the U.S. government. The foundation’s mission will be to maintain and evolve CVE as a global public good, free from reliance on a single federal sponsor.

“While the program has grown tremendously under U.S. government support, its dependence on a single funding stream has created long-standing concerns about sustainability and neutrality,” the board wrote in a press release. “The foundation model allows us to address those concerns directly.”

The foundation’s website, thecvefoundation.org, is now live, though at present it contains only the press announcement. More information on the foundation’s governance structure, membership, and transition plan is expected in the coming days.


Interim Support from MITRE

Later in the day on April 16, MITRE issued a separate statement confirming that it had secured “incremental funding” to keep the CVE and CWE (Common Weakness Enumeration) programs operational in the short term.

“We appreciate the overwhelming support expressed by the global cyber community, industry, and government,” the statement read. “MITRE remains committed to CVE and CWE as global resources, and we continue to work with the government and stakeholders to support a smooth transition.”


What’s Next?

The transition to a nonprofit foundation marks a significant shift in how one of the most relied-upon cybersecurity standards is managed. While the continuity of operations has been preserved for now, the episode has raised important questions about how critical cybersecurity infrastructure is funded and governed.

With the cybersecurity threat landscape continuing to evolve rapidly—and with CVEs playing a central role in everything from enterprise patch management to national critical infrastructure defense—how the foundation scales and sustains its operations will be closely watched.

The creation of the CVE Foundation may ultimately prove to be a necessary and overdue modernization of a program that has become too important to rely on year-to-year contract renewals. But for now, the cybersecurity community is breathing a cautious sigh of relief.


How Can Netizen Help?

Netizen ensures that security gets built in, not bolted on, by providing advanced solutions to protect critical IT infrastructure. One example is our “CISO-as-a-Service” offering, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.

Questions or concerns? Feel free to reach out to us any time –

https://www.netizen.net/contact


Copyright © Netizen Corporation. All Rights Reserved.