By Ahmad Sadeddin

What's MITRE and What's Going On?

What happened? A guide for everyone.

MITRE
CVE
CWE
application-security

A cornerstone of global cybersecurity—the Common Vulnerabilities and Exposures (CVE) program—is facing an uncertain future as its federal funding is set to expire on April 16, 2025. Managed by the MITRE Corporation since its inception in 1999, the CVE program assigns unique identifiers to publicly disclosed cybersecurity vulnerabilities, enabling consistent tracking and management across the industry. The program's potential lapse has raised significant concerns among cybersecurity professionals and organizations worldwide.

What are CVEs?

The CVE program serves as a standardized system for identifying and cataloging cybersecurity vulnerabilities. Each vulnerability is assigned a unique CVE identifier, such as CVE-2024-12345: the prefix "CVE-", the four-digit year in which the identifier was reserved, and a sequence number of at least four digits (the sequence number has no fixed upper length, so identifiers with five or more digits are valid). The identifier lets organizations, vendors, and researchers reference and address a specific issue consistently, and it is integral to the coordination of vulnerability disclosures, patch management, and the development of security tools.

MITRE's role in the CVE program has been pivotal, overseeing the assignment of CVE identifiers and maintaining the central database that supports a vast ecosystem of cybersecurity stakeholders. The program's influence extends to various sectors, including government agencies, private enterprises, and critical infrastructure operators.

Tens of thousands of security flaws in software are found and reported every year, and those that are publicly disclosed are assigned their own unique CVE tracking number. For example, CVE-2024-23049 is the identifier for a Symphony vulnerability that was patched in 2024. This standardized approach allows security professionals to communicate clearly about a specific vulnerability rather than a vague description of it.

How Does the CVE System Work?

There are hundreds of organizations, known as CVE Numbering Authorities (CNAs), that are authorized by MITRE to assign CVE numbers to newly reported flaws. Many of these CNAs are country- or government-specific, while others are individual software vendors or vulnerability disclosure platforms such as bug bounty programs, each assigning identifiers for flaws within its own scope.

The CVE system functions as a critical pipeline of information that feeds into an array of cybersecurity tools and services. These tools help organizations identify and patch security holes before malicious actors can exploit them. As Matt Tait, chief operating officer of Corellium, explained, "What the CVE lists really provide is a standardized way to describe the severity of that defect, and a centralized repository listing which versions of which products are defective and need to be updated."

Former CISA Director Jen Easterly aptly compared the CVE program to the Dewey Decimal System, but for cybersecurity: "It's the global catalog that helps everyone—security teams, software vendors, researchers, governments—organize and talk about vulnerabilities using the same reference system. Without it, everyone is using a different catalog or no catalog at all, no one knows if they're talking about the same problem, defenders waste precious time figuring out what's wrong, and worst of all, threat actors take advantage of the confusion."

The Current Crisis

In a letter sent to the CVE board, MITRE Vice President Yosry Barsoum warned that on April 16, 2025, "the current contracting pathway for MITRE to develop, operate and modernize CVE and several other related programs will expire." The letter further cautioned that a break in service would likely cause "multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure."

MITRE has confirmed that while the CVE website listing vulnerabilities will remain accessible after the funding expires, new CVEs won't be added after April 16. This creates a significant gap in the ongoing identification and tracking of new security vulnerabilities.

Implications of the Funding Expiration

The expiration of MITRE's contract with the Department of Homeland Security (DHS) threatens to disrupt the continuity of the CVE program. Without renewed funding, MITRE will cease assigning new CVE identifiers, and the central repository may no longer be updated. While historical CVE records will remain accessible, the absence of new entries could lead to inconsistencies in vulnerability tracking and hinder coordinated responses to emerging threats.

Experts warn that this disruption could have far-reaching consequences. Lukasz Olejnik, a security and privacy researcher, emphasized that the lack of support for CVE could "cripple" cybersecurity systems globally, leading to a breakdown in coordination among vendors, analysts, and defense systems. Similarly, Casey Ellis, founder of cybersecurity firm Bugcrowd, noted that a sudden interruption in CVE services could escalate into a national security concern.

John Hammond, principal security researcher at the managed security firm Huntress, expressed his alarm at the news, stating that losing the CVE program would be like losing "the language and lingo we used to address problems in cybersecurity." His remark that "I really can't help but think this is just going to hurt" reflects the widespread concern in the cybersecurity community.

Broader Context and Future Outlook

The potential lapse in the CVE program occurs amid broader budgetary constraints affecting U.S. cybersecurity initiatives. The Cybersecurity and Infrastructure Security Agency (CISA), the primary sponsor of the CVE program, is reportedly working to mitigate the impact and maintain essential services. However, the lack of clarity regarding future funding and management raises questions about the program's sustainability, especially as CISA itself faces deep budget and staffing cuts.

Losing the CVE program would be like removing all street signs and house numbers from a city overnight—suddenly, emergency services wouldn't know where to go, mail carriers couldn't deliver packages, and visitors would get hopelessly lost. In the digital realm, this confusion could lead to unpatched vulnerabilities and increased security risks across the board.

Without the CVE program, risk managers inside companies would need to continuously monitor many other sources for information about new vulnerabilities that may jeopardize the security of their IT networks. As Matt Tait noted, "It may become more common that software updates get mis-prioritized, with companies having hackable software deployed for longer than they otherwise would... Hopefully they will resolve this, but otherwise the list will rapidly fall out of date and stop being useful."
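The identifier format described earlier, and the correlation problem described in this section, are easiest to see in code. The following is an added example and not code from the original article or from MITRE: it validates CVE identifiers against the program's syntax (four-digit year, sequence number of at least four digits, leading zeros preserved), normalizes the sloppy forms that appear in real feeds, and then groups advisory entries from several hypothetical sources by their canonical identifier, so that the same bug reported three ways collapses to one record while entries with no usable identifier are flagged as uncorrelatable. The feed entries are constructed for the example and do not describe real advisories.

```python
import re
from collections import defaultdict

# CVE identifier syntax (in force since the 2014 format change): "CVE-",
# a four-digit year, "-", then a sequence number of at least four digits
# with no upper bound on length. Leading zeros in the sequence number are
# significant (CVE-2024-0001 is not CVE-2024-1), so we match but never strip them.
CVE_ID_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")


def normalize_cve_id(text):
    """Return the canonical upper-case form of a CVE ID, or None if malformed.

    Accepts lower-case and surrounding whitespace as seen in sloppy feeds,
    but rejects anything that is not a syntactically valid identifier.
    """
    candidate = text.strip().upper()
    match = CVE_ID_RE.match(candidate)
    if match is None:
        return None
    # The program started in 1999; an earlier year cannot be a real record
    # and almost certainly indicates a typo in the feed.
    if int(match.group("year")) < 1999:
        return None
    return candidate


def group_advisories(advisories):
    """Group advisory entries from several sources by canonical CVE ID.

    advisories: iterable of dicts with keys "source", "id" and "title".
    Returns (grouped, orphans): grouped maps a canonical CVE ID to the list
    of entries that cite it; orphans lists entries without a usable
    identifier, which cannot be correlated with anything else.
    """
    grouped = defaultdict(list)
    orphans = []
    for entry in advisories:
        cve_id = normalize_cve_id(entry.get("id") or "")
        if cve_id is None:
            orphans.append(entry)
        else:
            grouped[cve_id].append(entry)
    return dict(grouped), orphans


# Constructed sample feed (hypothetical sources, not real advisories): the
# same bug reported by three sources, one of them sloppily formatted, plus
# two entries that carry no valid identifier at all.
SAMPLE_FEED = [
    {"source": "vendor-bulletin", "id": "CVE-2024-12345",
     "title": "Auth bypass in widget service"},
    {"source": "distro-tracker", "id": " cve-2024-12345 ",
     "title": "widget-service: auth bypass"},
    {"source": "scanner-plugin", "id": "CVE-2024-12345",
     "title": "Widget Service authentication bypass"},
    {"source": "vendor-bulletin", "id": "",
     "title": "Crash on malformed input (no CVE assigned)"},
    {"source": "mailing-list", "id": "CVE-24-1",
     "title": "Mistyped identifier"},
]


if __name__ == "__main__":
    grouped, orphans = group_advisories(SAMPLE_FEED)
    for cve_id, entries in sorted(grouped.items()):
        print(cve_id, "reported by:", ", ".join(e["source"] for e in entries))
    for entry in orphans:
        print("UNCORRELATED:", entry["source"], "-", entry["title"])
```

Run as a script, the three entries for CVE-2024-12345 collapse into one group and the two remaining entries are printed as uncorrelated. The orphan list is the practical cost the article is describing: without an assigned identifier, a risk manager has nothing but free-text titles to decide whether two sources are reporting the same flaw.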

Sources close to the matter have indicated that this is not the first time the CVE program's budget has been left in funding limbo until the last minute. Barsoum's letter did sound a hopeful note, saying the government is making "considerable efforts to continue MITRE's role in support of the program."

Conclusion

The CVE program's role in global cybersecurity cannot be overstated. Its standardized approach to vulnerability identification and tracking is essential for effective risk management and threat mitigation. As the program faces the prospect of a funding lapse, stakeholders across the cybersecurity landscape must consider the implications and explore strategies to preserve this critical infrastructure. The coming months will be crucial in determining whether this vital cybersecurity resource continues to serve its essential function in our increasingly interconnected digital world.