MITRE warns of ‘break in service’ due to possible funding issues

Uncertainty surrounds continued funding for MITRE’s soon-to-expire CVE contract, and its impact could disrupt vulnerability tracking and incident response.

The not-for-profit MITRE Corporation has sent a letter to its CVE board members warning that funding uncertainties may lead to serious disruptions in its CVE Program.

The letter – dated 15 April and from the vice president and director of the Centre for Securing the Homeland, Yosry Barsoum – was written to make members “aware of an important potential issue with MITRE’s enduring support to CVE.

“On Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop, operate, and modernise CVE and several other related programs, such as CWE, will expire,” Barsoum said.

“The government continues to make considerable efforts to continue MITRE’s role in support of the program.

“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, slowed vendor reaction, limited response operations, and all manner of critical infrastructure.”

There is currently no information on whether the required funding will be provided.

The CVE Program – CVE stands for common vulnerabilities and exposures – was established in 1999 and aims to “identify, define, and catalogue publicly disclosed cyber security vulnerabilities”, according to the CVE Program website.

As vulnerabilities are discovered and disclosed, they receive a CVE number – for instance, CVE-2025-1974, a vulnerability in Kubernetes Ingress-NGINX Controllers that the ACSC issued a critical alert regarding last month. This creates a standardised process for understanding and tracking the severity of any given vulnerability.

Not only is the CVE system itself vital to monitoring vulnerabilities, but it is also hardwired into many security information and event management, or SIEM, platforms, which are used to detect and analyse threats in most network environments.

While MITRE is warning its board members of possible national disruptions, the implications of disruption in maintaining the CVE database could have a global impact.

“CVE is the language of vulnerabilities and exposures, so without it, we do not know what might take its place. There may be several competing solutions, but unless one emerges as the frontrunner, we may end up with a situation like we have with the naming of threat actors where there is no uniformity in names,” Satnam Narang, sr. staff research engineer at Tenable, told Cyber Daily.

“Plus, the CVE Program provides a centralised space for tracking the assignment of CVEs, which many organisations have come to rely on. We’re continuing to monitor the developments around the planned expiration of funding.”

Contracts worth US$28 million have already been cancelled by the Trump administration as part of a federal efficiency drive, and MITRE has already laid off more than 400 employees this month.


UPDATED to add Tenable commentary.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
