The widely-used Common Vulnerabilities and Exposures (CVE) program was facing a standstill due to a lack of funding for The MITRE Corporation (MITRE), the non-profit that manages it. However, a last-minute contract extension seems to have spared it for about another year.
MITRE, which has its headquarters in the US, has relied on federal funding for decades. Its contract for the development of the CVE program ended on April 16. The contract extension, put in place just before the deadline, grants it at least 11 more months of life. That extension relied on CISA unilaterally exercising an option available to it, however, and the program’s future remains in doubt beyond March 2026.
CVE program remains active until March, may need alternative sources of funding beyond that
The CVE program has been in operation since 1999 and serves as a valuable reference for disclosed vulnerabilities. Its termination could cause serious repercussions across the cybersecurity landscape, potentially throwing into chaos the systems that defense teams, vendors and affected parties use to communicate about developing threats. It could also put an end to the Common Weakness Enumeration program, used to document hardware and software weaknesses that have not been classified as vulnerabilities.
A letter from MITRE VP and Director Yosry Barsoum to the organization’s board that was leaked on April 15 indicates that there is currently no word on future government funding of the CVE program. The US government (specifically the Department of Homeland Security) is not its only source of funding, but that funding is substantial enough that its loss would grind the program to a halt for at least some period of time. MITRE has already laid off 440 employees this year, in part due to the slashing of federal budgets under the Trump administration and the loss of a total of $28 million in contracts thus far.
With the extension in place, it does not appear that there will be an interruption to the CVE program, but the extension also appears to be a one-time emergency option for CISA. The existing CVE catalog remains available on GitHub regardless, but future documentation could require the program to look to either private funding or backing from a government in Europe or elsewhere.
CVE program caught in crossfire of Trump assault on CISA and related agencies
The current cost for the CVE program is $57.8 million according to the public contract details. The organization’s board has apparently had concerns about government funding that date back to well before the election of Trump, however. A recent letter issued by its board members indicates that they have been working for a year now to transition the CVE program to a funding model not reliant on the support of one state sponsor. The general plan seems to be to found a new non-profit called the CVE Foundation that will take over development and management of the program, which can be funded by yet-to-be-determined sources. The board says that more detail about the new foundation’s structure will be released soon.
This change may have been spurred by Trump’s longtime targeting of former CISA head Chris Krebs. Trump believes that Krebs used his position in a politically partisan manner by labeling speech about the 2020 election results and the Covid-19 pandemic as “disinformation” and working in cooperation with social media platforms to suppress it. Trump has since stripped Krebs of his security clearance, and is rumored to be targeting cuts of 1,300 employees at CISA as well as 40% of its body of contractors.
The timing of the CVE program funding struggles is particularly inopportune, as the National Institute of Standards and Technology (NIST) has announced that it is having serious problems clearing the mounting backlog of CVEs in the National Vulnerability Database (NVD). The NVD is able to move at the same cataloging pace as it did a year ago, but the number of reports has jumped by 32% and it has not been able to make up the funding and staffing shortfall. NIST also projects that this workload will only increase further throughout 2025, but it has said that it is working on implementing AI applications to assist with processing.
Casey Ellis, Founder at Bugcrowd, notes that continued US funding past early 2026 is not entirely out of the question as disruption of the CVE program represents a real national security threat given how federal agencies and critical infrastructure organizations rely on it: “Hopefully this situation gets resolved quickly. CVE underpins a huge chunk of vulnerability management, incident response, and critical infrastructure protection efforts. A sudden interruption in services has the very real potential to bubble up into a national security problem in short order.”
Jason Soroko, Senior Fellow at Sectigo, adds: “A service break would likely degrade national vulnerability databases and advisories. This lapse could negatively affect tool vendors, incident response operations, and critical infrastructure broadly. MITRE emphasizes its continued commitment but warns of these potential impacts if the contracting pathway is not maintained.”
Darren Guccione, CEO and Co-Founder at Keeper Security, expands on the likely impact to national security should the CVE program suddenly lose its funding: “Focus on critical cybersecurity programs should be prioritized now, more than ever, in the face of growing threats from malicious nation-states and cybercriminals. The CVE funding scare comes at a time when cyber threats are growing in both volume and sophistication. Nation-state actors – particularly from China, Russia, Iran and North Korea – continue to engage in persistent cyberespionage and disruption campaigns against U.S. interests. Ransomware gangs and cybercriminal syndicates exploit known vulnerabilities to steal, extort, and disrupt organizations. Now is the time for our government to invest in cybersecurity programs and solutions that increase our nation’s readiness and resilience. Along with vulnerability identification and disclosure, modern frontline tools such as cloud-based password and privileged access management should be funded and implemented, as the bedrock of protection for US businesses, government and critical infrastructure alike.”