
CISA Extends Funding for MITRE CVE Program Just as It was to Expire

A speaker presents at the MITRE Corporation in Bedford, Mass. (Air Force)

The country's top cybersecurity agency has, at the last minute, continued funding for MITRE Corp.'s program for managing the security vulnerability database that cybersecurity researchers around the globe rely on.

A letter circulated on social media Tuesday afternoon said the contract with the Department of Homeland Security (DHS) – via CISA – would run out on Wednesday, April 16, 2025, and MITRE executives confirmed the situation in statements to the media.

News of the development rippled through a cybersecurity industry worried that the loss of MITRE’s Common Vulnerabilities and Exposures (CVEs) would further hamper the work of security vendors, analysts, and MSSPs already dealing with the fallout of other moves by the Trump administration that have weakened the nation’s defenses.

However, a CISA spokesperson in a statement this morning told media outlets that it had "executed the option period on the contract to ensure there will be no lapse in critical CVE services," adding that "the CVE Program is invaluable to cyber community and a priority of CISA."

The announcement could ease at least some of the concerns in the cybersecurity community. Federal agencies, businesses, and critical infrastructure organizations rely on the CVE database to identify vulnerabilities and defend against attacks that exploit them; without it, many worried, those organizations would be even more exposed to the ever-growing number of threats posed by nation-states like China and Russia and by financially motivated threat groups.

It also came hours after members of the CVE Board that is part of MITRE's CVE operation announced the creation of a new, non-profit organization that would continue the work of keeping the CVE database up-to-date and relevant.

Wide-Reaching Impacts

In the letter on social media, Yosry Barsoum, vice president of MITRE and director of the Center for Securing the Homeland, laid out the situation for members of the CVE Board, telling them that “if a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all matter of critical infrastructure.”

The letter set off an outcry from security professionals.

“MITRE CVE, [MITRE] CWE [Common Weakness Enumeration], the [NIST] NVD [National Vulnerability Database], and the alerts and notifications that flow from them are not just tools, they are part of the critical infrastructure that underpins our nation’s cybersecurity,” Fred Wilmot, co-founder and CEO of adversary exposure validation company Detecteam, wrote on LinkedIn. “The fact that we’re even debating continued funding for this work – without a resilience or continuity plan – is deeply concerning.”

Wilmot described the various programs as the “ecosystem that connects vulnerability management, threat modeling, incident response, and readiness across public and private sectors. It’s the connective tissue between products, security programs, and our shared understanding of risk. Public companies can and should carry some of the weight. But this is a national defense issue.”

'It's an Amputation'

Gunnar Porada, CEO of Swiss cybersecurity company InnoSec GmbH, wrote on the social media site that while no security analyst should rely solely on CVE for their work – they need broader context, deeper data, and real-time threat intelligence – CVE has been the “backbone for tooling, coordination, and structured response across the industry.”

“Cutting it like this isn’t evolution. It’s amputation,” Porada wrote. “And we all know what happens when you sever critical nerves in the middle of an incident.”

“Think of the CVE system like the Dewey Decimal System for cybersecurity,” former CISA director Jen Easterly wrote. “It’s the global catalog that helps everyone – security teams, software vendors, researchers, governments – organize and talk about vulnerabilities using the same reference system.”

Without it, there’s chaos, with security researchers working off different information and wasting time figuring out what’s wrong, and that’s an environment that bad actors thrive in, Easterly wrote.

Historical CVE Data Goes to GitHub

Before CISA's announcement, a MITRE spokesperson had told news outlets that once the contract ended, MITRE would no longer be able to add new CVEs to the database and the program’s website eventually would disappear. Historical CVE records would be housed on GitHub, the spokesperson said.

“If, as expected, the database goes offline tomorrow and only GitHub records remain, every security team has just lost an essential resource for early warnings and a cohesive framework for naming and addressing vulnerabilities,” said Greg Anderson, founder and CEO of DefectDojo, a unified vulnerability management company and DevSecOps platform provider. “The security community relies on standardizations to be able to quickly communicate about emerging threats and new vulnerabilities. Security professionals are going to have to gather and consolidate information in a piecemeal fashion without CVEs as a central repository, which costs valuable time that could be spent addressing the issues.”

Detecteam’s Wilmot called for leadership to address the situation, adding that “policymakers and stakeholders must fully understand the risk of tearing at this fabric. Because while we pause to debate, adversaries do not.”

Executives for VulnCheck, an exploit intelligence company, said in a statement that they are monitoring the MITRE situation and are “committed to supporting the CVE program and to maintaining MITRE’s adherence to a well-run program” that benefits the wider cybersecurity ecosystem. The company, whose products include exploit, vulnerability, initial access, and IP intelligence, also said it is making its CVE reporting service available to bridge any disruption to MITRE’s CVE program.

“We recognize the critical role that the CVE program plays in the cybersecurity ecosystem, and we are actively preparing for any potential disruptions,” Anthony Bettini, founder and CEO of VulnCheck, said in a statement.

Foundation Aims to Stem the Bleeding

This morning, a new foundation launched in response to MITRE's news. The CVE Foundation has been formally established to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program, according to a statement from the Bremerton, Washington-based organization.

A coalition of longtime, active CVE Board members has spent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation, the foundation explained. The new CVE Foundation will focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide.

“CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” said Kent Landfield, an officer of the Foundation, in a statement. “Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work—from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats.”

The formation of the CVE Foundation aims to eliminate a single point of failure in the vulnerability management ecosystem and ensure the CVE Program remains a globally trusted, community-driven initiative. For the international cybersecurity community, this move represents an opportunity to establish governance that reflects the global nature of today’s threat landscape.

Over the coming days, according to the statement, the Foundation will release more information about its structure, transition planning, and opportunities for involvement from the broader community.

Cybersecurity Industry Under Siege

This is the latest blow to a cybersecurity industry that feels the full force of the Trump administration’s push to slash government funding. CISA has already gone through one round of layoffs and reportedly could see another 1,300 jobs cut in the coming days. The president also recently fired the head of the National Security Agency and ordered an investigation into former CISA director Chris Krebs for disputing Trump’s claim that the 2020 election, which he lost to Joe Biden, was rigged.

“The cyber industry as a whole is in trouble,” cybersecurity expert Kevin Beaumont, director of emerging threats at The Arcadia Group, wrote on LinkedIn. “It’s the elephant in the room – the collapse of the White House’s support for cybersecurity is obvious and pronounced due to widespread cutbacks.”
