CVE database funding extended through 2026 – was the panic all for nothing?


Critical funding for the Common Vulnerabilities and Exposures database, set to expire on Wednesday, has been renewed in full, the US Cybersecurity and Infrastructure Security Agency (CISA) has announced. So, was there a real threat to the MITRE-led program ending, or just government business as usual?

"The CVE Program is invaluable to the cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience," a spokesperson for the agency said.

Directly funded by the US Department of Homeland Security, the CVE program contract will run for the next 11 months, CISA said.


According to its website, the non-profit CVE Program's mission is to “identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.” Currently, over 298,000 vulnerabilities are in the database, with one CVE Record for each vulnerability in the catalog.

“This isn’t just about MITRE or funding, it’s about weakening a system that protects everyone. The CVE program isn’t just a database. It’s the backbone of how the cybersecurity world communicates about vulnerabilities,” said Dr. Ferhat Dikbiyik, Chief Research & Intelligence Officer at Black Kite.

Dikbiyik said the CVE program, built and maintained over decades by researchers, CNAs (CVE Numbering Authorities), vendors, MITRE, NIST, and defenders, is a shared responsibility that brings “clarity, consistency, and coordination to a chaotic space.”

Dikbiyik acknowledged that the contract extension was good news. “As of this morning, MITRE’s CVE program is still functioning. Politics move fast. And sometimes, it feels like chess moves on a checkerboard, while someone rolls dice,” he said.

Still, the chief researcher noted that “There’s no overnight collapse – yet. We need to raise our voices now, before we lose something foundational.”

MITRE leaks letter to CVE Board


On Tuesday, a “leaked” letter addressed to a CVE Board member, written by the MITRE Corporation – the cybersecurity firm that has been managing the database since its inception in 1999 – warned of the potential lapse in funding.

The CVE Board is said to include members from cybersecurity heavyweights such as Microsoft, Intel, CrowdStrike, Palo Alto Networks, Red Hat, and more.

“On Wednesday, April 16th, 2025, the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire,” it said.

“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure,” the letter continued, signed by Yosry Barsoum, VP and Director of MITRE’s Center for Securing the Homeland (CSH).

Panic ensues in the security world

The publicly disclosed cybersecurity vulnerabilities, aka CVE records, are shared universally throughout the security community to help fix bugs and prevent hacks and attacks.

The threat of the database going dark had security insiders in a panic on Tuesday.

"MITRE’s program is currently the most widely used CVE database, making it difficult for organizations to find a suitable alternative. Vendor-specific vulnerability databases or the National Vulnerability Database are reasonable alternatives, but neither is as comprehensive or streamlined as MITRE’s program," said Kevin Robertson, CTO of Acumen Cyber.


The CTO said shutting down the CVE program would have been a “tragic blow to the cybersecurity community” and had a “serious impact on vulnerability management across the entire globe.”


“Security researchers are rushing to archive CVEs before the plug gets pulled,” said one healthcare tech professional, joining dozens on X expressing their concern about the imminent shutdown. “Major red flag for cybersecurity. The fallout could be huge and messy,” another open-source engineer and X user commented.

However, Robertson also said he expected a vendor would have come forward to save the day. “MITRE’s CVE program provides too much value to our community for it to be lost entirely,” he said, adding that it would have been more of a “‘see you soon’ rather than a permanent goodbye.”

vx-Underground, a malware repository, actually did download a backup of the entire CVE catalog, posting it on GitHub as a precautionary measure.

"We've archived the MITRE CVE database. The CVE DB is free and open source on GitHub. However, we're providing a backup location for the data. We doubt it'll magically disintegrate in ash, but if it does we have a copy," vx-Underground said.

Still, it appears that some cyber professionals took the letter with a grain of salt, noting that the DHS contract was typically renewed annually around April 16th or 17th. “There's a lot going on in both CVE and the community, so I wouldn't bank on the sky falling,” an X user posted.
