Cutting Cash For The CVE Program: What Does It Mean And What To Do Next?


Update Apr. 16 at 10:55am EDT: This article, originally published at 06:03am EDT has been updated to include news of the new CVE Foundation. It was previously updated to reflect CISA’s extension of the contract with MITRE.

The U.S. government has reinstated funding for the global database of security flaws, the CVE Program, after it expired on Apr. 16. It came after the not-for-profit organization that runs the database, MITRE, said its contract with the U.S. Department of Homeland Security to operate the CVE Program had not been renewed.

The potential end to the 25-year-old program — which is globally relied upon to identify and mitigate security flaws — was viewed by some experts as part of a cost-cutting drive by the Trump administration.

However, in an eleventh-hour turnaround, the U.S. Cybersecurity and Infrastructure Security Agency said it had extended the contract with MITRE. “The CVE Program is invaluable to the cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services,” a CISA spokesperson told me over email. “We appreciate our partners’ and stakeholders’ patience.”

It is thought CISA’s extension will last 11 months. It is not known what will happen after that.

The potential end to CVE program funding was certainly a concern — especially given how suddenly it seemed to have happened. Here is what happened, what it means for global security and what to do next.


What Happened And Why?

On Apr. 15, MITRE vice president Yosry Barsoum confirmed that U.S. government funding for the CVE database and the Common Weakness Enumeration program would expire, warning that it could be a disaster for security. The news came via a letter posted on the social network Bluesky.

“On Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire,” Barsoum wrote in the letter published on Bluesky.

“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.”

Initially, CISA said it was “urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely.”

CISA later confirmed an extension to the MITRE CVE Program contract.

Enter The New CVE Foundation

Experts say the CVE program disruption has highlighted the issues with relying on a single source. “In many ways, a single source of major funding is perhaps its biggest vulnerability in itself, and it is too important globally to be that reliant,” says Andy Swift, cybersecurity assurance technical director at Six Degrees.

It comes as a new body, made up of a subset of the CVE Board, was announced; it said in a press release on Apr. 16 that it will break off to maintain the CVE Program.

“The CVE Foundation has been formally established to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program, a critical pillar of the global cybersecurity infrastructure for 25 years,” the new body wrote in its press release.

Since its inception, the CVE Program has operated as a U.S. government-funded initiative, with oversight and management provided under contract. “While this structure has supported the program’s growth, it has also raised longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor,” the CVE Foundation said.

Referring to the letter from MITRE notifying the CVE Board that the U.S. government initially did not intend to renew its contract for managing the program, it added: “While we had hoped this day would not come, we have been preparing for this possibility.”

The coalition of longtime, active CVE Board members said it has spent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation. “The new CVE Foundation will focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide,” it said.

“CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” said Kent Landfield, an officer of the Foundation. “Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work—from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats.”

The formation of the CVE Foundation aims to eliminate “a single point of failure in the vulnerability management ecosystem and ensuring the CVE Program remains a globally trusted, community-driven initiative.”

Why Is An End To CVE Program Funding Bad?

Known by all in the security community inside the U.S. and out, the CVE system is a global reference method for publicly known security flaws.

Launched in 1999, the CVE system is maintained by the U.S. National Cybersecurity FFRDC, operated by The MITRE Corporation, with funding from the U.S. National Cyber Security Division of the U.S. Department of Homeland Security.

CVE IDs are listed on MITRE’s system as well as in the U.S. National Vulnerability Database.

The CVE database is “critical for anyone doing vulnerability management or security research,” and for “a whole lot of other uses,” security journalist Brian Krebs wrote. “There isn’t really anyone else left who does this, and it’s typically been work that is paid for and supported by the U.S. government, which is a major consumer of this information, btw.”

America’s “abrupt pullback” from leadership roles “in this case coordinating the near global issue of CVEs for vulnerabilities” will “place a heavy burden on global cyber defenses,” says Ian Thornton-Trump, CISO at Inversion6.

It will impact global response capabilities to CVE exploitation such as “Heartbleed” among vulnerability and attack surface management companies, says Thornton-Trump.

Thornton-Trump concedes the immediate impacts might be “minimal” but says the move would be “helpful to our adversaries.”

Cutting the CVE program funding would be “a huge blow to the cybersecurity community,” says William Wright, CEO of penetration testing firm Closed Door Security. “Many of today’s ransomware attacks and data breaches are executed by adversaries exploiting vulnerabilities. Without a common destination to log vulnerabilities, so organizations can take steps to patch them, they could be more vulnerable to attack.”

So what does this all mean for the future? “CVE is the language of vulnerabilities and exposures, so without it, we do not know what might take its place,” says Satnam Narang, senior staff research engineer at Tenable. “There may be several competing solutions, but unless one emerges as the frontrunner, we may end up with a situation like we have with the naming of threat actors where there is no uniformity in names,” he adds.

“Plus, the CVE Program provides a centralised space for tracking the assignment of CVEs, which many organisations have come to rely on,” Narang says.

The CVE Funding Cut’s Impact On Global Cybersecurity

While things have changed since the initial announcement, the news might not have been as bad as it seemed. It’s important to understand that MITRE does not operate the National Vulnerability Database; that is run by the U.S. National Institute of Standards and Technology, says Sean Wright, an independent security researcher. “This is an important distinction since most vulnerability scanners use the NVD as the source of vulnerabilities to do their scanning.”

While MITRE does assign CVE IDs, CVE Numbering Authorities (CNAs) can also do this, says Wright. “It is important to note that while MITRE is the source of CVE IDs, most security tooling leverages the National Vulnerability Database for their source of vulnerabilities. This is operated by NIST, and to the best of our knowledge at this time, the operation of this database will not be impacted.”

He says the recent news about MITRE’s contract would likely only have affected new vulnerabilities. “Historical vulnerabilities should not be affected. It’s important to call this distinction out, as there’s already been some confusion.”

CVE Funding Cut — What To Do Next

If MITRE CVE program funding were cut, another organization could step in, or countries might “band together to offer support,” says Closed Door Security’s Wright.

It is possible funding will move to one of the big players in global cybersecurity, or perhaps a consortium. “The health of the CVE MITRE database is undoubtedly of global benefit,” says Matt Saunders, DevOps lead at The Adaptavist Group. “There’s an opportunity here for the private sector, who will benefit the most from this, to step up and keep it going in the public interest — though there are also inevitable concerns around it falling into the hands of a single private entity.”

Businesses can prepare for an uncertain future by diversifying their threat intelligence sources and monitoring vendor-specific vulnerability feeds, says Jamie Akhtar, CEO and co-founder at cybersecurity outfit CyberSmart. “Organizations should lean more heavily on resources like CISA’s Known Exploited Vulnerabilities list, the NVD, and coordinate closely with software vendors. However, there is no true replacement for CVE.”

Businesses should “immediately diversify their threat intelligence sources and assess the resilience of their security tools,” says Shachar Menashe, VP of Security Research at JFrog.

He advises IT professionals to monitor “alternative vulnerability flagging sources,” such as OSV or GitHub Advisories, or vendor-specific vulnerability trackers. If the CVE program were cut, firms should also prepare for potential disruptions in security tools reliant on standardised CVE data, he warns.
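The advice above (diversify sources, and check how much of your tooling joins everything on a CVE ID) is easier to act on with a concrete cross-reference. The following is an added example, not code from the article or from any of the organisations quoted in it: it merges records from three feeds into one view keyed on the CVE ID where one exists, then reports which entries come from a single source and which have no CVE ID at all, i.e. the ones CVE-keyed tooling would miss if assignment stalled. The sample payloads are constructed to mimic the field layout of the NVD 2.0 API, OSV/GitHub Advisories and CISA KEV; the identifiers, package names and dates are placeholders, not real advisories.

```python
"""Cross-reference vulnerability records from several feeds (added example).

Constructed sample records mimic the field layout of three public sources:
  - NVD 2.0 API:            vulnerabilities[].cve.id
  - OSV / GitHub Advisories: id, aliases[], affected[].package
  - CISA KEV catalog:        vulnerabilities[].cveID
All identifiers below are placeholders, not real advisories.
"""
from collections import defaultdict

# --- constructed sample payloads (placeholder identifiers) -------------------
NVD_SAMPLE = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-00001"}},
        {"cve": {"id": "CVE-0000-00002"}},
    ]
}

OSV_SAMPLE = [
    {   # advisory that already carries a CVE alias
        "id": "GHSA-pppp-hold-0001",
        "aliases": ["CVE-0000-00001"],
        "affected": [{"package": {"ecosystem": "PyPI", "name": "examplepkg"}}],
    },
    {   # advisory with no CVE assigned: invisible to CVE-keyed tooling
        "id": "GHSA-pppp-hold-0003",
        "aliases": [],
        "affected": [{"package": {"ecosystem": "npm", "name": "example-lib"}}],
    },
]

KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleCo",
         "product": "Widget", "dateAdded": "2025-04-01"},
        # known-exploited entry that has not (yet) appeared in the NVD sample
        {"cveID": "CVE-0000-00004", "vendorProject": "ExampleCo",
         "product": "Gadget", "dateAdded": "2025-04-10"},
    ]
}


def canonical_id(record_id, aliases):
    """Prefer a CVE alias as the join key; fall back to the feed's own id."""
    for candidate in [record_id, *aliases]:
        if candidate.upper().startswith("CVE-"):
            return candidate.upper()
    return record_id


def merge_feeds(nvd, osv, kev):
    """Return {canonical_id: {sources, aliases, packages, known_exploited}}."""
    merged = defaultdict(lambda: {
        "sources": set(), "aliases": set(), "packages": set(),
        "known_exploited": False,
    })
    for item in nvd["vulnerabilities"]:
        merged[item["cve"]["id"].upper()]["sources"].add("nvd")
    for adv in osv:
        aliases = adv.get("aliases", [])
        cid = canonical_id(adv["id"], aliases)
        entry = merged[cid]
        entry["sources"].add("osv")
        entry["aliases"].update({adv["id"], *aliases} - {cid})
        for affected in adv.get("affected", []):
            pkg = affected.get("package")
            if pkg:
                entry["packages"].add(f'{pkg["ecosystem"]}:{pkg["name"]}')
    for item in kev["vulnerabilities"]:
        entry = merged[item["cveID"].upper()]
        entry["sources"].add("kev")
        entry["known_exploited"] = True
    return dict(merged)


def coverage_report(merged):
    """Flag the records that a single-source or CVE-only pipeline would lose."""
    return {
        # seen in exactly one feed: lost if that feed goes away
        "single_source": sorted(k for k, e in merged.items() if len(e["sources"]) == 1),
        # no CVE ID at all: CVE-keyed scanners cannot match these
        "no_cve_id": sorted(k for k in merged if not k.startswith("CVE-")),
        # exploited in the wild but absent from the NVD feed used by most scanners
        "exploited_not_in_nvd": sorted(
            k for k, e in merged.items()
            if e["known_exploited"] and "nvd" not in e["sources"]),
    }


if __name__ == "__main__":
    merged = merge_feeds(NVD_SAMPLE, OSV_SAMPLE, KEV_SAMPLE)
    for key, findings in coverage_report(merged).items():
        print(f"{key}: {findings}")
```

Pointed at real feeds, the same two functions give a quick measure of how exposed a vulnerability-management pipeline is to any one source: a large `no_cve_id` list means the tooling already depends on advisories that never reached CVE, and a non-empty `exploited_not_in_nvd` list shows why KEV belongs in the source set alongside the NVD.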

MITRE’s CVE program is safe for now, yet things could change in the future. Knowing this, the best thing to do is hold tight and use the resources available to you. The potential end to MITRE’s CVE program funding isn’t the end of the world, but it’s still a worrying move that potentially reduces security for everyone.
