In an unprecedented development that could shake up one of the fundamental pillars of the global cybersecurity ecosystem, U.S. government funding for non-profit research giant MITRE to run and maintain its Common Vulnerabilities and Exposures (CVE) program will expire on Wednesday.
The 25-year-old CVE system provides a de facto standard for using CVE IDs to identify, define, and catalog publicly known security flaws.
Yosry Barsoum, MITRE’s vice president and director of the Center for Securing the Homeland (CSH), said its funding to “develop, operate, and modernize CVE and related programs, such as the Common Weakness Enumeration (CWE),” will expire.
In a letter sent to CVE Board Members, Barsoum wrote that “if a break in service were to happen, we anticipate many impacts to CVE, including the decay of national risk databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.”
Barsoum did point out that the government is still making “significant work” to support MITRE’s part in the system and that MITRE remains committed to CVE as a global resource.
The U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) both sponsor the CVE program, which was launched in September 1999.
Cybersecurity firm VulnCheck, a CVE Numbering Authority (CNA), has said that it will proactively reserve 1,000 CVEs for 2025 to fill the void created by the move.
A break in service “would possibly harm national risk data and advisories,” according to Jason Soroko, Senior Fellow at Sectigo, in a statement shared with The Hacker News.
Such a lapse could have a negative impact on software vendors, incident response operations, and critical infrastructure in general. MITRE emphasizes its ongoing commitment, but warns of the probable effects if the contracting pathway is not maintained.
A lapse, according to Tim Peck, Senior Threat Researcher at Securonix, could have significant effects on the cybersecurity ecosystem: CNAs and defenders might be unable to obtain or publish CVEs, leading to delays in vulnerability disclosures.
Additionally, Peck argued that the Common Weakness Enumeration (CWE) project is crucial for identifying and prioritizing software weaknesses, and that its discontinuation could affect secure coding practices and risk assessments. The CVE program serves as the foundation of the ecosystem. It is not just nice to have a “referenceable list,” but is also a major resource for vulnerability coordination, prioritization, and response efforts across the private sector, government, and open source.