The CVE system provides unique identifiers (CVE IDs) for publicly disclosed vulnerabilities, ensuring a common language for reporting and addressing security flaws. This standardization underpins countless cybersecurity tools, national vulnerability databases, and critical infrastructure protections, including those relied upon by Microsoft and other major technology vendors.
Looming Shutdown: Funding Crisis Hits CVE

On April 16, 2025, MITRE announced that its contract with the US Department of Homeland Security (DHS) to operate and modernize the CVE program was set to expire, with no immediate renewal in sight. An internal memo from MITRE’s Vice President Yosry Barsoum warned that a break in service would have severe consequences:
“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.”
The news sent shockwaves through the cybersecurity community. Experts highlighted that a lapse in CVE services would disrupt vulnerability tracking, slow down security advisories, and jeopardize incident response efforts across the globe. The potential shutdown risked fragmenting the vulnerability ecosystem, undermining trust, and leaving organizations exposed to emerging threats.
Community and Industry Response
The abrupt funding crisis prompted urgent calls for action from lawmakers, cybersecurity leaders, and industry groups. House Science Committee Ranking Member Zoe Lofgren and Homeland Security Ranking Member Bennie Thompson labeled the funding lapse “reckless and ignorant,” warning that it would undermine global cybersecurity.
Meanwhile, the CVE Board announced the formation of the CVE Foundation, a new nonprofit organization designed to ensure the program’s independence and sustainability. The foundation aims to eliminate the risk of a single point of failure and maintain the CVE program as a globally trusted, community-driven initiative.
Last-Minute Reprieve: CISA Steps In

In response to mounting concerns, the US Cybersecurity and Infrastructure Security Agency (CISA) executed an emergency extension of MITRE’s contract just hours before the funding was set to lapse. CISA emphasized the program’s critical importance (via Forbes):
“The CVE Program is invaluable to the cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services.”
This extension, however, is temporary—lasting just 11 months—leaving the long-term future of the CVE program uncertain. The situation has underscored the need for a more sustainable, multi-stakeholder approach to funding and governance.
What’s Next for MITRE’s CVE Program?
While the immediate crisis has been averted, questions remain about the program’s long-term stability. The creation of the CVE Foundation signals a shift toward greater independence and global collaboration, but the transition will require careful planning and industry support.
For now, MITRE continues to operate the CVE program, and the cybersecurity community can rely on the continuity of vulnerability tracking and advisories. However, the episode serves as a stark reminder of the fragility of critical cybersecurity infrastructure and the need for resilient, community-driven solutions.
MITRE’s CVE program narrowly avoided a shutdown that could have rippled across the global cybersecurity landscape. While CISA’s last-minute funding extension ensures continuity for now, the future of vulnerability management depends on sustainable funding, transparent governance, and international cooperation. Organizations, vendors, and governments must remain vigilant and proactive to safeguard the world’s digital infrastructure.