MITRE Funding by the U.S. Government to Stop Today, Security Teams Left Alarmed

• The U.S. Government funding for MITRE that maintains CVE database to stop today
• Existing listing of vulnerabilities will remain intact however new entries will not be added
• This action is speculated to impact national security and leave cybersecurity professionals without a critical vulnerability management resource

Update: Hours after the U.S. Government funding to MITRE expired yesterday, CISA announced that the funding will be continued. The CVE Board also launched the CVE Foundation for the larger good of maintaining cybersecurity.

----------

The non-profit organization MITRE, which maintains the Common Vulnerabilities and Exposures (CVE) glossary, will no longer be funded by the U.S. Government. 

The funding is expected to stop on Wednesday, leaving several cybersecurity professionals devoid of the valuable resource for vulnerability management and CVE data. 

The CVE Board Members received a letter from the VP and Director of MITRE Yosry Barsoum that read,”On Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs such as CWE, will expire.”

The letter speculated about the impact of this action, including the deterioration of national vulnerability databases, advisories, incident response operations, and critical infrastructure. 

Reacting to this sudden news, several cybersecurity professionals expressed concern over its impact on national security.

Casey Ellis, Founder of Bugcrowd, stated, “Hopefully this situation gets resolved quickly. CVE underpins a huge chunk of vulnerability management, incident response, and critical infrastructure protection efforts. A sudden interruption in services has the very real potential to bubble up into a national security problem in short order.”

Jason Soroko, Senior Fellow at Sectigo, a provider of comprehensive certificate lifecycle management (CLM), shared, “Failure to renew MITRE's contract for the CVE program, seemingly set to expire on April 16, 2025, risks significant disruption. This lapse could negatively affect tool vendors, incident response operations, and critical infrastructure broadly.”

The complete impact of this action remains to be seen. In a statement, MITRE responded by assuring users that the existing CVE listing vulnerabilities will remain online, however, new CVEs may not be added after the funding expires. 

An update has been added to this story based on the latest findings related to the CVE program funding.