MITRE’s CVE program faces funding expiry, raising cybersecurity concerns

A cornerstone of the global cybersecurity ecosystem is facing an uncertain future. US government funding for MITRE Corporation to operate and maintain the Common Vulnerabilities and Exposures (CVE) program is set to expire, an unprecedented development that could significantly disrupt how security flaws are identified, tracked, and mitigated worldwide.

Launched in 1999, the CVE program has become the de facto international standard for cataloging publicly known software vulnerabilities. Managed by MITRE under sponsorship from the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA), the program has published over 274,000 CVE records to date.

MITRE has warned that the lapse in funding will not only halt its ability to continue developing and modernizing the CVE system but could also impact related initiatives such as the Common Weakness Enumeration (CWE). These tools are essential for vulnerability classification, secure coding practices, and prioritisation of cybersecurity risks.

While Barsoum noted that the US government is working to find a resolution, the looming gap has already prompted independent action. Cybersecurity firm VulnCheck, which acts as a CVE Numbering Authority (CNA), has preemptively reserved 1,000 CVEs for 2025 in an effort to maintain continuity.

Industry experts warn the consequences could be far-reaching. Despite the challenges, MITRE has affirmed its commitment to the CVE program and its role as a global resource. However, unless a new funding arrangement is secured, the future of this foundational infrastructure remains in question.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!