CVE Program Gets Lifeline Amid Global Security Concerns | The Enterprise World

Funding Crisis Averted for Critical Security Database

The U.S. government has temporarily reinstated funding for the CVE Program, a cornerstone of global cybersecurity infrastructure. The decision came just hours before the expiration of MITRE’s contract with the Department of Homeland Security on April 16, 2025. The Common Vulnerabilities and Exposures (CVE) system, which provides unique identifiers for publicly known security flaws, is widely used by governments, businesses, and cybersecurity professionals worldwide to manage vulnerabilities effectively.

Initially, concerns were raised when MITRE disclosed that its funding would lapse, sparking fears of disruption to essential cybersecurity services. MITRE Vice President Yosry Barsoum warned that a halt in operations could negatively impact vulnerability databases, security advisories, and incident response capabilities. Experts viewed the potential end of the 25-year-old program as a possible cost-cutting measure by the Trump administration.

However, in a late reversal, the Cybersecurity and Infrastructure Security Agency (CISA) extended MITRE’s contract by 11 months. “The CVE Program is invaluable to the cyber community and a priority of CISA,” a spokesperson confirmed. While the immediate crisis has been averted, the long-term future of the program remains uncertain.

Formation of the CVE Foundation to Ensure Program Stability

In response to growing concerns over the CVE Program’s reliance on a single government sponsor, a group of CVE Board members has established the CVE Foundation. The newly formed non-profit aims to secure the long-term independence, neutrality, and stability of the CVE system. The foundation plans to take over responsibility for maintaining and developing the program, reducing its vulnerability to political and funding disruptions.

“The CVE Program is too important to be at risk,” said Kent Landfield, a founding officer of the Foundation. “Security professionals worldwide depend on CVE data for threat intelligence, patching systems, and preventing cyberattacks.” The foundation emphasized its goal of maintaining a community-driven, globally trusted vulnerability management system.

Since its inception in 1999, the CVE Program has been operated by MITRE under government contracts. While this structure has allowed the program to flourish, experts argue it also created a single point of failure. The new foundation is designed to mitigate that risk by decentralizing oversight and engaging a broader coalition of cybersecurity stakeholders.

Global Implications and What Organizations Should Do Next

Although the immediate threat to the CVE Program has been addressed, cybersecurity professionals are urging organizations to prepare for future uncertainties. Experts stress that while historical vulnerability data is safe, the identification and tracking of new vulnerabilities could face challenges if funding lapses again.

Security leaders are advising businesses to diversify their threat intelligence sources. Jamie Akhtar of CyberSmart suggests organizations rely more on alternatives like CISA’s Known Exploited Vulnerabilities list, the U.S. National Vulnerability Database (NVD), and vendor-specific advisories. Others recommend monitoring platforms like GitHub Advisories or the Open Source Vulnerabilities (OSV) database as additional sources of vulnerability intelligence.

The recent funding scare has also reignited calls for private sector involvement to help sustain the CVE Program. As Matt Saunders of Adaptavist Group put it, “There’s an opportunity for industry players, who benefit the most from CVE, to step up in the public interest.”

While the CVE Program is secure for now, the incident highlights the need for a resilient, multi-sourced cybersecurity infrastructure. The formation of the CVE Foundation marks a critical step in ensuring that global cyber defenses remain strong, independent, and future-proof.
