https://www.csoonline.com/article/3963190/cve-program-faces-swift-end-after-dhs-fails-to-renew-contract-leaving-security-flaw-tracking-in-limbo.html
CVE program averts swift end after CISA executes 11-month contract extension

News Analysis by Cynthia Brumfield, Contributing Writer. Updated Apr 16, 2025. 6 mins. Government, Threat and Vulnerability Management.

After DHS did not renew its funding contract for reasons unspecified, MITRE's 25-year-old Common Vulnerabilities and Exposures (CVE) program was slated for an abrupt shutdown on April 16, which would have left security flaw tracking in limbo. CISA stepped in to provide a bridge.

[Image: Homeland Security sign in Washington, D.C. Credit: Jerome460 / Shutterstock]

Important update April 16, 2025: Since this story was first published, CISA signed a contract extension that averts a shutdown of the MITRE CVE program. A CISA spokesperson sent CSO a statement saying, "The CVE Program is invaluable to the cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience." Sources say the contract extension will last 11 months.

April 15, 2025: In a stunning development that demolishes a cornerstone of cybersecurity defense, nonprofit R&D organization MITRE said that its contract with the Department of Homeland Security (DHS) to maintain the Common Vulnerabilities and Exposures (CVE) database, which organizes computer vulnerabilities, will expire at midnight on April 16.
Yosry Barsoum, vice president and director of the Center for Securing the Homeland at MITRE, wrote in a missive to the CVE board, "On Wednesday, April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE®) Program and related programs, such as the Common Weakness Enumeration (CWE™) Program, will expire. The government continues to make considerable efforts to support MITRE's role in the program, and MITRE remains committed to CVE as a global resource."

End of CVE program seen as 'tragic'

Sasha Romanosky, senior policy researcher at the Rand Corporation, branded the end to the CVE program as "tragic," a sentiment echoed by many cybersecurity and CVE experts reached for comment. "CVE naming and assignment to software packages and versions are the foundation upon which the software vulnerability ecosystem is based," Romanosky said. "Without it, we can't track newly discovered vulnerabilities. We can't score their severity or predict their exploitation. And we certainly wouldn't be able to make the best decisions regarding patching them."

Ben Edwards, principal research scientist at Bitsight, told CSO, "My reaction is sadness and disappointment. This is a valuable resource that should absolutely be funded, and not renewing the contract is a mistake." He added, "I am hopeful any interruption is brief and that if the contract fails to be renewed, other stakeholders within the ecosystem can pick up where MITRE left off. The federated framework and openness of the system make this possible, but it'll be a rocky road if operations do need to shift to another entity."

MITRE's CVE program foundational to cybersecurity

MITRE's CVE program is a foundational pillar of the global cybersecurity ecosystem and is the de facto standard for identifying vulnerabilities and guiding defenders' vulnerability management programs.
It provides foundational data to vendor products across vulnerability management, cyber threat intelligence, security information and event management (SIEM), and endpoint detection and response (EDR). Although the National Institute of Standards and Technology (NIST) enriches MITRE's CVE records with additional information through its National Vulnerability Database (NVD), and CISA has helped enrich MITRE's CVE records with its "vulnrichment" program because of funding shortfalls in the NVD program, MITRE is the originator of the CVE records and serves as the primary source for identifying security flaws.

"If MITRE's funding goes away, it causes an immediate cascading effect that will impact vulnerability management on a global scale," Brian Martin, vulnerability historian, CSO of the Security Errata project, and former CVE board member, wrote on LinkedIn. "First, the federated model and CVE Numbering Authorities (CNA) can no longer assign IDs and send info to MITRE for quick publication. Second, all of that is the foundation for the National Vulnerability Database (NVD), which is already beyond struggling, with a backlog of over 30,000 vulnerabilities and the recent announcement of over 80,000 'deferred' (meaning will not be fully analyzed by their current standards)."

Martin added, "Third, every company that maintains 'their own vulnerability database' that is essentially lipstick on the CVE pig will have to find alternate sources of intelligence. Fourth, national vulnerability databases like China's and Russia's, among others, will largely dry up (Russia more than China). Fourth [sic], hundreds, if not thousands, of National / Regional CERTs around the world, no longer have that source of free vulnerability intelligence. Fifth [sic], every company in the world that relied on CVE/NVD for vulnerability intelligence is going to experience swift and sharp pains to their vulnerability management program."

Why is the contract ending?
It's unclear what led to DHS's decision to end the contract after 25 years of funding the highly regarded program. The Trump administration, primarily through Elon Musk's Department of Government Efficiency initiative, has been slashing government spending across the board, particularly at the Cybersecurity and Infrastructure Security Agency (CISA), through which DHS funds the MITRE CVE program. Although CISA has already been through two funding cuts, press reports suggest that nearly 40% of the agency's staff, or around 1,300 employees, are still slated for termination. However, sources say that compared to the budget cuts made elsewhere in the federal government, the expense of running the CVE program is minor and "won't break the bank."

What happens next?

Sources close to the CVE program say that starting at midnight on April 16, MITRE will no longer add records to its CVE database. However, historical CVE records will remain available on GitHub (the CVE Program publishes its record set in the public CVEProject/cvelistV5 repository), so existing identifiers would still resolve; what would stop is the assignment and publication of new ones. The real question is whether a private sector alternative to MITRE's program emerges.

"It's difficult to speculate on what services could be impacted reading the note from MITRE," Patrick Garrity, a security researcher at threat intelligence firm VulnCheck, told CSO. "The current vulnerability ecosystem is fragile after seeing NIST NVD's failure last year, and any impacts to the CVE Program could have detrimental impacts on defenders and the security community. VulnCheck remains committed to helping fill any gaps that might arise."

Garrity posted on LinkedIn, "Given the current uncertainty surrounding which services at MITRE or within the CVE Program may be affected, VulnCheck has proactively reserved 1,000 CVEs for 2025," adding that VulnCheck "will continue to provide CVE assignments to the community in the days and weeks ahead."
A CISA spokesperson told CSO, "CISA is the primary sponsor for the Common Vulnerabilities and Exposures (CVE) program, which is used by government and industry alike to disclose, catalog, and share information on technology vulnerabilities that can put the nation's critical infrastructure at risk. Although CISA's contract with the MITRE Corporation will lapse after April 16, we are urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely."

This article was originally published April 15, titled "CVE program faces swift end after DHS fails to renew contract, leaving security flaw tracking in limbo." It has been updated to reflect the latest announcements about CVE.

About the author: Cynthia Brumfield is a veteran communications and technology analyst who is currently focused on cybersecurity. She runs a cybersecurity news destination site, Metacurity.com, consults with companies through her firm DCT-Associates, and is the author of the book published by Wiley, Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework.
Copyright (c) 2025 IDG Communications, Inc.