Funding for the CVE program, which manages vulnerabilities, will expire on April 16, 2025



The Common Vulnerabilities and Exposures (CVE) Program is a program in which MITRE, a non-profit organization supported by the U.S. government, assigns identifiers to vulnerabilities in individual products. The U.S. Department of Homeland Security did not renew its funding agreement for the CVE Program, and it became clear that the program's budget would expire on April 16, 2025 local time.

MITRE-backed cyber vulnerability program to lose funding Wednesday - Nextgov/FCW
https://www.nextgov.com/cybersecurity/2025/04/mitre-backed-cyber-vulnerability-program-lose-funding-wednesday/404585/

CVE program faces swift end after DHS fails to renew contract, leaving security flaw tracking in limbo | CSO Online
https://www.csoonline.com/article/3963190/cve-program-faces-swift-end-after-dhs-fails-to-renew-contract-leaving-security-flaw-tracking-in-limbo.html

The CVE Program is an international framework for the centralized and standardized identification and management of known vulnerabilities in the field of cybersecurity, and was launched in 1999. The CVE Program is developed, operated, and maintained by the non-profit organization MITRE, and is used in a wide range of fields, from private companies to government agencies, national security, and critical infrastructure.

The core of the CVE program is to assign unique identification numbers to discovered vulnerabilities so that researchers, vendors, and public organizations can share information about the same vulnerabilities in a consistent manner. Under the CVE program, approximately 275,000 vulnerability records have been cataloged as of 2025, and the assigned vulnerability information is publicly available through the official website and GitHub.

However, an internal memo sent to the CVE Board dated April 15, 2025 was leaked to Bluesky. The memo stated, 'On Wednesday, April 16, 2025, MITRE's current contract to develop, operate, and modernize CVE and related programs such as CWE will expire. The government continues to make significant efforts to support MITRE's continued support of the program.'

BREAKING. From a reliable source. MITRE support for the CVE program is due to expire tomorrow. The attached letter was sent out to CVE Board Members.

— Tib3rius ( @tib3rius.bsky.social ) April 16, 2025 2:23



Yosry Barsoum, director of the MITRE Center for Homeland Security, confirmed to the technology news outlet Nextgov/FCW that funding for the CVE program and other programs run by the organization will end on April 16, 2025. According to Barsoum, MITRE relies on funding contracts from the U.S. government to fund the CVE program, and those contracts expire on April 16.

The background to this appears to be the large-scale budget cuts and contract restructuring at the Cybersecurity and Infrastructure Security Agency (CISA). It has been reported that several contracts have been terminated or left untouched within CISA, and Nextgov/FCW reports that it is highly likely that vulnerability management operations, including CVE, have been affected.



According to testimony from members of Congress, there have been calls for the downsizing of CISA itself, and the termination of the contract is believed to stem from a policy that 'while maintaining its role in monitoring critical infrastructure, its budget and scope of work should be reduced.' Some members of Congress have strongly opposed this, issuing a statement criticizing the move, saying, 'CVE is the foundation of global cybersecurity, and to terminate it is irresponsible and ignorant.'

Continued
CVE Foundation established to keep Common Vulnerabilities and Exposures (CVE) program afloat, launches immediately after US government funding ends - GIGAZINE

in Security, Posted by log1i_yk