EXPEL BLOG

Security alert: CVE contract expiration and option period

· 1 MIN READ · JAMES SHANK · APR 16, 2025 · TAGS: in the media / vulnerability prioritization

TL;DR 

  • The contract for the federally funded Common Vulnerabilities and Exposures (CVE) program has been extended to avoid lapse in critical services
  • Many government agencies and private sector companies rely on this program to identify, mitigate, and fix security vulnerabilities
  • The immediate concerns are abated with the extension, but uncertainty remains about what comes next

Article last updated on April 17, 2025.

What happened? 

On April 15, news broke that funding for the globally relied upon CVE program was set to expire on April 16, 2025. This critical resource is maintained by the non-profit research and development organization MITRE, and is traditionally federally funded by the Department of Homeland Security. 

Hours before the deadline, CISA announced the US government had extended funding for the program for at least another 11 months to avoid any lapse in CVE services. This extension puts the fire out for now, but begs the question: what happens next?

Why does it matter? 

The CVE database is the de-facto reference source for much of the world’s vulnerability tracking. It’s alarming to see that contracts may be expiring for these critical resources—interrupting services from MITRE may adversely impact service reliability and quality for many government agencies and private sector companies. This also introduces concerns because it isn’t clear where those organizations will turn for alternate authoritative sources.

What should you do right now? 

With the execution of the option period, CISA has ensured the continued MITRE support for CVE for the immediate future. For now, no additional action is required.

What’s next? 

We can expect the complexity of this issue to increase over time. There are already many alternative CVE classification systems, which adds to the intricacy of threat research and tracking—particularly as these systems aren’t federated.

As a response to awareness of this instability in the CVE ecosystem, at least two efforts have spun up in the private sector. Both The CVE Foundation (https://thecvefoundation.org)* and Global CVE Allocation System (https://gcve.eu/)* launched today with the goal of providing alternative solutions. We will keep an eye on these and other developments in this space and will update this post with big developments, including what ripple effects this might have within the taxonomy of CVEs worldwide.

*Disclaimer: As these domains are brand new, some organizations may restrict access to them.