MITRE’s CVE program is the closest thing that cybersecurity has to “critical infrastructure”—its standardized system for identifying and cataloging publicly disclosed cybersecurity vulnerabilities, and related services like CWE, underpin an entire ecosystem of services, workflows and tools.

And today was very nearly its last day.

On April 15, several people “in the know” shared a letter from Yosry Barsoum, MITRE’s Director – Center for Securing the Homeland, to CVE board members about the dire consequences of its “contracting pathway” coming to an end the following day.

The letter read:

Dear CVE Board Member,

We want to make you aware of an important potential issue with MITRES’s enduring support to CVE.

On Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other programs, such as CWE*, will expire. The government continues to make considerable efforts to continue MITRE’s role in support of the program.

If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.

MITRE continues to be committed to CVE as a global resource. We thank you as a member of the CVE Board for your continued partnership.

The CVE program allows organizations worldwide to communicate about threats effectively. Unique CVE identifiers are assigned to each vulnerability and published by authorized CVE Numbering Authorities (CNAs). There are hundreds of these CNAs, which can be tied to countries, individual software vendors, or vulnerability disclosure platforms. The unique identifiers allow the security community to manage and mitigate software vulnerabilities and ensure we all know which vulnerabilities we are referring to.

Organizations rely heavily on the CVE system to identify, prioritize, and patch security flaws. Without a centralized, authoritative source for new CVEs, there could be fragmentation and confusion, leading to delays in vulnerability response and remediation efforts—opening the door for threat actors. MITRE has been the steward and maintainer of the CVE program since its inception in 1999.

Former CISA director, Jen Easterly, described the CVE system as “one of the most important pillars” in cybersecurity, saying “Losing it would be like tearing out the card catalog from every library at once – leaving defenders to sort through chaos while attackers take full advantage.”

The funding issues mentioned in the letter stem from the government’s decision not to renew MITRE’s contract, which is primarily supported by the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA). A CISA spokesperson told ITPro:

Although CISA’s contract with the MITRE Corporation will lapse after April 16th, we are urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely.

In response to CVE’s impending lack of funding, “a coalition of longtime, active CVE Board members” launched the CVE Foundation today, to “ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program.”

Just a few hours later, CISA confirmed that it would fund the CVE program for another 11 months, saying:

The CVE Program is invaluable to the cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.

With its immediate future secured, the question now is whether CISA or the CVE Foundation will be the long term custodians of the CVE program.