#1 Middle East & Africa Trusted Cybersecurity News & Magazine |

Saturday, April 19, 2025

End of an Era? MITRE’s CVE Project Faces Uncertain Future After Funding Loss


The U.S. government is set to discontinue funding for MITRE’s Common Vulnerabilities and Exposures (CVE) program, effective April 16, 2025. Since 1999, this program has been responsible for giving security vulnerabilities unique identifiers, helping streamline and unify defensive actions across a wide range of sectors, from intelligence agencies to private businesses.

The expiration of funding also impacts the Common Weakness Enumeration (CWE) program, which catalogs hardware and software weaknesses. The decision has raised concerns about potential disruptions in global cybersecurity coordination, as stakeholders may face challenges in tracking vulnerabilities consistently.

On April 15, 2025, Yosry Barsoum, MITRE’s Vice President and Director of the Center for Securing the Homeland, acknowledged in a letter the expiration of federal funding for the CVE program and its potential impact on the Common Weakness Enumeration (CWE) program. He emphasized MITRE’s commitment to the CVE program and its role as a global resource, highlighting the collaborative efforts of various stakeholders in its success. Barsoum also noted that the Department of Homeland Security continues to support MITRE’s role in the program, underscoring the importance of the CVE initiative in enhancing cybersecurity resilience.

To better grasp the potential impact, it’s important to first understand what the CVE program is and the role MITRE has played in managing it.

What is the CVE Program?

CVE (Common Vulnerabilities and Exposures) is a standardized way to identify and name publicly known cybersecurity vulnerabilities.

Each vulnerability gets a unique CVE ID like: CVE-2025-24813

The idea is that all tools, databases, and reports refer to the same vulnerability using this ID – avoiding confusion.
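To show what a shared identifier buys defenders, here is an added example (not from the original article) that pulls CVE IDs out of differently formatted tool output and groups the sources by ID. The source names, sample text and the placeholder ID CVE-2099-0001 are constructed for illustration; only CVE-2025-24813 comes from the article.

```python
import re
from collections import defaultdict

# CVE ID syntax: "CVE", a four-digit year, then four or more digits.
# Reports often carry lowercase IDs or typographic hyphens (U+2010..U+2015),
# so both are accepted here and normalized to the canonical form.
DASH = "[-\u2010-\u2015]"
CVE_RE = re.compile(rf"\bCVE{DASH}(\d{{4}}){DASH}(\d{{4,}})\b",
                    re.IGNORECASE | re.ASCII)
FIRST_YEAR = 1999  # the article dates the program to 1999

def extract_cve_ids(text):
    """Return canonical CVE IDs found in free text, in order, no duplicates."""
    found = []
    for year, seq in CVE_RE.findall(text):
        if int(year) < FIRST_YEAR:
            continue  # cannot be a valid CVE year
        cve = f"CVE-{year}-{seq}"
        if cve not in found:
            found.append(cve)
    return found

def correlate(reports):
    """Map each CVE ID to the sorted list of sources that mention it."""
    index = defaultdict(set)
    for source, text in reports.items():
        for cve in extract_cve_ids(text):
            index[cve].add(source)
    return {cve: sorted(sources) for cve, sources in index.items()}

# Constructed sample inputs (hypothetical sources, not real tool output).
REPORTS = {
    "scanner": "host web01: finding cve-2025-24813 severity=high",
    "advisory": "Bulletin: fixes CVE\u20112025\u201124813 and CVE-2099-0001.",
    "ticket": "Patch request, see CVE-2025-248 and internal id VULN-77",
}

if __name__ == "__main__":
    for cve, sources in correlate(REPORTS).items():
        print(cve, "reported by", ", ".join(sources))
```

The truncated ID in the ticket is rejected rather than guessed at, which is the failure mode to watch for when IDs are copied by hand between systems.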

What is NVD?

NVD stands for the National Vulnerability Database. It’s a U.S. government repository of standards-based vulnerability management data. Managed by NIST (National Institute of Standards and Technology), the NVD provides:

  • A searchable database of publicly known security vulnerabilities.
  • Detailed information including:
    • CVE IDs (Common Vulnerabilities and Exposures)
    • CVSS scores (severity ratings)
    • Impact metrics
    • References and links to advisories, patches, etc.

Basically, NVD enriches CVE data with extra analysis, severity scores, and other technical details to help organizations assess and manage cybersecurity risks.

What is MITRE?

MITRE is a non-profit organization that operates Federally Funded Research and Development Centers (FFRDCs) for the U.S. government. It works on a wide range of public interest projects, especially in cybersecurity, defence, and technology.

When it comes to cybersecurity…

MITRE is the original creator and steward of the CVE program.

How did MITRE help with CVE management?

MITRE ran and maintained the CVE Program for many years, and here’s what they did:

  1. CVE ID Assignment: MITRE acted as the CVE Numbering Authority (CNA) and also managed other CNAs worldwide. They reviewed vulnerability submissions and assigned official CVE IDs.
  2. Standardization: They maintained the structure and rules of how CVEs are created, described, and formatted.
  3. Public Disclosure Coordination: Helped coordinate responsible disclosure between researchers, vendors, and the public.
  4. Community Management: Maintained relationships with security researchers, vendors, and organizations participating in the CVE program.
  5. Data Sharing: Supplied CVE entries to NIST/NVD, who then enhanced them with technical details and risk scores.

MITRE helped NIST/NVD by managing the source data (the CVEs), while NVD added further analysis and context for public use.

Conclusion

The expiration of federal funding for MITRE’s CVE Program puts a critical piece of cybersecurity infrastructure at risk. Without continued support, the global ability to track and respond to vulnerabilities could be severely impacted. The future of the program now hinges on whether new support or alternative funding can be secured to maintain the integrity and continuity of global cyber defense operations. The consequences could include degraded threat monitoring, reduced visibility into vulnerabilities, and weakened infrastructure protection, not just in the U.S. but globally.
