Mitre Alerts About Gap in CVE Coverage

One of the key players in cybersecurity, the Common Vulnerabilities and Exposures (CVE) system run by the U.S. nonprofit Mitre, is facing a serious challenge. The contract that allows Mitre to manage this essential project for the U.S. government is set to expire on Wednesday, April 16, with no new agreement in place.

In a letter to Mitre board members, Yosry Barsoum, who leads the Centre for Securing Homeland (CSH) at Mitre, explained that the U.S. government is working hard to keep Mitre involved in the CVE program. He warned that if there’s a gap in service, it could harm national vulnerability databases, advisory services, and incident response efforts, ultimately affecting critical infrastructure.

Barsoum expressed Mitre’s commitment to the CVE as a global resource and thanked the board for their ongoing support. A spokesperson for Mitre confirmed this update, noting that the CVE program is a cornerstone of the cybersecurity landscape, supporting an industry worth around $40 billion.

Launched in the late 1990s, the CVE system has become a vital reference for disclosed cybersecurity vulnerabilities and has been funded by the National Cyber Security Division of the Department of Homeland Security. It has shaped security research tremendously, providing key data on emerging threats, including major events like WannaCry and SolarWinds.

Many recognize CVEs by their unique identifiers that start with “CVE” followed by the year and a number. These CVEs are released monthly by Microsoft during its Patch Tuesday updates. If Mitre were to stop operations, even for a short time, the effects would ripple across the tech industry. The rate of newly discovered vulnerabilities is at an all-time high and isn’t slowing down.

A disruption in the CVE system could empower both cyber criminals and state-sponsored actors, who might exploit any downtime. Security professionals would be left scrambling without crucial information. As the U.S. grapples with significant funding cuts, the implications for national security, especially regarding threats from countries like China and Russia, worry many in the security field.

On social media, some observers raised alarms about the potential motive behind the contract lapse, suggesting it fits a pattern of undermining key security institutions during a time of heightened cyber threats.

In response to the potential shutdown, many in the cybersecurity community are stepping up. Patrick Garrity from VulnCheck expressed gratitude for Mitre’s longstanding contributions to the CVE program. To ensure continuity, VulnCheck has already reserved 1,000 CVEs for 2025 and will keep issuing CVE numbers as long as possible. He gave assurances that they’re closely monitoring the situation to provide accurate vulnerability data to both the community and their clients.

Mitre also confirmed that historical CVE records will remain accessible on GitHub.
