Introduction
In April 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) announced the impending expiration of its contract with MITRE Corporation, which has managed the Common Vulnerabilities and Exposures (CVE) Program for nearly 25 years [1]. The program, sponsored by the US Department of Homeland Security (DHS), has been essential to global cybersecurity: it has assigned identifiers to over 220,000 vulnerabilities and serves as the common reference that vendors, researchers and defenders use to coordinate disclosure and patching across sectors [2]. The announcement raised significant concern within the cybersecurity community because of the central role CVE IDs play in vulnerability coordination [1]. Just before the contract was set to expire on April 16, CISA extended MITRE's contract for 11 months, averting an immediate shutdown but underscoring how much of the world's vulnerability-tracking infrastructure depends on a single government-funded entity [1].
However, on May 29, 2025, MITRE announced a temporary pause in new CVE assignments due to a critical shortfall in federal funding [2]. Such a pause disrupts vulnerability management, delays vendor security advisories, and breaks tooling (scanners, patch-management systems, advisory feeds) that keys its updates on CVE IDs; it also raises questions about the sustainability of vulnerability disclosure and the need to invest in robust systems for future cyber defense [2]. In response, the CVE Board established the CVE Foundation, a nonprofit aimed at ensuring long-term sustainability and independence for the CVE program [1]. The initiative matters all the more because the National Institute of Standards and Technology's (NIST) National Vulnerability Database (NVD) has been experiencing significant backlogs, with over 20,000 CVEs awaiting analysis and only a fraction of newly published vulnerabilities receiving the contextual data (severity scores, affected-product metadata) that organizations need to prioritize risk effectively [1].
The volume of reported vulnerabilities is increasing rapidly: over 33,000 CVEs were published in 2024, a 27% year-over-year increase [1]. This growth outpaces the adoption of open-source packages, indicating a widening gap in vulnerability management systems [1]. Alternative tracking systems, such as GitHub Security Advisories, lack comprehensive coverage, so relying on any one of them leaves developers with blind spots [1].
Organizational practices have not kept pace with this growing risk exposure [1]. Many organizations still allow developers to fetch packages directly from the internet, which increases their exposure to supply chain attacks [1]. Despite the adoption of multiple security tools, essential best practices such as binary-level scanning are often neglected [1].
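The practice described above (developers pulling packages straight from the internet, with no pinning or verification) is easy to detect mechanically. The following checker is an added example, not code from either cited article: it scans a pip-style requirements manifest and flags index URLs that are not an approved internal mirror, extra indexes that allow resolution outside that mirror, direct URL or VCS fetches, unpinned versions, and pins without a `--hash` that would let the downloaded artifact be verified. The mirror hostname `pypi.internal.example`, the sample manifest and its hash values are all constructed for the example.

```python
"""Flag supply-chain hygiene gaps in a pip-style requirements manifest.

Added example (not from the cited articles). Policy modelled here:
  - packages may only be resolved from an approved internal mirror,
  - no extra indexes and no direct URL / VCS fetches,
  - every requirement is pinned with == and carries a --hash pin.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed policy value: hostnames of approved internal mirrors (hypothetical).
APPROVED_INDEX_HOSTS = {"pypi.internal.example"}

# name, optional [extras], exactly one '==' pin, e.g. requests[security]==2.32.3
_PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.\-]*(\[[^\]]*\])?==[^\s,;]+$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    text: str
    reason: str


def _split_option(line: str) -> tuple:
    """Accept both '--index-url URL' and '--index-url=URL' spellings."""
    first = line.split(" ", 1)[0]
    if "=" in first:
        opt, url = line.split("=", 1)
    else:
        opt, _, url = line.partition(" ")
    return opt.strip(), url.strip()


def check_manifest(manifest: str) -> list:
    """Return one Finding per policy violation, in manifest order."""
    findings = []
    for line_no, raw in enumerate(manifest.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue

        if line.startswith("-"):              # pip option line
            opt, url = _split_option(line)
            host = urlsplit(url).hostname or ""
            if opt in ("--index-url", "-i"):
                if host not in APPROVED_INDEX_HOSTS:
                    findings.append(Finding(line_no, line,
                        f"index host '{host}' is not an approved mirror"))
            elif opt == "--extra-index-url":
                findings.append(Finding(line_no, line,
                    "extra index allows resolution outside the approved mirror"))
            else:
                findings.append(Finding(line_no, line, f"unrecognised option {opt}"))
            continue

        if "://" in line or line.startswith(("git+", "hg+", "svn+")):
            findings.append(Finding(line_no, line,
                "direct URL fetch bypasses the package index entirely"))
            continue

        req, *opts = line.split()
        if not _PIN_RE.match(req):
            findings.append(Finding(line_no, line, "version is not pinned with =="))
        if not any(o.startswith("--hash=") for o in opts):
            findings.append(Finding(line_no, line,
                "no --hash pin; downloaded artifact cannot be verified"))
    return findings


# Constructed sample manifest; the sha256 value is a placeholder, not a real digest.
SAMPLE_MANIFEST = """\
# constructed sample for this example
--index-url https://pypi.internal.example/simple
--extra-index-url https://pypi.org/simple
requests==2.32.3 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
urllib3==2.2.1
flask>=3.0
git+https://github.com/example/somepkg.git
"""

if __name__ == "__main__":
    for f in check_manifest(SAMPLE_MANIFEST):
        print(f"line {f.line_no}: {f.reason}\n    {f.text}")
```

Run against the sample, the checker reports five findings: the extra public index, the unhashed `urllib3` pin, the unpinned and unhashed `flask` line (two findings), and the direct Git fetch; the hashed `requests` pin and the approved mirror pass. The same structure extends to other ecosystems by swapping the line grammar, but the policy it enforces is the one the text names: resolve through a controlled mirror and verify what you download.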
The near-loss of MITRE's stewardship of the CVE program is a critical reminder that vulnerability intelligence needs a decentralized and resilient infrastructure rather than a single point of failure [1]. As software development accelerates, particularly with AI-generated code, vulnerability management strategies must evolve to address the structural weaknesses in current models [1]. Supporting nonprofit initiatives like the CVE Foundation and strengthening collaboration across ecosystems are essential steps toward improving the overall security landscape [1].
Conclusion
The potential disruption of the CVE Program highlights the fragility of current cybersecurity infrastructures and the urgent need for diversification and resilience. The establishment of the CVE Foundation is a proactive step towards ensuring the program’s sustainability and independence. As the volume of vulnerabilities continues to rise, it is imperative for organizations to adopt comprehensive vulnerability management practices and for the industry to support initiatives that promote collaboration and innovation in cybersecurity. The future of cyber defense depends on our ability to adapt to evolving threats and to build robust systems that can withstand the challenges ahead.
References
[1] https://www.cybersecurityintelligence.com/blog/the-cve-programs-close-call-8470.html
[2] https://www.provisiontech.in/blog/the-end-of-an-era-cve-program-faces-uncertain-future-amid-funding-crisis/