MITRE Warns CVE Program Faces Disruption Amid US Funding Uncertainty

MITRE warns of a deterioration of national vulnerability databases and advisories, slowed vendor reaction and limited response operations.

The non-profit MITRE Corporation says uncertainties around US government funding may lead to the disruption and “deterioration” of the Common Vulnerabilities and Exposures (CVE) program.

[UPDATE: MITRE CVE Program Gets Last-Hour Funding Reprieve]

In a letter to the CVE board, VP and Director at MITRE’s Center for Securing the Homeland Yosry Barsoum said the contract with the US government to manage the program will expire on April 16 and there’s no word on funding moving forward.

“On Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire. The government continues to make considerable efforts to continue MITRE’s role in support of the program,” Barsoum explained.

“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, slowed vendor reaction, limited response operations, and all manner of critical infrastructure,” he warned.

The CVE program, created to catalog publicly disclosed cybersecurity vulnerabilities, is a vital part of the vulnerability disclosure and documentation process and is widely used by hackers, vendors, and organizations to share accurate and consistent information about cybersecurity risks. 

Maintained by MITRE Corporation, a not-for-profit organization that operates federal R&D centers, the CVE program is funded through multiple channels, including the U.S. government, industry partnerships, and international organizations. 

Earlier this month, in anticipation of the US government funding cuts, MITRE initiated layoffs that affected more than 400 employees in its Virginia office. The cuts were ordered after the Trump administration announced more than $28 million in canceled contracts for the company.

The CVE program funding worries follow news that the National Institute of Standards and Technology (NIST) is still struggling to clear the growing backlog of CVEs in the official National Vulnerability Database (NVD).

According to NIST, while the National Vulnerability Database (NVD) is processing incoming CVEs at the same rate as before the slowdown in spring and early summer 2024, a 32 percent jump in submissions last year means that the backlog continues to grow.

“We anticipate that the rate of submissions will continue to increase in 2025,” the institute said, noting that it is exploring the use of AI and machine learning to automate certain processing tasks.

The effects of the backlog are already being felt in vulnerability management circles where NVD data is presented as a source of truth with ongoing triaging and enrichment of data.

Without faster processing of vulnerability data, the gap between reported issues and actionable intelligence has widened and is causing major problems for organizations relying on timely information to protect their systems.

NIST has explained that the NVD’s current workflows and data ingestion systems were designed for lower CVE submission volumes and that outdated formats and manual enrichment procedures created significant bottlenecks.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
