On April 15, 2025, a leaked letter from Yosri Barsoum — Vice President and Director at MITRE — revealed that the U.S. government’s contract funding the CVE program would expire at midnight on April 16, 2025. This decision has prompted wide concern across the cybersecurity industry, with many organizations now seeking clarity on the impact of this disruption.

📌 Update – April 16, 2025

Good news, the CISA has officially extended its funding to MITRE and the CVE Program as of last night. This ensures continuity of services, at least for the time being, and helps avoid any immediate disruption to the vulnerability tracking ecosystem.

That said, details about the scope and duration of this funding remain limited. At OpenCVE, we continue to actively monitor the situation and remain committed to adapting our platform quickly if any changes arise in the weeks ahead.

What Are CVEs and Why Do They Matter?

CVE stands for Common Vulnerabilities and Exposures. Each CVE is a unique identifier assigned to a publicly known cybersecurity vulnerability. These identifiers enable a standardized way to reference and share information across the security ecosystem.

The CVE system is managed by MITRE, a U.S. government-funded nonprofit organization, in collaboration with many stakeholders, including vendors, researchers, and CERTs. CVEs are the backbone of most vulnerability detection and management systems — both proprietary and open source. Organizations rely on them to track, prioritize, and respond to security flaws in software and hardware.

What Just Happened?

A leaked letter dated April 15, 2025, from Yosri Barsoum to members of the CVE Board disclosed the following:

On Wednesday, April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE®) Program and related programs, such as the Common Weakness Enumeration (CWE™) Program, will expire. The government continues to make considerable efforts to support MITRE’s role in the program, and MITRE remains committed to CVE as a global resource.

According to a report by CSO Online, the funding for MITRE’s CVE program has not been renewed by the U.S. Department of Homeland Security (DHS), which has been the program’s primary sponsor for the past 25 years. The CVE program is administered through CISA (the Cybersecurity and Infrastructure Security Agency), which operates under the DHS.

The precise reasons behind the non-renewal remain unclear. However, it appears that the current U.S. government has been significantly reducing budgets across multiple federal programs, including those related to cybersecurity. This has led to uncertainty regarding the future of the CVE program and its operational continuity.

Will CVEs Still Be Issued?

In a LinkedIn post, security journalist Brian Krebs explained:

CVEs will still be issued to CNAs, or CVE Numbering Authorities, i.e. vendors, researchers, open source, CERT, hosted service, bug bounty provider, and consortium organizations authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE records within their own specific scopes of coverage. […] MITRE does have a more manual process for issuing CVEs to non-CNAs, and that may be impacted this week

Additionally, as highlighted by Patrick Garrity from VulnCheck in a LinkedIn post, the organization has proactively reserved 1,000 CVE IDs to help ensure continuity in vulnerability assignments.

And a spokesperson for CISA told CSO:

“Although CISA’s contract with the MITRE Corporation will lapse after April 16, we are urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely.”

As Brian Krebs noted on his blog, this isn’t the first time the CVE program has come close to a funding cliff. MITRE remains hopeful, and government agencies are reportedly working to continue its involvement.

How OpenCVE Is Responding

At OpenCVE, we’re monitoring the situation very closely. Like many others in the industry, our platform is built on top of the CVE ecosystem, and our goal is to ensure continuity of service regardless of what happens in the coming weeks.

We’d like to reassure our users that we are prepared to adapt quickly if needed. For example, when NVD stopped enriching CVEs last year, we integrated the Vulnrichment repository from CISA to maintain high-quality vulnerability data.

We will continue to take a proactive approach: adding new data sources, adjusting our enrichment pipeline, and communicating transparently with our users.

In the meantime, we encourage the community to stay informed and support the efforts of organizations like MITRE, CISA, and CNAs that help maintain the security infrastructure we all rely on.