Cybersecurity Concerns Emerge Amid Funding Cuts to CVE Program


Board Members Announce Launch of ‘CVE Foundation’ to Secure Program’s Future

Board members of the Common Vulnerabilities and Exposures program, previously managed by Mitre, have launched the CVE Foundation to secure the program’s future. (Image: Shutterstock)

Warnings of an imminent disruption, or even a shutdown, of the Common Vulnerabilities and Exposures (CVE) program have highlighted a significant risk to global cybersecurity. Proposed remedies include the establishment of a standalone foundation, though specifics regarding its funding and operations remain uncertain. This development comes on the heels of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announcing a last-minute extension to the program’s contract just hours before funding was set to expire. A CISA spokesperson emphasized the program’s critical importance to the cyber community, affirming that measures were taken to prevent a service interruption.

On the previous day, Mitre, the federal contractor overseeing the CVE initiative, issued an urgent warning to CVE board members that its contracting pathway to operate the program was due to lapse. A letter signed by a Mitre vice president laid out the potential consequences of a service interruption, predicting significant adverse effects on national vulnerability databases, incident response operations, and critical infrastructure.

Jen Easterly, former head of CISA, has underscored the severity of the situation, linking it not only to technical concerns but also to broader implications for business risk and national security. She noted that if the information-sharing framework were disrupted, businesses could face increased security and compliance costs, heightened risks of data breaches, ransomware attacks, and other significant security incidents.

In response to this crisis, a coalition of longtime CVE board members announced the creation of a non-profit CVE Foundation, having prepared for such contingencies over the past year. However, the means of funding this new foundation remain unclear, which could present challenges moving forward. It has been indicated that additional information about its structure and community involvement will be forthcoming.

The decision to cut funding appears to be influenced by a federal cost-cutting initiative spearheaded by Elon Musk’s Department of Government Efficiency. For decades, Mitre has facilitated public-private partnerships, conducting critical research and development in collaboration with government entities. Among these is the CVE Program, which has identified and cataloged publicly disclosed cybersecurity vulnerabilities since its inception in 1999.

As cybersecurity professionals know, CVEs serve as integral components of national incident response efforts and assist organizations in managing vulnerabilities effectively. Tim Peck, a senior threat researcher at Securonix, characterized the CVE program as foundational infrastructure essential for coordinating vulnerability management across numerous sectors.

Despite its crucial role, the CVE program has drawn criticism, particularly over delays in assigning CVE IDs as vulnerability reports from a growing range of sources have increased. Recent security research indicates a substantial rise in the number of CVEs published each year, stretching resources and creating backlogs in processing.

The establishment of the CVE Foundation may also catalyze efforts to continue the Common Weakness Enumeration (CWE) project that Mitre also manages. CWE is the catalog of weakness types (root-cause categories such as classes of memory-safety or input-validation flaws, as opposed to individual vulnerabilities) that CVE records and security tooling reference. Experts have stressed that any disruption to this classification system could hinder secure coding practices and complicate risk assessments in software development.

As developments unfold, the speed at which the CVE Foundation becomes operational and its ability to unify support from the wider cybersecurity community remain to be seen, with industry leaders emphasizing the potential national security ramifications of any service interruption.

In the interim, VulnCheck, a vulnerability intelligence firm that operates as a CVE Numbering Authority (CNA), has pledged to continue issuing CVE assignments during this transitional phase and has already reserved a significant number of CVE IDs for 2025. This proactive stance highlights the collaborative effort needed to sustain cybersecurity resilience in a challenging landscape.

*Update April 16, 2025: This story has been updated with details regarding CISA’s temporary measures to maintain contract continuity for the CVE program managed by Mitre.*
