Cybersecurity at risk: CVE Program for tracking security flaws faces federal funding cut

The cybersecurity community is concerned about the potential shutdown of MITRE's CVE program on April 16 due to the expiration of its DHS contract. This program is essential for identifying and tracking software vulnerabilities. A lapse in funding could disrupt global cybersecurity coordination, impacting vulnerability databases, incident response, and critical infrastructure, and cybersecurity professionals are urging policymakers to take action.

The cybersecurity world is bracing for potential disruption as MITRE’s Common Vulnerabilities and Exposures (CVE) program faces an uncertain future. The program, which has been a cornerstone of global cybersecurity for over two decades, may go dark on April 16 due to the expiration of its US Department of Homeland Security (DHS) contract.

Why the CVE program matters

The CVE program plays a critical role in cybersecurity by assigning standardised identifiers to software vulnerabilities, enabling security researchers, vendors, and IT teams to track and address threats efficiently. It is closely linked to the Common Weakness Enumeration (CWE) program, which categorises coding errors that lead to vulnerabilities. Together, these programs form the backbone of global security coordination, supporting tools like vulnerability scanners, patch management systems, and threat intelligence feeds.

The risk of a shutdown

MITRE has confirmed that its DHS contract expires on April 16, and no renewal has been finalized. Without funding, the CVE program could halt updates, leading to gaps in vulnerability tracking and delays in security advisories. Experts warn that this lapse could degrade national vulnerability databases, affecting tool vendors, incident response operations, and critical infrastructure.

Jason Soroko, Senior Fellow at Sectigo, emphasised the severity of the situation: "Failure to renew MITRE's contract risks significant disruption. A service break would negatively impact cybersecurity coordination worldwide."

Cybersecurity professionals are urging policymakers to secure funding for the CVE program to prevent a crisis. The potential shutdown has raised concerns about government reliance on private entities for critical security functions and the need for alternative solutions to maintain vulnerability tracking.

About the Author
TOI Tech Desk

The TOI Tech Desk is a dedicated team of journalists committed to delivering the latest and most relevant news from the world of technology to readers of The Times of India. TOI Tech Desk’s news coverage spans a wide spectrum across gadget launches, gadget reviews, trends, in-depth analysis, exclusive reports and breaking stories that impact technology and the digital universe. Be it how-tos or the latest happenings in AI, cybersecurity, personal gadgets, platforms like WhatsApp, Instagram, Facebook and more; TOI Tech Desk brings the news with accuracy and authenticity.
