In a development that has sent ripples through the cybersecurity community, the funding for the Common Vulnerabilities and Exposures (CVE) program, managed by MITRE, is set to expire on April 16, 2025. This program has been a cornerstone in the identification and tracking of publicly disclosed cybersecurity vulnerabilities since its inception in 1999.
The CVE program assigns unique identifiers to cybersecurity threats, enabling organizations worldwide to manage and mitigate risks effectively. Major technology companies, including Microsoft, Google, Apple, Intel, and AMD, rely on this system to prioritize security patches and coordinate responses to vulnerabilities. The expiration of MITRE's contract with the U.S. government, which has historically funded the CVE program, threatens to disrupt this critical infrastructure.
Yosry Barsoum, vice president and director at MITRE's Center for Securing the Homeland, acknowledged the situation, stating, "On Wednesday, April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE®) Program and related programs, such as the Common Weakness Enumeration (CWE™) Program, will expire. The government continues to make considerable efforts to support MITRE’s role in the program, and MITRE remains committed to CVE as a global resource."
The potential discontinuation of the CVE program has sparked concern among cybersecurity experts. Lukasz Olejnik, a security and privacy researcher, warned that the absence of CVE could cripple the global cybersecurity system. He emphasized that without a centralized system, coordination between vendors, analysts, and defense systems would break down, severely weakening global cybersecurity.
In a LinkedIn post that quickly gained traction, renowned cybersecurity journalist Brian Krebs confirmed the unsettling news, writing:
“MITRE's CVE database is likely going offline tomorrow. They have told me that for now, historical CVE records will be available at GitHub.”
Krebs, who has built a reputation for breaking major cybersecurity news, emphasized just how pivotal the CVE program has been, not just for enterprises and security vendors, but for governments, researchers, and hobbyists alike. He also shared a link to the official Department of Homeland Security contract, which has historically been renewed annually around April 16–17 — until now.
Industry Response
So far, public reactions from major software vendors have been limited, but that silence likely masks behind-the-scenes conversations. A few independent security experts have already floated proposals for a community-driven CVE alternative or the possibility of an international cybersecurity consortium taking over the CVE database. However, building trust, governance, and infrastructure around such a system would take significant time and investment.
As Brian Krebs aptly summarized:
“There isn’t really anyone else left who does this, and it’s typically been work that is paid for and supported by the U.S. government — which is a major consumer of this information, by the way.”
Could the Private Sector Step In?
Some have speculated that large security companies might attempt to step in, seeing a strategic opportunity to control one of the most essential resources in modern cybersecurity. But there are risks to privatizing CVE:
- Would access to vulnerability data remain free and open to all?
- Could private ownership introduce conflicts of interest, where some disclosures might be delayed or suppressed for commercial reasons?
- Would smaller vendors, NGOs, journalists, and independent researchers still have a voice in the system?
The very success of CVE has hinged on its neutrality, openness, and accountability. Rebuilding that under corporate control would be an uphill battle.
Potential for a Disjointed Future
Without MITRE’s centralized CVE system, here’s what a fragmented vulnerability landscape might look like:
- Multiple competing vulnerability databases, each with its own numbering and metadata systems, leading to inconsistencies.
- Delayed or incomplete vulnerability disclosures, with no trusted, neutral authority to mediate.
- Increased risk of duplicate efforts (or oversights) in patching and scanning workflows.
- Exploit developers and bad actors leveraging confusion and delays in defensive coordination.
- Patch gaps widening for smaller organizations, open-source projects, and infrastructure operators who lack resources for proprietary tools.
Cybercrime groups, who already move fast and ruthlessly exploit zero-day vulnerabilities, could capitalize on delays in coordinated disclosure and patching caused by a fractured system.