The Common Vulnerability and Exposures, or CVE, repository holds the answers to some of information security's most vital questions. Namely, which security issue are we talking about, exactly, and how does it work? The 25-year-old CVE program, an essential part of global cybersecurity, is cited in nearly any discussion or response to a computer security issue, including Ars posts.

CVE was at real risk of closure after its contract was set to expire on April 16. The nonprofit MITRE runs CVE and related programs (like Common Weakness Enumeration, or CWE) on a contract with the US Department of Homeland Security (DHS). A letter to CVE board members sent Tuesday by Yosry Barsoum, vice president of MITRE, gave notice of the potential halt to operations.

"If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure," Barsoum wrote.

Late Tuesday, the Cybersecurity & Infrastructure Security Agency (CISA) "executed the option period on the contract" to ensure a continuation of services, CISA told security site BleepingComputer. "We appreciate our partners' and stakeholders' patience," a CISA spokesperson was quoted as saying. Nextgov reports that CISA's extension is for 11 months. News reports have cited midnight on either April 15 or 16 as the potential time when CVE funding would expire.

The potential loss of crucial infrastructure for global cybersecurity led some CVE board members to launch the CVE Foundation, a nonprofit pledged to ensure a more secure future for the CVE program than the US government can provide at the moment. "While we had hoped this day would not come, we have been preparing for this possibility," the group's press release said.

"CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself," Kent Landfield, an officer of the foundation, said in the release.

CVE funder DHS under fire

The second Trump administration moved quickly to target DHS and CISA for deep cuts and reorganizations, including CISA's Cyber Safety Review Board. The most recent contract for MITRE to maintain CVE involves a potential payout of about $40 million, launched on April 26, 2024, and potentially expiring on April 25 of this year. Homeland Security Secretary Kristi Noem has sought cuts at the agency, which GOP lawmakers have targeted for allegedly censoring conservative viewpoints by seeking to remove election disinformation. Trump previously fired Chris Krebs, head of CISA, who disputed Trump's claims of election fraud in 2020. CISA was created in 2018 during Trump's first presidential term.

CVE operates as a clearinghouse for vulnerabilities, assigned and numbered by more than 450 CVE Numbering Authorities (CNAs) from 40 countries. The CNAs include the majority of large tech players, including Amazon, Google, Apple, and Meta, along with groups like the Apache Software Foundation, GitHub, Mozilla, and others. By numbering CVEs—starting with "CVE" and the year, like the CVE-2025-24201 that recently affected iOS devices—and using standardized descriptions of severity, affected products, and solutions, security professionals, researchers, journalists, and others can better understand and fix vulnerabilities.

"If MITRE's funding goes away, it causes an immediate cascading effect that will impact vulnerability management on a global scale," Brian Martin, CSO of the Security Errata project and former CVE board member, wrote on LinkedIn on Tuesday. Martin described a world without common CVE data as creating clashing and incomplete national and corporate vulnerability databases, along with more vulnerabilities at organizations relying on CVEs for awareness.
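The identifier format described above (the "CVE" prefix, the year, and a sequence number) is what lets tooling across vendors and databases refer to the same issue. As an added illustration, not code from the article, MITRE, or any CNA, the following Python parser validates and extracts CVE IDs from free text. It assumes the published CVE ID syntax: a four-digit year followed by a sequence number of at least four digits (the 2014 syntax change removed the old four-digit cap), and a year no earlier than 1999, when the program began. The sample advisory text is constructed; only CVE-2025-24201 is taken from the article, and the other IDs are placeholders.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# CVE identifier syntax: "CVE-" + four-digit year + "-" + sequence number of at
# least four digits. The year is when the ID was reserved or published, not when
# the flaw was found, so reserved IDs never carry a future year.
_CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
_FIRST_CVE_YEAR = 1999  # the CVE program started in 1999


@dataclass(frozen=True)
class CveId:
    year: int
    sequence: int

    def __str__(self) -> str:
        # Canonical form: upper-case prefix, sequence padded to at least four digits
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(token: str, max_year: Optional[int] = None) -> Optional[CveId]:
    """Return a CveId if `token` is exactly one well-formed CVE ID, else None."""
    if max_year is None:
        max_year = date.today().year
    m = _CVE_RE.fullmatch(token.strip())
    if m is None:
        return None
    year, sequence = int(m.group(1)), int(m.group(2))
    # Reject years outside the program's lifetime (typos such as CVE-1998-0001)
    if not (_FIRST_CVE_YEAR <= year <= max_year):
        return None
    return CveId(year, sequence)


def extract_cve_ids(text: str, max_year: Optional[int] = None) -> list:
    """All distinct, well-formed CVE IDs in free text, canonicalised, in order of
    first appearance. Malformed look-alikes and duplicates are dropped."""
    seen, found = set(), []
    for m in _CVE_RE.finditer(text):
        cve = parse_cve_id(m.group(0), max_year)
        if cve is None:
            continue
        canonical = str(cve)
        if canonical not in seen:
            seen.add(canonical)
            found.append(canonical)
    return found


# Constructed sample advisory text (not from the article). CVE-2025-24201 is the
# iOS ID the article mentions; every other ID below is a made-up placeholder.
SAMPLE_ADVISORY = """
Fixed in this release: CVE-2025-24201 (iOS) and cve-2024-12345 (placeholder).
Duplicate mention: CVE-2025-24201. Malformed: CVE-25-1234 and CVE-2024-123.
Bogus year: CVE-1998-0001. Short sequence with padding: CVE-2023-0001.
"""

if __name__ == "__main__":
    for cve in extract_cve_ids(SAMPLE_ADVISORY):
        print(cve)
```

The word boundaries in the pattern keep prefixes such as a stray letter glued to "CVE" from matching, and `fullmatch` in `parse_cve_id` means a token that merely contains an ID is rejected when one exact ID is expected; `extract_cve_ids` is the loose, scan-everything counterpart for advisories, tickets, and log lines.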