MITRE Issues Warning: CVE Program Funding Runs Out Today
MITRE Vice President Yosry Barsoum has issued a warning that U.S. government funding for the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) programs is set to expire today—an event that could significantly disrupt the global cybersecurity landscape.
Of the two, CVE is particularly critical. Maintained by MITRE with support from the U.S. Department of Homeland Security’s National Cyber Security Division, the CVE program plays a vital role in ensuring consistency, clarity, and standardized communication around security vulnerabilities.
Hundreds of organizations around the world — known as CVE Numbering Authorities (CNAs) — are authorized by MITRE to assign official CVE identifiers to newly discovered software flaws. These CNAs range from government agencies and national cybersecurity teams to private software vendors and bug bounty platforms.
At the heart of this system is MITRE, a cornerstone of global cybersecurity infrastructure. By centralizing and standardizing vulnerability data, it supplies an essential feed for countless security tools and services, helping defenders identify and fix weaknesses before attackers can exploit them.
In a letter sent today to the CVE board, MITRE Vice President Yosry Barsoum warned that on April 16, 2025, “the current contracting pathway for MITRE to develop, operate and modernize CVE and several other related programs will expire.”
“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure,” Barsoum wrote – see full letter below.

The program is funded by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), which is currently contending with significant budget and personnel reductions under the Trump administration.
Without the CVE program, corporate risk managers would be forced to track multiple disparate sources for information on emerging vulnerabilities that could threaten their IT systems. The result? A higher likelihood of misjudging the urgency of software updates — potentially leaving exploitable flaws unpatched for longer periods.

Blogger at www.systemtek.co.uk