After 25 years, MITRE’s Common Vulnerabilities and Exposures (CVE) program will officially end on April 16, 2025, due to the Department of Homeland Security (DHS) not renewing its funding contract. This abrupt decision halts a critical cybersecurity resource used globally for tracking and identifying software vulnerabilities. Although the exact reasons behind the non-renewal remain unclear, MITRE emphasized its continued commitment to the CVE program, even without funding.
Cybersecurity professionals have responded to the news with dismay and concern. Sasha Romanosky from the RAND Corporation labeled the end of the CVE program as “tragic,” stressing that the system is vital for naming, scoring, and responding to vulnerabilities. Similarly, Ben Edwards of Bitsight expressed disappointment and emphasized the importance of continued support. He remained hopeful that other ecosystem players could step in, although he acknowledged the challenges of such a transition.
Loss of MITRE Oversight Threatens Global Vulnerability Tracking and Cybersecurity Coordination Systems
MITRE’s CVE program has long been a foundational pillar of global cybersecurity. It serves as the primary mechanism for identifying and cataloging vulnerabilities, providing crucial data used by products and systems worldwide. The program has played a central role in guiding vulnerability management for government and private sector defenders alike, feeding into resources like NIST’s National Vulnerability Database (NVD) and CISA’s enrichment efforts.

Experts warn that the end of MITRE’s involvement will trigger far-reaching consequences. Without MITRE’s oversight, the CVE Numbering Authorities (CNAs) can no longer submit new records efficiently, and already strained systems like NVD will fall further behind. Brian Martin, a former CVE board member, warned that global vulnerability intelligence—used by governments, corporations, and CERTs—will be disrupted, undermining coordinated cybersecurity efforts worldwide.
Budget Cuts Jeopardize CVE Program, Prompt Private Sector to Fill Critical Security Gap
The termination appears tied to broader government spending cuts under the Trump administration, particularly through initiatives aimed at reducing costs in agencies like the Cybersecurity and Infrastructure Security Agency (CISA). Although CISA’s budget has already been slashed significantly, many insiders argue that the cost of running the CVE program is relatively low and not a major financial burden, making its shutdown puzzling and concerning.
As of April 16, MITRE will stop publishing new CVE entries, though historical data will remain available on GitHub. Private firms like VulnCheck are beginning to step up, with VulnCheck reserving 1,000 CVEs for 2025 and pledging ongoing support. Meanwhile, CISA insists it is working urgently to maintain continuity. Still, the cybersecurity community is bracing for disruptions and uncertainty as it faces a fragile and potentially fragmented future in vulnerability tracking.