The last few days in the cyber security world have been very unnerving. Not because of a new exposure, not because of a ransomware attack, not even because the latest slew of PII has been splattered across the dark web. No, this time it is a threat to the way that every vulnerability is tracked worldwide.
Anyone who has held a role in operational IT, SecOps, Risk and Compliance, or Cyber will be well aware of one of the most widely used three-letter acronyms: CVE.
For those unaware, CVE stands for Common Vulnerabilities and Exposures. To put it in really simple terms, it has given the world a common way to identify and track known information security vulnerabilities and the exposures that arise from them.
This article isn’t meant to describe how to use the CVE database, the fields it provides or which vendors and products make use of it. It is meant to give a short rundown of the developments of the last few days (April 2025).
Who is involved?
The CVE system has been running for over 25 years, since September 1999, and is publicly available here. It has over 450 partners, who typically use the database to give their users a consistent way to track worldwide security threats, but who also contribute to it (as can the general public).
From its inception it has been funded by the MITRE Corporation and the US National Cybersecurity FFRDC. To many readers of this article this wouldn’t raise even an eyebrow – why would it?
MITRE is a not-for-profit organisation managing federally funded research, but it is best known in the cybersecurity arena for the MITRE ATT&CK framework, launched in 2015. This framework, again put simply, provides a publicly accessible set of models, techniques and a knowledge base of threat activity. It has been used by the FBI, the NCSC and, I would argue, a good percentage of cyber security vendors and consultancies.
Who are the US National Cybersecurity FFRDC? They are an arm of MITRE, commonly known as NCF. Their job is to encourage the adoption of secure technologies, foster innovation and provide practical guidance.
So what is the problem?
On 15th April, a leaked letter from Yosry Barsoum, a VP at MITRE, warned that the contract between MITRE and the US government was due to expire the following day. This contract was awarded to MITRE by CISA (the Cybersecurity and Infrastructure Security Agency) and covered both the CVE and CWE (Common Weakness Enumeration) programmes.
This leak sent shockwaves around the cybersecurity world, because software, processes, operations and personnel rely heavily on the database not only being available, but also being current.
After 24 hours of panic, Yosry Barsoum put out the following statement:
“Thanks to actions taken by the government, a break in service for the CVE Program, and the Common Weakness Enumeration (CWE) Programme has been avoided. As of Wednesday morning, 16 April, 2025, CISA identified incremental funding to keep the programmes operational. We appreciate the overwhelming support for these programmes that have been expressed by the global cyber community, industry, and government over the last 24 hours. The government continues to make considerable efforts to support Mitre’s role in the program and Mitre remains committed to CVE and CWE as global resources.”
So the contract has been extended by 11 months, to March 16, 2026. Great news, right? Or is it?
The Ongoing Issue
Well, first off, this contract may have been extended, but that is not true for all MITRE contracts. In fact, MITRE has been hit by DOGE redundancies to the tune of 400 roles, taking effect as soon as June this year. The lack of future funding for a system so critical, not just to the US but worldwide, shows that the vulnerability supply chain is as weak as any other.
This instability is compounded by the political changes in the US. With more than just trade wars in play, it may prompt a more decentralised approach to CVE. It will certainly push the question of what action, if any, to take in the next 12 months into many government conversations.
What are the alternatives?
The European equivalent of CVE was announced last year and swiftly brought online last week by ENISA (European Network and Information Security Agency), in accordance with the NIS2 directive; it can be found here.
Although this could provide some continuity should the CVE database funding cease next year, it isn’t neutral (much like CVE) and it isn’t decentralised.
Interestingly, members of the existing CVE board have registered a domain and put out a statement (which can be found here) declaring their intention to found a neutral platform that would take over from MITRE and from the US government.
They claim to have been working on this for the past 12 months and intend to provide further details of their strategy over the coming days and weeks.
On top of that, Luxembourg – a country famous for its neutrality – has publicised its own CVE project, GCVE, which intends to build on and enhance the existing CVE system without being reliant on any single authority.
I’m sure there are many other CVE-esque projects being spun up as we speak, and it certainly seems like a race to ‘take over’, a bit like the VHS vs Betamax battle of the 80s (not that I’m old enough to remember, obviously) or, for you younger folk, iOS vs Android.
Until then, it will be interesting to see what the heavily funded cybersecurity companies decide to do, as CVE is foundational to many of their products and that may well sway the decision. But one thing is glaringly obvious: if this issue isn’t resolved, a big hole could be left in almost every product, every process and the established way of tracking threats in organisations worldwide. Let’s watch this space…