End of CVE Program Sparks Concerns Among Cybersecurity Experts

In a surprising move, the Department of Homeland Security (DHS) has decided to let its contract with the nonprofit organization MITRE expire, leaving the future of the Common Vulnerabilities and Exposures (CVE) program uncertain. The contract will officially end at midnight on April 16, 2025, according to a statement from MITRE’s vice president, Yosry Barsoum. With this decision, experts in the field are voicing serious concerns over the potential implications for the cybersecurity landscape.

The CVE program serves as a cornerstone for tracking vulnerabilities in software and is considered a global standard in managing these risks. “Without it, we can’t track newly discovered vulnerabilities,” stated Sasha Romanosky, a senior policy researcher at the Rand Corporation. The loss of the CVE program’s structured approach could severely handicap the ability to gauge the severity of software flaws and take the necessary actions for remediation.

Ben Edwards, a principal research scientist at Bitsight, expressed his disappointment over the contract termination, calling the program a “valuable resource” that deserves continued funding. He noted that while there is hope that other stakeholders might step in to fill the void left by MITRE, a transition would not be without challenges. “The federated framework and openness of the system make this possible, but it’ll be a rocky road if operations do need to shift to another entity,” he commented.

The cessation of the CVE program would have cascading effects on the cybersecurity ecosystem, warned Brian Martin, a vulnerability historian. He explained that without MITRE, the federated model, which allows numerous authorities to assign CVE IDs, would be disrupted, creating immediate ramifications for vulnerability management on a global scale. As the clock ticks down to the contract expiration, uncertainties loom regarding how vulnerabilities will be monitored and managed moving forward.

Sources have indicated that the decision to end funding is tied to broader government budget cuts affecting the Cybersecurity and Infrastructure Security Agency (CISA), which oversees the CVE program. Despite prior reductions in funding, some argue that the cost of maintaining the CVE program is relatively minor compared to cuts in other areas. Meanwhile, CISA has pledged to work urgently to mitigate the impact of this decision, asserting, “We are committed to maintaining CVE services on which global stakeholders rely.”

The future remains uncertain as to how stakeholders in the cybersecurity community will adapt following this critical turning point. Experts are now left to wonder if a private sector alternative will emerge to fill the vacuum, a situation being closely monitored by various institutions.