U.S. Government Funding For CVE Cybersecurity Program Set to Expire

The Common Vulnerabilities and Exposures (CVE) program faces an uncertain future as the U.S. government has not renewed its contract to support the initiative through the nonprofit organization MITRE, and it expires today, April 16. Cybersecurity experts are now warning of potential global security consequences.

The CVE program, launched in 1999, has been designed to develop an ID system and help engineers and organizations identify, apply patches, and mitigate vulnerabilities worldwide. Considering a code that begins with the letters “CVE” followed by the year and a unique number—such as CVE-2024-50050 found in Meta’s AI Framework or the Chrome zero-day vulnerability CVE-2025-2783 spotted a few weeks ago—the program organizes and keeps control of global vunerabilities.

The MITRE Corporation has been maintaining and operating the CVE system since its founding and has been consistently receiving financial support from the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) for the past 25 years.

An internal letter sent from Yosry Barsoum, VP and Director of the Center for Securing the Homeland (CHS) at MITRE, to board members of the CVE has been leaked and shared publicly on Bluesky.

“We want to make you aware of an important potential issue with MITRE’s enduring support to CVE,” states the document. “On Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire.”

The Verge has confirmed the information disclosed on the social media platform and reached out to Barsoum who assured that the government is making efforts to continuing to support MITRE, and that, in the meantime, the Common Weakness Enumeration (CWE) program—which focuses on software and hardware vulnerabilities—will also be affected.

Cybersecurity researcher Lukasz Olejnik shared his concerns on X. “The Trump administration will effectively (at least temporarily) cripple the global cybersecurity system,” he wrote in a post. “The consequence will be a breakdown in coordination between vendors, analysts, and defense systems — no one will be certain they are referring to the same vulnerability. Total chaos, and a sudden weakening of cybersecurity across the board.”

By cutting what amounts to penny costs, the Trump administration will effectively (at least temporarily) cripple the global cybersecurity system — CVE. What is CVE? It is a global system for identifying and tracking vulnerabilities that has served as a common language for… pic.twitter.com/WBCdLz0DdT

— Lukasz Olejnik (@lukOlejnik) April 15, 2025

Other experts and organizations, including MITRE, expect to find other funding sources and alternatives for the CVE program to continue its service and operations regularly.