News: 1744761647

Uncle Sam abruptly turns off funding for CVE program. Yes, that CVE program

(2025/04/16)


US government funding for the world's CVE program – the centralized Common Vulnerabilities and Exposures database of product security flaws – ends Wednesday.

The 25-year-old CVE program plays a huge role in vulnerability management. It is responsible for overseeing the assignment and organizing of unique CVE ID numbers, such as [1]CVE-2014-0160 and [2]CVE-2017-5754, for specific vulnerabilities, in this case OpenSSL's [3]Heartbleed and Intel's [4]Meltdown, so that when referring to particular flaws and patches, everyone is agreed on exactly what we're all talking about.

It is used by companies big and small, developers, researchers, the public sector, and more as the primary system for identifying and squashing bugs. When multiple people find the same hole, CVEs are useful for ensuring everyone is working toward that one specific issue.

While the whole world's vulnerability management efforts aren't going to descend into chaos overnight, there is a concern that in a month or two they may. The lack of US government funding means that, unless someone else steps in to fill the gap, this standardized system for naming and tracking vulnerabilities may falter or shut down, new CVEs may no longer be published, and the [5]program's website may go offline.

Not-for-profit outfit MITRE has a contract with the US Department of Homeland Security to operate the CVE program, and on Tuesday the group confirmed this arrangement has not been renewed. This comes as the Trump administration scours around the federal government for costs to trim.

"On Wednesday, April 16, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures Program and related programs, such as the Common Weakness Enumeration Program, will expire," Yosry Barsoum, MITRE's vice president and director at the Center for Securing the Homeland, told The Register.

"The government continues to make considerable efforts to support MITRE's role in the program and MITRE remains committed to CVE as a global resource," Barsoum added.

The Common Weakness Enumeration program is a centrally managed [9]database of bug types.

The expiration came to light after a letter sent to CVE program board members was [11]leaked on Bluesky. In that memo, Barsoum confided:

If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.

Historical CVE records will at least remain [12]available at GitHub.

"CVE is a cornerstone of cybersecurity, and any gaps in CVE support will put our critical infrastructure and national security at unacceptable risk," Luta Security founder and CEO Katie Moussouris, who pioneered Microsoft's vulnerability disclosure program, told The Register.

"All industries worldwide depend on the CVE program to keep their heads above water when it comes to managing threats, so an abrupt halt like this would be like depriving the cybersecurity industry of oxygen and expecting it to spontaneously sprout gills," Moussouris said.

It basically works like this: When an individual researcher or an organization discovers a new bug in some product, a CVE program partner — there are currently [13]a few hundred across 40 countries — is asked to assess the vulnerability report and [14]assign a unique CVE identifier for the flaw if and as necessary.

The program is [16]sponsored, and largely [17]funded, by the Cybersecurity and Infrastructure Security Agency, aka CISA, under the umbrella of the US Department of Homeland Security.

"I can say that, having been in this industry for longer than CVEs themselves, it won't be good," Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, told The Register.

"Before CVEs, each company referred to vulnerabilities using their own vernacular," he added. "Customers were confused about whether they were protected or impacted from a particular bug. And that was a time when there were much fewer companies and infinitely fewer bugs."

To put this in perspective: More than [18]40,000 new CVEs were published last year.

"If MITRE were to lose funding for the CVE, we can expect considerable confusion again until someone else picks up the flag," Childs continued, noting that this would require some sort of industry consortium — but nothing along those lines currently exists.

"Vulnerability management will become a mess as enterprises struggle to confirm they are in compliance with regulations and directives," he said. "Let's hope this is resolved quickly."

VulnCheck, a private vulnerability intel company that is also a CVE Naming Authority, aka CNA, on Tuesday said it has proactively [24]reserved 1,000 CVEs for 2025.

Still, this only preserves the functionality of the program for a couple of months at best.

"MITRE, as a CNA, issues between 300-600 CVEs each month, so by reserving 1,000 hypothetically, we can assign a CVE to vulnerabilities for 1-2 months as long as the core service continues," Patrick Garrity, security researcher at VulnCheck, told The Register.

"The CVE program is a critical resource globally used by nearly every organization in the world, so the implications of a pause will have downstream implications for security tooling, security teams, and every organization that cares about security," he added.

"It would be terrible to see government funding for the CVE program go away, but we also believe that this is a time when the security industry needs to step in to fill the void." ®



[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754

[3] https://www.theregister.com/2014/04/09/heartbleed_explained/

[4] https://www.theregister.com/2018/01/02/intel_cpu_design_flaw/

[5] https://cve.mitre.org/

[9] https://cwe.mitre.org/

[11] https://bsky.app/profile/tib3rius.bsky.social/post/3lmulrbygoe2g

[12] https://github.com/CVEProject

[13] https://www.cve.org/PartnerInformation/ListofPartners

[14] https://blog.httpcs.com/en/cve-en/

[16] https://www.cisa.gov/known-exploited-vulnerabilities#:~:text=The%20CVE%20Program%20is%20sponsored,catalog%20publicly%20disclosed%20cybersecurity%20vulnerabilities.

[17] https://www.usaspending.gov/award/CONT_AWD_70RCSJ23FR0000015_7001_70RSAT20D00000001_7001

[18] https://jerrygamblin.com/2025/01/05/2024-cve-data-review//

[24] https://www.linkedin.com/feed/update/urn:li:activity:7318000766122618881/



ZaphodHarkonnen

I really wish that this surprises me but it doesn't.

80 years of truly staggering amounts of soft power. Pissed away in just a few months. It would be hilarious if it wasn't so stupid and terrifying.

When wet dreams become reality.

elDog

Lots of fun characters around the world are looking to create some new mischief. Cue the NORKs, the "Internet Research Agency" in the USSR, etc.

Since a lot of the CVEs have to do with industrial control systems this could be a fun time to handle crises at major utilities.

in_for_the_fun

Unfortunately the fine article doesn't mention how much the classification of those 40.000 2024 vulnerabilities cost. Is there any good reason why this money should come out of the USA taxpayers' pockets only? Is there a good reason why all this money ends up in US employees' pockets? Shouldn't the other international stakeholders pay their share (or get paid) for the operation of this useful service?

doublelayer

As the article said, one possibility is to fund this by voluntary contributions from companies. I honestly wouldn't be surprised if that happened because this is commonly used, though let's remember that sometimes, companies that do something like this try to exert some control over it, for example [1]Google's version where you had to register with them for the privilege of reading it . If some other government wants to fund it, those of us who work in security will be happy to see their funding used to keep the service alive. The general utility of it is why it made sense to fund it as a public good, but I don't remember too many governments volunteering to help with the bill.

As for shouldn't non-Americans be paid for it, until now, the funding was coming from the US government. Is it that surprising that they chose a US institution to manage it? You can complain about it being US-run or you can complain about the US having to pay for all of it, but trying to complain about both simultaneously makes you sound like you just want to complain and are using all available paths to do so. The [2]contract isn't clear about the amounts. From my reading, Mitre received $29 million for two years, but I'm not sure that all the $14.5 million annually went to the various databases listed. Mitre does various other things, and I don't know if any of those were also included in the contract.

[1] https://www.theregister.com/2021/02/11/google_osv_database

[2] https://www.usaspending.gov/award/CONT_AWD_70RCSJ23FR0000015_7001_70RSAT20D00000001_7001

elbento

Read the first comment. This isn't just a transactional service, years of soft diplomacy are built on this kind of stuff. Without that, US hegemony is destabilised even further.

that one in the corner

> Shouldn't the other international stakeholders pay their share

That is the direct Trumpian line: the US should pull out of anything where they are "being taken advantage of".

BUT even making "Is there any good reason why this money should come out of the USA taxpayers' pockets only?" the first - or only - question to ask is going about things arse backwards.

The first, the most important, question, whose answer overrules anything else, is: "Do we - the US - risk more costs by NOT having this programme?" (or "Are we getting our money's worth?" or "Will we really, really regret not spending this?" or a dozen other ways to ask the same thing). To which the answer is YES!

If we accept that the US taxpayer paying for this is in its own interests, should they keep it to themselves? Well, will that be cost-effective? Nope, of course it won't, don't be ridiculous. Bug hunting is a world-wide endeavour. If the US list is only visible to the US, why would anybody in any other country ever bother handing over information they've found? Especially if there was any cost attached to finding it. So should the US pay the costs of all these bug hunters across the globe just to fill the US database? Is there a cheaper option? How about - just let the database be readable by everyone and accept submissions by everyone. Not only does the US then gain even more for its money, it saves on having to set up the systems to prevent global access whilst still allowing full access within the US: unless a Great American Firewall sounds like something that ought to be built anyway.

The bottom line is that it is far, far cheaper to run a globally useful system like this than not to run it. Even when you just look at the cost benefits of one player.

To risk it just because you want to ask "why should we be the only ones to pay?" is the absolute epitome of cutting off one's nose to spite one's face. It is putting paranoia and xenophobia before even bothering to calculate the balance sheet.

"But, but, everyone else is ripping us off! They should pay! It doesn't matter if we are acting solely in our own interests, if *we* are getting far more value back than we are spending, *they* don't deserve to get anything for free!".

Ah, the clarion call of the truly mean spirited.

And those unable to comprehend Soft Power and that they are getting back even more value than they have bothered to write into their spreadsheets whilst reading the above: there is a reason why, when buying a business, you pay for the Goodwill that has been accrued.

No wonder the prices of hotdogs and marshmallows are rising...

chuckufarley

...the world may be burning but people still have to eat.

I'm GLAD I remembered to XEROX all my UNDERSHIRTS!!