Mitre confirmed that federal funding will run out Wednesday for its central role in operating the Common Vulnerabilities and Exposures (CVE) program, a key system for vulnerability management across industry and the public sector.
After a letter circulated on social media Tuesday indicating that the current contract runs out Wednesday, the not-for-profit organization verified the authenticity of the letter in an email statement to CRN.
[Related: 10 Major Ransomware Attacks And Data Breaches In 2024]
“On Wednesday, April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE) Program and related programs, such as the Common Weakness Enumeration (CWE) Program, will expire,” said Yosry Barsoum, vice president and director of the Center for Securing the Homeland at Mitre, in the statement.
Barsoum added in the statement that the “government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE as a global resource.”
Advertisement
The Mitre letter posted on multiple social media sites Tuesday, which was addressed to a CVE board member and signed by Barsoum, said that the “current contracting pathway” for Mitre’s work on the CVE program will expire Wednesday.
“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure,” Barsoum wrote in the letter.
In an email comment provided to CRN, Bugcrowd founder Casey Ellis said that the CVE program “underpins a huge chunk of vulnerability management, incident response and critical infrastructure protection efforts.”
“A sudden interruption in services has the very real potential to bubble up into a national security problem in short order,” Ellis said in the email comment.