On April 16, a foundational piece of the world’s cybersecurity infrastructure may quietly grind to a halt. MITRE’s stewardship of the Common Vulnerabilities and Exposures program—a backbone of coordinated vulnerability disclosure for more than two decades—is facing an uncertain future as its U.S. Department of Homeland Security contract expires. Without confirmed renewal or replacement, the industry risks entering a period of dangerous opacity in vulnerability tracking…
For the cybersecurity community, this isn’t a minor bureaucratic lapse. It’s a five-alarm fire.
What CVE and CWE Mean for Cybersecurity
For those outside the security trenches, it’s easy to overlook how essential the CVE and CWE – or Common Weakness Enumeration – programs have become. The CVE program assigns standardized identifiers to software vulnerabilities, making it easier for security researchers, vendors, and IT teams to communicate and prioritize fixes. The CWE program, a related effort, categorizes common coding errors that introduce those vulnerabilities in the first place.
Together, they form the connective tissue for a global ecosystem of security tooling and coordination. From vulnerability scanners to patch management systems and threat intel feeds, thousands of tools and workflows rely on up-to-date CVE data. Vendors use CVEs to issue advisories and coordinate disclosures. Security teams use them to track risks and drive remediation. Even government agencies like CISA and the DoD rely on CVEs as a core part of their threat modeling and defensive planning.
Which is why the looming shutdown is so alarming.
MITRE’s Contract Expires—and There’s No Backup Plan
MITRE has confirmed that its DHS contract to manage the CVE and CWE programs is set to lapse on April 16, 2025, and as of now, no renewal has been finalized. This contract, renewed annually, has funded critical work to keep the CVE program running, including updates to the schema, assignment coordination, and vulnerability vetting.
“Failure to renew MITRE’s contract for the CVE program, seemingly set to expire on April 16, 2025, risks significant disruption,” said Jason Soroko, Senior Fellow at Sectigo. “A service break would likely degrade national vulnerability databases and advisories. This lapse could negatively affect tool vendors, incident response operations, and critical infrastructure broadly. MITRE emphasizes its continued commitment but warns of these potential impacts if the contracting pathway is not maintained.”
MITRE has indicated that historical CVE records will remain accessible via GitHub, but without continued funding, the operational side of the program—including assignment of new CVEs—will effectively go dark. That’s not a minor inconvenience. It could upend how the global cybersecurity community identifies, communicates, and responds to new threats.
A Single Point of Failure in a Global System
Greg Anderson, CEO and founder of DefectDojo, voiced what many in the community are feeling: “MITRE’s confirmation that it is losing DHS funding to maintain the Common Vulnerabilities and Exposures (CVE) program should concern every cybersecurity professional around the world, especially considering that the funding expires tomorrow—leaving no room for anything to be built in its place.”
Anderson added a sobering thought experiment: “If, as expected, the database goes offline tomorrow and only GitHub records remain, every security team has just lost an essential resource for early warnings and a cohesive framework for naming and addressing vulnerabilities.”