
MITRE CVE Program Funding Set To Expire




MITRE’s CVE program has been an important pillar in cybersecurity for over two decades. The uncertainty surrounding the program’s future leaves it unclear how newly discovered vulnerabilities will be cataloged.

Background

On April 15, reports circulated that the contract for funding the Common Vulnerabilities and Exposures (CVE) program along with other related programs, such as Common Weakness Enumeration (CWE), would be expiring on April 16. The letter below was sent to CVE Board Members and published on social media and other fora announcing the expiration of these programs:

Letter from MITRE to CVE Board Members


The legitimacy of this letter and its contents was confirmed by cybersecurity journalist Brian Krebs in a post on Mastodon. Tenable has also independently confirmed the letter’s legitimacy.

CVE program importance

While flawed in some ways, the CVE program, which recently celebrated its 25th anniversary, has been an important pillar in cybersecurity for over two decades. It provides a common taxonomy for cybersecurity solutions and organizations to track vulnerabilities and exposures. Between its launch in 1999 and the end of 2024, the CVE program published over 250,000 CVEs.

Risk to CVE program

With funding for the CVE program reportedly set to expire on April 16, the biggest concern is that CVE Numbering Authorities, or CNAs, will no longer be able to reserve and assign CVEs for newly discovered vulnerabilities. While CNAs typically try to reserve a block of CVEs, the lack of transparency about the future of the CVE program creates uncertainty about how newly discovered vulnerabilities will be handled. The historical CVE database will remain intact on GitHub following the expiration of the CVE program. However, MITRE’s CVE program also provides a centralized repository of CVEs from which many organizations fetch data, and this may disappear. Without this centralized repository, it will be difficult going forward to track new and noteworthy vulnerabilities under a common identifier.

Tenable’s response to the potential expiration of the MITRE CVE program

Tenable is closely monitoring the situation surrounding the possible expiration of the CVE program funding.

Last year, when we learned about NIST’s National Vulnerability Database (NVD) experiencing delays surrounding analysis efforts, we highlighted that Tenable Vulnerability Management products utilize a diverse range of sources for CVSS scoring and our customers experienced little to no impact.

As a provider of vulnerability scanning technology, we are not dependent on the CVE program directly for our vulnerability coverage. We develop our vulnerability coverage against vendor advisories directly, and will continue to do so, so long as vendors make those advisories available, whether they contain CVE identifiers or not. Tenable also provides its customers with a richly sourced and curated Vulnerability Intelligence feed that provides contextualized information for any given vulnerability, regardless of whether it has a CVE assignment.

Tenable is a CNA, and we allocate CVEs for our vulnerability disclosures through our Tenable Research Advisories page. We have also reserved a large number of CVE designators for disclosures to ensure the cybersecurity community has a clear identity for vulnerabilities discovered in the future.

As new developments surrounding the CVE program emerge, we will update this blog post accordingly.
