U.S. President Donald Trump has cut funding for the global database of security flaws, the Common Vulnerabilities and Exposures database from Apr. 16. The not-for-profit organization that runs the database, MITRE, confirmed its contract with the U.S. Department of Homeland Security to operate the CVE Program has not been renewed.
The funding cut for the 25 year old CVE program — which is globally relied upon to identify and mitigate security flaws — is part of a cost-cutting drive by the Trump administration.
The move to cut CVE funding is certainly a concern — especially given how suddenly it seems to have happened. Here is what happened, what it means for global security and what to do next,
What Happened And Why?
MITRE vice president Yosry Barsoum confirmed that U.S. government funding for the CVE database and the Common Weaknesses Enumeration programs will expire now, warning that it could be a disaster for security. The news came via a letter on social network BlueSky.
“On Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire,” Barsoum wrote in a letter published on Bluesky.
“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.”
It comes as the U.S. Department of Homeland Security’s national security research subdivision, the Science and Technology Directorate, will stop current grants and refocus its mission priorities.
“CISA is the primary sponsor for the CVE program, which is used by government and industry alike to disclose, catalog, and share information on technology vulnerabilities that can put the nation’s critical infrastructure at risk,” a CISA spokesperson told me via email.
Although CISA’s contract with the MITRE Corporation will lapse after Apr. 16, CISA said it is “urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely.”
Why Is The Cut To CVE Funding Bad?
Known by all in the security community inside the U.S. and out, the CVE system is a global reference method for publicly-known security flaws.
Launched in 1999, the CVE system is maintained by the U.S. National Cybersecurity FFRDC, operated by The MITRE Corporation, with funding from the US National Cyber Security Division of the US Department of Homeland Security.
CVE IDs are listed on MITRE’s system as well as in the U.S. National Vulnerability Database.
The CVE database is “critical for anyone doing vulnerability management or security research,” and for “a whole lot of other uses,” security journalist Brian Krebbs wrote on Mastodon. “There isn’t really anyone else left who does this, and it’s typically been work that is paid for and supported by the U.S. government, which is a major consumer of this information, btw.”
America’s abrupt pullback from leadership roles “in this case coordinating the near global issue of CVEs for vulnerabilities” will “place a heavy burden on global cyber defenses,” says Ian Thornton-Trump, CISO at Inversion6.
It will impact global response capabilities to CVE exploitation such as “HeartBleed” among vulnerability and attack surface management companies, says Thornton-Trump.
Thornton-Trump concedes the immediate impacts might be “minimal” but says the move is now “helpful to our adversaries.”
Cutting the CVE program funding is “a huge blow to the cybersecurity community,” says William Wright, CEO of penetration testing firm, Closed Door Security. “Many of today’s ransomware attacks and data breaches are executed by adversaries exploiting vulnerabilities. Without a common destination to log vulnerabilities, so organizations can take steps to patch them, they could be more vulnerable to attack.”
The CVE Funding Cut’s Impact On Global Cybersecurity
However, the news might not be quite as bad as it seems. It’s important to understand that MITRE does not operate the National Vulnerability Database, this is run by the U.S. National Institute of Standards and Technology, says Sean Wright, an independent security researcher. “This is an important distinction since most vulnerability scanners use the NVD as the source of vulnerabilities to do their scanning.”
While MITRE does assign CVEs IDs, there are also CVE Naming Authority, that can also assign CVE IDs, says Wright. “It is important to note that while MITRE is the source of CVE IDs, most security tooling leverages the National Vulnerability Database for their source of vulnerabilities. This is operated by NIST, and to the best of our knowledge at this time, the operation of this database will not be impacted.”
He says the recent news about MITRE’s contract would likely only affect new vulnerabilities. “Historical vulnerabilities should not be affected. It’s important to call this distinction out, as there’s already been some confusion.”
The question remains if the contract for MITRE is not renewed, how or if the organization will continue the CVE program, asks Wright, “Given that we now have a larger number of CVE numbering authorities now also issuing CVEs, it is possible that the impact of this recent news may not be as big as first thought. However with the limited information that we have, it’s not possible to tell.”
CVE Funding Cut — What To Do Next
MITRE said historical CVE records will be available on GitHub, but future CVEs still hang in the balance.
Hopefully another organization will step in to provide the funding, or countries will band together to offer support, says Closed Door Security’s Wright. “But until then, the world may have lost one of its greatest security resources.”
It is possible funding will move to one of the big players in global cybersecurity, or perhaps a consortium. “The health of the CVE MITRE database is undoubtedly of global benefit,” says Matt Saunders, DevOps lead at The Adaptavist Group. “There’s an opportunity here for the private sector, who will benefit the most from this, to step up and keep it going in the public interest — though there are also inevitable concerns around it falling into the hands of a single private entity.”
Businesses can prepare by diversifying their threat intelligence sources and monitoring vendor-specific vulnerability feeds, says Jamie Akhtar, CEO and co-founder at cybersecurity outfit CyberSmart. “Organizations should lean more heavily on resources like CISA’s Known Exploited Vulnerabilities list, the NVD (if it remains online), and coordinate closely with software vendors. However, there is no true replacement for CVE.”
For now, the best thing to do is hold tight and use the resources available to you. The CVE funding cut isn’t the end of the world, but it’s still a worrying move that potentially reduces security for everyone.
