The CVE program for tracking security flaws is about to lose federal funding

The CVE (Common Vulnerabilities and Exposures) program, used by major companies to track security flaws, will lose federal funding starting April 16th.
The CVE program, developed and operated by MITRE, a federally funded organization, has been tracking publicly disclosed cybersecurity vulnerabilities since its launch in 1999.
A lack of support for CVE could “cripple” cybersecurity systems globally, leading to a breakdown in coordination between vendors, analysts, and defense systems, according to security researcher Lukasz Olejnik.
The change will affect not only the CVE program but also the Common Weakness Enumeration (CWE) program, which catalogs hardware and software weaknesses.
MITRE remains committed to CVE as a global resource, despite the funding loss, and continues to receive support from the US Department of Homeland Security and the Infrastructure Security Agency (CISA).

Funding is about to run out for the Common Vulnerabilities and Exposures (CVE) program – a system used by major companies like Microsoft, Google, Apple, Intel, and AMD to identify and track publicly disclosed cybersecurity vulnerabilities. The program helps engineers identify how bad an exploit is and how to prioritize applying patches or other mitigations.

MITRE, the federally funded organization behind the program, confirmed to The Verge that its contract to “develop, operate, and modernize” CVE will expire on April 16th.

First launched in 1999, the CVE program houses a database where participating organizations can assign IDs to known cybersecurity vulnerabilities. The IDs consist of the letters “CVE” followed by a year and a number, such as CVE-2022-27254, allowing security professionals to monitor details about the vulnerabilities that may impact the devices we use every day and systems that contain information critical to practically everything we do.

Lukasz Olejnik, a security and privacy researcher, said in a post on X that a lack of support for CVE could “cripple” cybersecurity systems around the globe. “The consequence will be a breakdown in coordination between vendors, analysts, and defense systems — no one will be certain they are referring to the same vulnerability,” Olejnik wrote. “Total chaos, and a sudden weakening of cybersecurity across the board.”

“The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE as a global resource,” Yosry Barsoum, MITRE’s vice president and director at the Center for Securing the Homeland, said in an emailed statement to The Verge. Barsoum also said the change will affect the Common Weakness Enumeration program, which catalogs hardware and software weaknesses.

The news was first spotted in a leaked letter to MITRE board members posted on X and Bluesky. MITRE receives funding from the US Department of Homeland Security (DHS) and the Infrastructure Security Agency (CISA) to “operate and evolve the CVE Program as an independent, objective third party,” according to a video about the program.

link

Q. What is the CVE program used for?

A. The CVE program is used by major companies like Microsoft, Google, Apple, Intel, and AMD to identify and track publicly disclosed cybersecurity vulnerabilities.

Q. Who is behind the CVE program?

A. MITRE, a federally funded organization, is behind the CVE program.

Q. What will happen to the CVE program’s funding?

A. The CVE program’s contract with the US Department of Homeland Security (DHS) and the Infrastructure Security Agency (CISA) will expire on April 16th, resulting in a loss of federal funding.

Q. How long has the CVE program been around?

A. The CVE program was first launched in 1999.

Q. What is the purpose of the CVE database?

A. The CVE database allows participating organizations to assign IDs to known cybersecurity vulnerabilities, making it easier for security professionals to monitor and track them.

Q. Who warned about the potential consequences of losing CVE funding?

A. Lukasz Olejnik, a security and privacy researcher, warned that a lack of support for CVE could “cripple” cybersecurity systems around the globe.

Q. How will the loss of CVE funding affect other programs?

A. The change in funding will also affect the Common Weakness Enumeration program, which catalogs hardware and software weaknesses.

Q. Who is committed to continuing the CVE program as a global resource?

A. Yosry Barsoum, MITRE’s vice president and director at the Center for Securing the Homeland, stated that the government continues to support MITRE’s role in the program.

Q. What will be the impact of losing CVE funding on cybersecurity coordination?

A. A lack of support for CVE could lead to a breakdown in coordination between vendors, analysts, and defense systems, resulting in “total chaos” and a weakening of cybersecurity across the board.