US Government Cuts Funding for Vulnerability Management Program

The US government has ended funding for the Common Vulnerabilities and Exposures (CVE) program, a 25-year-old initiative that plays a crucial role in vulnerability management. The program, which assigns unique CVE ID numbers to specific vulnerabilities, will be left without funding unless another entity steps in.

The CVE program, operated by MITRE under a contract with the US Department of Homeland Security, has been a cornerstone of cybersecurity globally. However, with no immediate replacement in sight, concerns are growing about the potential impact on critical infrastructure and national security.

Unless someone else takes over, new vulnerabilities will not be published, and the program’s website may go offline. This could lead to chaos in vulnerability management efforts worldwide. The lack of funding has already prompted calls for the industry to step in and fill the void.

Industry experts warn that a pause in CVE support would put organizations at risk of non-compliance with regulations and directives. With over 40,000 new vulnerabilities published last year alone, the consequences of losing this critical resource are dire.

In an 11th-hour reprieve, the US government has agreed to continue funding the CVE program. However, the long-term implications remain uncertain, and the security industry must be prepared to step in and ensure that vulnerability management efforts continue uninterrupted.

Source: https://www.theregister.com/2025/04/16/homeland_security_funding_for_cve