Global cybersecurity program CVE developed by ‘the most important company you’ve never heard of’ loses US federal funding, say reports
A critical cybersecurity program called Common Vulnerabilities and Exposures (CVE) and relied upon by the US government and organizations around the world has reportedly lost its US federal funding, according to a leaked internal communication and subsequent media coverage.
Yosry A. Barsoum, vice president and director of the Center for Securing the Homeland at MITRE, informed members of the CVE Board in a letter dated April 15 that the contract supporting the program and related programs were ending.
“On Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire,” Barsoum wrote. The letter surfaced on social media shortly after.
Cybersecurity reporter David DiMolfetta of Nextgov/FCW reported that a spokesperson for the Cybersecurity and Infrastructure Security Agency (CISA) confirmed the agency was the primary sponsor of the CVE Program and stated it was “urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely.”
Established in 1999 by MITRE, the CVE system provides a standardized method for identifying and tracking publicly disclosed cybersecurity vulnerabilities. Each vulnerability is assigned a unique CVE identifier, allowing information technology professionals to share, prioritize and address software flaws more effectively. The program is widely regarded as the de facto international standard for vulnerability identification.
MITRE, a not-for-profit organization, has played a foundational role in US cybersecurity and national defense innovation since its inception in 1958. Sponsored by the U.S. Air Force to lead development of the Cold War-era Semi-Automatic Ground Environment (SAGE) air defense system, MITRE was created to bridge academia and industry as an independent advisor to the federal government. The organization has since contributed to advances across radar systems, cybersecurity, aviation safety, GPS, cancer research, artificial intelligence and synthetic biology.
Fast Company once described MITRE as “the most important company you’ve never heard of.” Its intellectual property supports national and global security efforts in aviation, healthcare and cybersecurity.
In response to the reported loss of federal funding, VulnCheck, an exploit intelligence firm that supports vulnerability prioritization, pledged its support for MITRE and the CVE program.
“VulnCheck is actively monitoring the MITRE situation, and will ensure that our customers, partners, and the entire cybersecurity community will have continued access to timely, accurate vulnerability data,” said VulnCheck founder and CEO Anthony Bettini in a press release.
The company announced several measures to help mitigate potential service disruption. These include continuing CVE assignments, pre-allocating 1,000 CVE identifiers for 2025, and providing CVE List V5 to its Community intelligence tier starting April 16.
VulnCheck also launched a vulnerability reporting service at https://vulncheck.com/advisories/report, and reaffirmed its commitment to supporting CVE Numbering Authority (CNA) collaboration within the cybersecurity ecosystem.
