HQ/EMEAFind out how we can help your business
The CVE (Common Vulnerabilities and Exposures) database program, a cornerstone of global cybersecurity, narrowly avoided a major disruption after US government funding was extended just hours before a critical deadline. The funding crisis, which sparked alarm across the international security community, highlighted serious concerns about the sustainability of a system relied upon by governments, tech companies, and defenders worldwide.
MITRE warned that the CVE database could shut down without funding, risking global software vulnerability tracking.
MITRE, the non-profit organisation that has operated the CVE database for 25 years, had warned that its contract with the US Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA) was set to expire on April 16, 2025. Without renewal, critical services supporting the CVE database and the related Common Weakness Enumeration (CWE) program would cease, potentially leading to chaos in tracking software vulnerabilities.
The CVE database catalogues more than 274,000 publicly disclosed security flaws and assigns each one a unique CVE ID, allowing security teams, vendors, and governments to communicate clearly about threats. It serves as the global standard for identifying and addressing software vulnerabilities, with major players such as Microsoft and Linux relying on it for coordinated patching efforts.
Former CISA Director Jen Easterly compared losing the CVE system to removing the card catalogue from every library, warning that it would leave defenders disoriented and attackers empowered. Industry experts, including MITRE and cybersecurity firms, stressed that no viable alternative currently exists that matches the CVE system’s global adoption and integration into daily operations.
Amid mounting concern, CISA acted late on April 15 to renew the funding contract for an additional 11 months. However, the short-term nature of the extension triggered further calls for long-term solutions. In response, members of the CVE Board announced the launch of the CVE Foundation, a new non-profit created to ensure the CVE programme’s future independence and stability.
The foundation, developed over the past year by key stakeholders, aims to reduce reliance on a single government sponsor and create a more resilient and community-driven structure. “CVE is too important to be vulnerable itself,” said Kent Landfield, an officer of the new foundation. “The formation of the CVE Foundation removes a single point of failure and reinforces trust in a globally critical system.”
Meanwhile, the European Union is taking steps to diversify the global vulnerability landscape by launching its own EU Vulnerability Database (EUVD), showing that international cooperation on cybersecurity is becoming more vital than ever.
The future of the CVE database now rests on a dual path: the temporary extension of US funding and the emerging support of the CVE Foundation. As cyber threats grow more complex and cross-border, ensuring the continuity and resilience of essential tools like the CVE database is no longer optional — it is imperative.
