
CVE program to track security flaws is about to lose federal funding

Funding is about to expire for the Common Vulnerabilities and Exposures (CVE) program, the system used by major companies like Microsoft, Google, Apple, Intel, and AMD to identify and track publicly disclosed cybersecurity vulnerabilities. Because every vendor advisory, scanner finding, and patch can point at the same CVE ID, the program lets engineers confirm they are talking about the same flaw, look up what is known about it, and prioritize applying patches or other mitigations.

MITRE, the federally funded organization behind the program, confirmed to The Verge that its contract to "develop, operate, and modernize" CVE will expire on April 16.

The CVE program, first launched in 1999, maintains a database in which participating organizations (CVE Numbering Authorities, such as vendors and security researchers) assign IDs to known cybersecurity vulnerabilities. Each ID consists of the letters "CVE" followed by a four-digit year and a sequence number, such as CVE-2022-27254. That shared identifier lets security professionals track details about vulnerabilities that could affect the devices we use every day and the systems holding information critical to practically everything we do.
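The identifier format described above is simple enough to validate mechanically, and doing so is the first step of the "are we talking about the same vulnerability" coordination the article discusses. The following is an added example, not code from the article or from MITRE: it validates, normalizes and extracts CVE IDs from free text. It encodes the documented syntax (a four-digit year and a sequence number of at least four digits, with longer sequences allowed since the 2014 syntax change); the advisory text it runs over is constructed for the example and is not a real advisory.

```python
import re

# CVE ID syntax: "CVE-" + four-digit year + "-" + a sequence number of at least
# four digits. Longer sequences (e.g. CVE-2014-1234567) have been valid since
# the 2014 syntax change. Case-insensitive so that "cve-2022-27254" is accepted;
# the \b anchors reject trailing junk such as "CVE-2022-27254a".
CVE_ID_RE = re.compile(r"\bCVE-(?P<year>\d{4})-(?P<seq>\d{4,})\b", re.IGNORECASE)


def is_valid_cve_id(s: str) -> bool:
    """True if the whole (stripped) string is one syntactically valid CVE ID."""
    return CVE_ID_RE.fullmatch(s.strip()) is not None


def normalize_cve_id(s: str) -> str:
    """Return the canonical upper-case form, or raise ValueError if malformed."""
    m = CVE_ID_RE.fullmatch(s.strip())
    if m is None:
        raise ValueError(f"not a CVE ID: {s!r}")
    return f"CVE-{m.group('year')}-{m.group('seq')}"


def extract_cve_ids(text: str) -> list[str]:
    """Return the distinct, normalized CVE IDs found in `text`, in first-seen order.

    Two spellings of the same ID (different case) collapse to one entry, which is
    exactly the cross-vendor matching that a shared identifier is meant to enable.
    """
    seen: dict[str, None] = {}
    for m in CVE_ID_RE.finditer(text):
        seen.setdefault(f"CVE-{m.group('year')}-{m.group('seq')}", None)
    return list(seen)


# Constructed sample text for this example; not a real advisory.
SAMPLE_ADVISORY = (
    "Patches are available for CVE-2022-27254 and cve-2022-27254 (same flaw, "
    "different casing), plus CVE-2014-1234567 with a seven-digit sequence. "
    "CVE-2022-123 and CVE-22-1234 are malformed and must be ignored."
)

if __name__ == "__main__":
    print(extract_cve_ids(SAMPLE_ADVISORY))
```

Anything that fails `is_valid_cve_id` should be treated as not yet assigned an identifier rather than silently matched, since a malformed or truncated ID is precisely the kind of ambiguity the program exists to remove.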

Lukasz Olejnik, a security and privacy researcher, said in a post on X that a lack of support for CVE could "disable" cybersecurity systems worldwide. "The result would be a lack of coordination between vendors, analysts, and defense systems — no one would be certain they were referring to the same vulnerability," Olejnik wrote. "Total chaos, and a sudden weakening of cybersecurity across the board."

“The government is making great efforts to support MITRE’s role in the program and MITRE is committed to CVE as a global resource,” Yosri Barsoum, MITRE’s vice president and director at the Center for Securing the Homeland, said in a statement emailed to The Verge. Barsoum also said the change would affect the Common Weakness Enumeration (CWE) program, which catalogs the categories of hardware and software weaknesses that give rise to individual vulnerabilities.

The news was first seen in a leaked letter to CVE board members posted on X and Bluesky. According to a video about the program, MITRE receives funding from the US Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) to “operate and grow the CVE program as an independent, objective third party.”
