CVE wake-up call: What's ahead after the MITRE funding fiasco
Blog post from Sysdig
On April 15, 2025, the cybersecurity community was jolted by the announcement that the U.S. government would not be renewing its contract with MITRE to manage the Common Vulnerabilities and Exposures (CVE) Program, which MITRE has overseen for 25 years. This sudden development raised concerns about the future of vulnerability tracking, as MITRE plays a crucial role in assigning and managing CVE IDs, working alongside organizations like CISA and Red Hat. However, CISA has temporarily extended MITRE's funding, providing a brief respite. The contract is set to expire in 11 months, and that deadline has prompted discussions on alternative governance structures for the CVE Program, such as the CVE Foundation. The situation highlights the need for decentralizing vulnerability management and exploring solutions like the EUVD and GCVE, as federal budget cuts and lapsing cyber contracts, including those affecting MS-ISAC and the Election ISAC, create instability in the cybersecurity landscape. Organizations are encouraged to diversify their sources of vulnerability intelligence and strengthen partnerships to ensure resilience in the face of potential changes in the management of cybersecurity vulnerabilities.