Introduction
For over two decades, the Common Vulnerabilities and Exposures (CVE) program has served as a cornerstone of global cybersecurity infrastructure. By providing standardized identifiers for publicly known security flaws, CVE has enabled security professionals to speak a common language when discussing vulnerabilities. This naming system has been embraced by major tech companies such as Microsoft, Google, Apple, Intel, and AMD, and powers countless vulnerability databases and security tools worldwide (The Verge).
However, in April 2025, the CVE program entered a crisis. MITRE Corporation, the U.S. non-profit that had managed CVE since its inception, announced it would be stepping down from its leadership role due to the expiration of its government contract. This raised serious concerns about the continuity of the CVE list and the future of this critical resource. This article explores MITRE’s historic role in CVE, the reasons for its withdrawal, the global cybersecurity implications, and the formation of a new independent foundation to secure CVE’s future. We’ll also examine how the cybersecurity community reacted to the transition.
Background of the CVE Program and MITRE’s Role
CVE was launched in 1999 by MITRE to standardize the identification of software vulnerabilities (The Verge). Funded by the U.S. government, MITRE maintained the central CVE list under the oversight of the Department of Homeland Security (DHS) and its agency CISA, with an annual budget of approximately $40 million (Krebs on Security). MITRE also managed the CVE Board, a global expert committee, and coordinated over a hundred CVE Numbering Authorities (CNAs). This federated model enabled tens of thousands of new vulnerabilities to receive unique CVE identifiers each year, feeding into systems like the NIST National Vulnerability Database (NVD). MITRE also ran related projects like CWE (Common Weakness Enumeration).
Why MITRE Stepped Down
The crisis stemmed from the DHS/CISA decision not to renew MITRE’s contract past April 16, 2025. In a letter dated April 15, MITRE informed the CVE Board it could no longer sustain the system without funding (CVE Foundation). U.S. federal budget constraints appear to be a key factor (Krebs on Security). While similar funding uncertainties had occurred before, none had reached such a critical point (Krebs on Security).
Beyond budgetary issues, the centralized funding model had long raised concerns. Tying a global resource like CVE to a single government was seen as a structural risk (CVE Foundation). MITRE affirmed its commitment to CVE and CWE, but warned it could no longer maintain the system beyond the contract deadline. Without intervention, CVE.org would eventually shut down, and historical records would be archived on GitHub.
Global Cybersecurity Implications
The potential loss of CVE would be seismic. Jen Easterly, former CISA Director, compared CVE to the “Dewey Decimal System for cybersecurity” (Krebs on Security). Its absence would:
- Break the common language: Without CVE IDs, identifying and coordinating around the same vulnerability becomes chaotic (The Verge).
- Degrade vulnerability databases: Systems like the NVD couldn’t ingest new entries, rendering them outdated.
- Disrupt defense tools: CVE powers vulnerability scanners, patch managers, and SIEM tools. Without it, detection suffers (Krebs on Security).
- Delay patches, favor attackers: Fragmented info increases the risk of missing or misprioritizing fixes (Krebs on Security).
CVE is the backbone of cybersecurity. Its interruption would weaken global defenses.
The CVE Foundation: A New Chapter
To ensure continuity, a coalition of CVE Board members launched the CVE Foundation on April 16, 2025. This independent, nonprofit body is tasked with safeguarding CVE’s long-term stability and neutrality.
The foundation’s goals are to:
- Continue delivering high-quality vulnerability identifiers
- Ensure independence from any single government sponsor
- Foster international, community-driven governance (CVE Foundation).
Kent Landfield of Trellix summarized it best: “CVE is too important to be vulnerable itself.” The foundation will reflect the global nature of today’s threats and build resilience by spreading governance and funding across multiple stakeholders.
A transitional solution was also enacted: CISA extended MITRE’s contract by 11 months, ensuring uninterrupted service into early 2026.
Community Reactions
The cybersecurity community responded with alarm and urgency. Security professionals took to social media to voice their concerns. John Hammond of Huntress called it a loss of the field’s “language and vocabulary” (Krebs on Security).
Industry leaders, many of whom sit on the CVE Board, rallied to support the transition. The new foundation was widely welcomed as a balanced, neutral way forward.
On the government side, CISA’s emergency action demonstrated the U.S. government’s commitment to CVE. Meanwhile, ENISA launched the European Vulnerability Database (EUVD) as a complementary initiative, diversifying global infrastructure.
The broad consensus: CVE is a public good, and protecting it requires collective action.
Conclusion and Outlook
MITRE’s withdrawal marks a turning point. It revealed the structural fragility of relying on a single funder, but also catalyzed a global response. The CVE Foundation offers a hopeful path to a more resilient, representative, and sustainable governance model (CVE Foundation).
The months ahead will be critical as the foundation establishes its structure and funding base. Its success will depend on collaboration among governments, industry, and technical communities. Still, the strong, unified response in April 2025 bodes well: it shows the global cybersecurity ecosystem’s ability to adapt and protect its core infrastructure.
Ultimately, this transition could help transform CVE from a U.S.-funded system into a truly global effort, one that ensures the world’s digital defenders continue to speak the same language—together.
Sources: CVE Foundation, Krebs on Security, The Record, The Verge, BleepingComputer.