May 14, 2025
CVE Program Faces Shutdown, Cybersecurity Community on Edge

The looming CVE program shutdown has sparked a major crisis in cybersecurity, raising concerns about the future of global threat management. MITRE’s Common Vulnerabilities and Exposures (CVE) program could go dark on April 16, 2025, as its contract with the U.S. Department of Homeland Security (DHS) expires with no confirmed renewal in place.

This isn’t a small issue—it’s a major alarm for global cybersecurity. Without the CVE program, security professionals will lose a vital tool used to identify, communicate, and fix software vulnerabilities.

Why CVEs Matter So Much

The CVE program assigns ID numbers to known software flaws. These IDs help cybersecurity teams, software vendors, and governments stay aligned when threats emerge. Tools like patch management software, vulnerability scanners, and threat feeds all depend on CVE data. So do federal agencies like CISA and the Department of Defense.

The related CWE program, which classifies coding errors, also plays a big role. Without funding, both systems could stall.

MITRE’s Contract Expiring—No Backup Plan

MITRE confirmed its DHS contract expires on April 16, 2025. Unless renewed immediately, no new CVEs will be issued, and coordinated vulnerability disclosure could face major setbacks.

“Failure to renew the contract risks significant disruption,” said Jason Soroko, a senior fellow at Sectigo. “This lapse could negatively affect tool vendors, incident response, and critical infrastructure.”

MITRE says historical CVEs will remain on GitHub, but that’s not enough for a functioning cybersecurity defense.

A Fragmented Future Without CVEs

Security professionals are sounding the alarm. Greg Anderson, CEO of DefectDojo, warns of chaos: “Without CVEs, how do we even know we’re talking about the same vulnerability?” He adds that professionals already deal with 40,000+ CVEs per year, and losing this central system could cripple response times.

Imagine a major encryption flaw being discovered. Without a CVE ID, different groups might name it differently, and confusion could delay critical patches.

Urgency for Government Action

MITRE says discussions with DHS are active, but time is running out. Casey Ellis, founder of Bugcrowd, called this a “national security problem in short order.” The CVE system underpins everything from vulnerability management to defense infrastructure protection.

This Is a Wake-Up Call

Regardless of how this situation resolves, it’s a warning: a system this vital can’t be allowed to hang by a thread every year. The CVE program needs stable, long-term funding and a governance model that ensures it never goes offline again.

Cyber threats don’t wait—and we can’t afford to either.

Source: Forbes
