UPDATE: MITRE support expires for ‘pillar of cybersecurity industry,’ CVE program

UPDATE: In a last-minute reversal announced early Wednesday, U.S. officials said MITRE Corp's Common Vulnerabilities and Exposures database would retain funding. The news comes less than 24 hours after MITRE announced funding to run the program would end April 16.

(Editor's Note: This article was updated 4/16 at 9:30 am ET to reflect most recent news developments.)

On Tuesday, MITRE announced that a series of cuts by the Trump administration could throw the future of core cybersecurity institutions into jeopardy. The de-funding of MITRE was in line with similar cuts to the Common Vulnerabilities and Exposures (CVE) Program, the National Vulnerability Database and the Cybersecurity and Infrastructure Security Agency (CISA) earlier this year.

The MITRE organization said in a letter to its board members Tuesday that its contract with the government to operate the Common Vulnerabilities and Exposures Program will expire on April 16, and it will no longer be able to operate the system or assign CVE classifications to new security vulnerabilities.

On Wednesday, MITRE leadership did an about-face and issued a short statement saying there would be "no lapse in critical CVE services."

MITRE’s CVE classifications program enables authorized organizations, called CVE Numbering Authorities (CNAs), to identify, assign, and publish unique CVE IDs for publicly known cybersecurity vulnerabilities. The process is critical to the cybersecurity community because it is the de facto standard for ensuring consistent, centralized tracking and disclosure of cybersecurity vulnerabilities. This allows for fast coordinated defenses and remediation of vulnerabilities across the global security ecosystem.

“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of the national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure,” stated MITRE Vice President Yosry Barsoum in the letter circulated widely on Tuesday.

In a statement to the media, Barsoum confirmed that funding from the Department of Homeland Security will expire and added that "the government continues to make considerable efforts to support MITRE's role in the program."

The federally funded organization is tasked with overseeing one of the foundational pillars of the cybersecurity ecosystem, the CVE Program, which is relied upon by organizations in the cybersecurity industry, as well as the government and critical infrastructure, for vulnerability identification and management. The program anchors the cybersecurity vendor market worth more than $37 billion by providing data to vendor products, according to MITRE.

The non-profit government contractor MITRE said earlier this month that it would be laying off some 442 staff after the Trump administration's Department of Government Efficiency (DOGE) canceled more than $28 million in MITRE contracts, according to the publication Virginia Business.

The news comes weeks after the National Institute of Standards and Technology (NIST) announced that it was no longer reviewing CVEs before 2018 as it faces a potential layoff of at least 500 probationary employees from the Trump administration.

“What happens now is heavily dependent on if MITRE can secure funding for CVE in the short term,” explained vulnerability historian Brian Martin.

“They have been funded through DHS for most of their tenure, and this cut suggests that more widespread cuts at DHS impacted them.”

Security executives said that any shutdown of the system would have an immediate and significant impact on the vulnerability landscape.

“Without the CVE program, one non-governing body may name the issue 'The worst encryption flaw ever,' but another non-governing body names the issue 'A terrible encryption flaw,' both not using the CVE-20XX-XXXX identification protocol,” explained Greg Anderson, CEO of DefectDojo. “Without CVEs, how do we even know we’re talking about the same issue?”

Others agreed that there will likely be a significant disruption both for security vendors and their customers.

Shane Fry, CTO of RunSafe Security, said in an email to SC Media that if there is a break in service from DHS ceasing to sponsor the MITRE CVE Program, "there will be more chaos around the latest vulnerabilities, slower defense and greater global risk."

“Patching and mitigation response times will be significantly impacted, and it will be challenging to verify whether vendors have disclosed or patched vulnerabilities,” said Fry.

Patrick Garrity, researcher with VulnCheck, said that his organization is already taking measures to keep notifications available.

“Given the current uncertainty surrounding which services at MITRE or within the CVE Program may be affected, VulnCheck has proactively reserved 1,000 CVEs for 2025,” Garrity said.

Veteran industry reporter Brian Krebs noted that in this case, DOGE, and by extension the White House, may have shot themselves in the foot by failing to properly assess what it was they were cutting.

“The CVE database is critical for anyone doing vulnerability management or security research, and for a whole lot of other uses,” Krebs explained.

“There isn't really anyone else left who does this, and it's typically been work that is paid for and supported by the U.S. government, which is a major consumer of this information.”

A break in the CVE program would likely degrade national vulnerability databases and advisories, said Jason Soroko, a senior fellow at Sectigo.

"This lapse could negatively affect tool vendors, incident response operations and critical infrastructure broadly," Soroko said.

Editorial Director Tom Spring and Managing Editor Stephen Weigand contributed to this report.

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.
