Why it matters: Articles on this site that cover software vulnerabilities typically include CVE codes, which tech companies worldwide use to identify cybersecurity threats. Funding for the program that manages the CVE database nearly expired this week, potentially endangering global cybersecurity coordination efforts. Although the crisis was averted at the last minute, the cybersecurity community has begun taking steps to avoid a repeat.
The US Department of Homeland Security has extended funding for the Common Vulnerabilities and Exposures (CVE) program, which was set to expire on Wednesday. Experts warn that the program is critical for worldwide cybersecurity efforts.
CVE codes provide a standardized system that enables tech companies, researchers, and hackers to identify and address vulnerabilities. For example, security advisory pages from Apple, Microsoft, Mozilla, and other firms use the system to label issues. Although entities across the globe rely on CVE codes to ensure they are discussing the same vulnerabilities, the system depends on a government-funded program operated by the MITRE Corporation.
BREAKING. From a reliable source. MITRE support for the CVE program is due to expire tomorrow. The attached letter was sent out to CVE Board Members.
– Tib3rius (@tib3rius.bsky.social) April 15, 2025 at 1:23 PM
Yosry Barsoum, vice president and director of the Center for Securing the Homeland, sent a memo alerting CVE board members that funding was set to expire on April 16. Why the DHS nearly allowed CVE funding to lapse is unclear, but the incident occurred amid the Trump administration’s aggressive government cost-cutting campaign.
Experts quickly raised alarms, highlighting CVE’s importance. Jen Easterly, former director of the US Cybersecurity & Infrastructure Security Agency (CISA), called CVE the Dewey Decimal System of cybersecurity. She explained that its lapse would slow global cybersecurity coordination efforts because different organizations might waste time retracing each other’s steps. Such a situation might weaken responses to new threats and give attackers an advantage.
On Wednesday, a group of CVE board members established the CVE Foundation, a separate non-profit focused solely on maintaining the CVE database in case MITRE’s funding expired. The move follows over a year of planning, and the foundation is expected to release more information on its efforts in the coming days. European cybersecurity groups also recently established the European Union Vulnerability Database, which includes CVE codes and a new system of IDs carrying the EUVD label.
Although DHS funding has resumed, the extension lasts only 11 months, and the likelihood of a renewal in March 2026 is unclear. The funding also impacts the Common Weakness Enumeration (CWE) program.