
On April 15, 2025, a letter from MITRE Vice President Yosry Barsoum was circulated on social media. It stated that MITRE’s contract to operate and modernize the Common Vulnerabilities and Exposures (CVE) program would expire on April 16, potentially leading to an immediate lapse in services.
This disclosure prompted widespread concern within the cybersecurity community about potential disruptions to vulnerability tracking and coordination.
The CVE program has been a foundational component of global cybersecurity infrastructure since 1999, serving as the central system for identifying and cataloging publicly disclosed software vulnerabilities. Any disruption could hinder incident response, vulnerability coordination, and even national security operations.

Some of the concerns included:
- Delayed or missed vulnerability disclosures – new CVE identifiers might not be issued, stalling critical software patching efforts.
- A ripple effect across government agencies, vendors, and researchers – the CVE system helps synchronize information sharing; without it, collaboration could fragment.
- Challenges for defenders relying on CVE identifiers to patch and mitigate risks – security teams depend on timely, standardized vulnerability data for risk management, compliance, and incident response.
CISA to the rescue
In response to these concerns, CISA executed an option period on the contract with MITRE, ensuring no lapse in critical CVE services. The 11-month extension provides temporary continuity while discussions about the program’s long-term sustainability continue.
A group of CVE Board members announced the launch of the CVE Foundation, a nonprofit organization aimed at securing the program’s independence and sustainability. The foundation seeks to eliminate reliance on a single government sponsor and ensure the CVE program remains a globally trusted, community-driven initiative.
So, what next?
This event was a wakeup call, exposing deeper structural liabilities in how critical cybersecurity infrastructure is funded, governed, and sustained. It underscored the fragility of a system that plays a central role in global vulnerability disclosure yet relies on a single government contract and a single operating entity. In today’s threat landscape, this is an unsustainable risk.
Several key implications and paths forward should be discussed and considered:
- Need for a more resilient governance model – the establishment of the CVE Foundation marks a potential turning point. By diversifying oversight and sponsorship, the foundation could help insulate the program from political and funding volatility.
- Shift toward community-driven sustainability – a more inclusive, globally engaged model — involving vendors, researchers, open-source communities, and international partners — is essential for long-term viability and trust.
- Strengthening transparency and accountability – the lack of early public awareness about the contract situation was a critical failure. Open communication and shared responsibility will be key to preventing similar crises.
- Modernizing infrastructure and processes – as threats evolve, so must the CVE system. Investments in automation, scalability, and improved data sharing will be necessary to keep pace with the volume and complexity of disclosures.
- Encouraging private sector collaboration – a more resilient disclosure system may depend on multi-stakeholder funding and participation — creating shared incentives for maintaining a robust, reliable vulnerability ecosystem.
In short, if vulnerability disclosure is the backbone of modern cybersecurity, then resilience must be the backbone of that backbone. The events of April 2025 show that the community cannot afford to treat foundational systems like CVE as afterthoughts — they are strategic assets that demand foresight, shared direction, and investment.
You Can Rely On The Checkmarx Platform
In the event of a CVE Services disruption, the issuance of new CVE IDs would be temporarily paused, potentially delaying the publication of newly disclosed vulnerabilities.
In the event of such a disruption, our goal is to ensure that the Checkmarx user experience remains seamless.
We actively support and aggregate vulnerability data from different vulnerability advisories and threat intelligence sources to guarantee the continuous delivery of new vulnerabilities. We also do our own research to identify vulnerabilities that are not cataloged in open-source databases, ensuring we deliver the most comprehensive coverage.
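One way to keep records flowing through an ID pause of the kind described above, as an added example that is not Checkmarx code: advisories from several sources are merged on any shared identifier, a record gets an internal placeholder key until a CVE is known, and the placeholder stays resolvable afterwards. All identifiers and the feed are constructed.

```python
# Added example, not Checkmarx code: merge advisories from several sources on
# any shared identifier so records keep flowing while new CVE IDs are paused.
# Every identifier below is a constructed placeholder, not a real advisory.
import itertools


def merge_advisories(advisories, prefix="PENDING"):
    """Fold (source, ids, package, fixed_in) tuples into de-duplicated records.
    Advisories sharing any identifier (CVE, GHSA, vendor id) for one package
    are one flaw; a record is keyed by its CVE once known, else by a stable
    placeholder that stays in the alias set so it remains resolvable later."""
    counter, records = itertools.count(1), []
    for source, ids, package, fixed_in in advisories:
        ids = set(ids)
        hits = [r for r in records if r["package"] == package and r["ids"] & ids]
        if not hits:
            key = f"{prefix}-{next(counter):04d}"
            hits = [{"key": key, "ids": {key}, "sources": [], "package": package,
                     "fixed_in": ""}]
            records.append(hits[0])
        rec = hits[0]
        for other in hits[1:]:          # this advisory bridges older records
            rec["ids"] |= other["ids"]
            rec["sources"] += other["sources"]
            records.remove(other)
        rec["ids"] |= ids
        rec["sources"].append(source)
        rec["fixed_in"] = rec["fixed_in"] or fixed_in
        cves = sorted(i for i in rec["ids"] if i.startswith("CVE-"))
        if cves:
            rec["key"] = cves[0]        # promote to the CVE key when one exists
    return {r["key"]: r for r in records}


def resolve(records, identifier):
    """Map any alias, including a retired placeholder, to its current key."""
    return next((r["key"] for r in records.values() if identifier in r["ids"]), None)


# Constructed feed: GHSA and vendor advisories arrive during a CVE ID pause;
# the CVE is published later and the merged record is re-keyed to it.
SAMPLE_FEED = [
    ("github", {"GHSA-xxxx-xxxx-0001"}, "examplelib", "2.4.1"),
    ("vendor", {"VENDOR-2025-001", "GHSA-xxxx-xxxx-0001"}, "examplelib", ""),
    ("github", {"GHSA-xxxx-xxxx-0002"}, "otherlib", "1.0.3"),
    ("nvd", {"CVE-9999-00001", "GHSA-xxxx-xxxx-0001"}, "examplelib", "2.4.1"),
]
MERGED = merge_advisories(SAMPLE_FEED)
```

Consumers that stored the placeholder key while the CVE was pending can call `resolve` to find the record under its promoted CVE key.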
Checkmarx is a CVE Numbering Authority (CNA) and plans to continue our commitment to this relationship with MITRE. Our scope covers open-source vulnerabilities discovered by, or reported to, Checkmarx that are not within another CNA’s scope. You can report them via our Checkmarx Zero disclosure portal.
The Checkmarx Security Research Team also ensures the quality of each vulnerability’s information: every entry continues to undergo a thorough analysis by a dedicated security analyst.
As for Common Weakness Enumeration (CWE) data, our Research Team maintains an internal system that records weakness descriptions covering the broader aspects of the associated CWE entry.
The past few weeks may have demonstrated the fragility of the CVE program, but Checkmarx customers can be reassured by our dedication to providing you with the latest vulnerability intelligence and practical advice to protect your organization.