CVE Program Funding Cut—What It Means And What To Do Next


Forbes, 16-04-2025
U.S. President Donald Trump has cut funding for the global database of security flaws, the Common Vulnerabilities and Exposures (CVE) database, from Apr. 16. The not-for-profit organization that runs the database, MITRE, confirmed its contract with the U.S. Department of Homeland Security to operate the CVE Program has not been renewed.
The funding cut for the 25-year-old CVE program — which is globally relied upon to identify and mitigate security flaws — is part of a cost-cutting drive by the Trump administration.
The move to cut CVE funding is certainly a concern — especially given how suddenly it seems to have happened. Here is what happened, what it means for global security and what to do next.
MITRE vice president Yosry Barsoum confirmed that U.S. government funding for the CVE database and the Common Weakness Enumeration (CWE) program will expire, warning that a break in service could be a disaster for security. The news came via a letter posted on the social network Bluesky.
"On Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire," Barsoum wrote in the letter.
"If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure."
It comes as the U.S. Department of Homeland Security's national security research subdivision, the Science and Technology Directorate, will stop current grants and refocus its mission priorities.
"CISA is the primary sponsor for the CVE program, which is used by government and industry alike to disclose, catalog, and share information on technology vulnerabilities that can put the nation's critical infrastructure at risk," a CISA spokesperson told me via email.
Although CISA's contract with the MITRE Corporation will lapse after Apr. 16, CISA said it is "urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely."
Known throughout the security community, inside the U.S. and out, the CVE system is a global reference method for publicly known security flaws.
Launched in 1999, the CVE system is maintained by the U.S. National Cybersecurity FFRDC, operated by The MITRE Corporation, with funding from the National Cyber Security Division of the U.S. Department of Homeland Security.
CVE IDs are listed on MITRE's system as well as in the U.S. National Vulnerability Database (NVD).
The CVE database is "critical for anyone doing vulnerability management or security research," and for "a whole lot of other uses," security journalist Brian Krebs wrote on Mastodon. "There isn't really anyone else left who does this, and it's typically been work that is paid for and supported by the U.S. government, which is a major consumer of this information, btw."
America's abrupt pullback from leadership roles "in this case coordinating the near global issue of CVEs for vulnerabilities" will "place a heavy burden on global cyber defenses," says Ian Thornton-Trump, CISO at Inversion6.
It will impact the global response capability to CVE exploitation, such as "Heartbleed," among vulnerability and attack surface management companies, says Thornton-Trump.
Thornton-Trump concedes the immediate impacts might be "minimal" but says the move is now "helpful to our adversaries."
Cutting the CVE program funding is "a huge blow to the cybersecurity community," says William Wright, CEO of penetration testing firm Closed Door Security. "Many of today's ransomware attacks and data breaches are executed by adversaries exploiting vulnerabilities. Without a common destination to log vulnerabilities, so organizations can take steps to patch them, they could be more vulnerable to attack."
However, the news might not be quite as bad as it seems. It is important to understand that MITRE does not operate the National Vulnerability Database (NVD); that is run by the U.S. National Institute of Standards and Technology (NIST), says Sean Wright, an independent security researcher. "This is an important distinction since most vulnerability scanners use the NVD as the source of vulnerabilities to do their scanning."
While MITRE does assign CVE IDs, there are also CVE Numbering Authorities (CNAs) that can assign CVE IDs, says Sean Wright. "It is important to note that while MITRE is the source of CVE IDs, most security tooling leverages the National Vulnerability Database for their source of vulnerabilities. This is operated by NIST, and to the best of our knowledge at this time, the operation of this database will not be impacted."
He says the recent news about MITRE's contract would likely only affect new vulnerabilities. "Historical vulnerabilities should not be affected. It's important to call this distinction out, as there's already been some confusion."
The question remains, if the contract for MITRE is not renewed, how or whether the organization will continue the CVE program, says Sean Wright. "Given that we now have a larger number of CVE numbering authorities also issuing CVEs, it is possible that the impact of this recent news may not be as big as first thought. However, with the limited information that we have, it's not possible to tell."
MITRE said historical CVE records will be available on GitHub, but future CVEs still hang in the balance.
Hopefully another organization will step in to provide the funding, or countries will band together to offer support, says Closed Door Security's William Wright. "But until then, the world may have lost one of its greatest security resources."
It is possible funding will move to one of the big players in global cybersecurity, or perhaps a consortium. "The health of the CVE MITRE database is undoubtedly of global benefit," says Matt Saunders, DevOps lead at The Adaptavist Group. "There's an opportunity here for the private sector, who will benefit the most from this, to step up and keep it going in the public interest — though there are also inevitable concerns around it falling into the hands of a single private entity."
Businesses can prepare by diversifying their threat intelligence sources and monitoring vendor-specific vulnerability feeds, says Jamie Akhtar, CEO and co-founder at cybersecurity outfit CyberSmart. "Organizations should lean more heavily on resources like CISA's Known Exploited Vulnerabilities list, the NVD (if it remains online), and coordinate closely with software vendors. However, there is no true replacement for CVE."
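Sean Wright's distinction above (MITRE and the CVE Numbering Authorities mint the IDs, while NIST's NVD is what most scanners consume) and Akhtar's advice to lean on CISA's KEV list, the NVD and vendor feeds can be combined into one cross-check. The Python below is an added example, not code from the article or from MITRE, NIST or CISA; the records, IDs, field values and priority rules are all constructed for illustration, and the record shape only approximates the CVE JSON 5 format published on GitHub.

```python
import re

CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample records; the IDs are placeholders, not real CVEs. The shape
# follows the CVE JSON 5 record format the CVE Program publishes on GitHub.
MITRE_RECORDS = [
    {"cveMetadata": {"cveId": "CVE-2025-00001", "state": "PUBLISHED", "assignerShortName": "example-cna"},
     "containers": {"cna": {"descriptions": [{"lang": "en", "value": "Constructed flaw A."}]}}},
    {"cveMetadata": {"cveId": "CVE-2025-00002", "state": "PUBLISHED", "assignerShortName": "mitre"},
     "containers": {"cna": {"descriptions": [{"lang": "en", "value": "Constructed flaw B."}]}}},
    # Malformed ID on purpose: it must be reported, not silently dropped.
    {"cveMetadata": {"cveId": "CVE-25-3", "state": "PUBLISHED"}, "containers": {"cna": {}}},
]
# Constructed NVD-style enrichment (NIST): only the first ID has a CVSS score so far.
NVD_SCORES = {"CVE-2025-00001": 9.8}
# Constructed CISA KEV-style feed: the second ID is listed as exploited in the wild.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-2025-00002", "dueDate": "2025-05-07", "knownRansomwareCampaignUse": "Known"},
]}


def triage(mitre_records, nvd_scores, kev_feed):
    """Merge the three feeds into one view keyed by CVE ID.

    Priority rules are an assumption for this example, not a published standard:
      urgent    - listed in KEV, whether or not NVD has scored it yet
      high      - NVD CVSS >= 9.0;  scheduled - NVD-scored below 9.0
      unscored  - minted by MITRE or a CNA but absent from NVD and KEV, the gap the
                  article warns about for newly issued IDs; watch the vendor advisory
    Returns (view, invalid_ids); malformed IDs go to invalid_ids instead of the view.
    """
    kev_ids = {v["cveID"] for v in kev_feed.get("vulnerabilities", [])}
    view, invalid = {}, []
    for rec in mitre_records:
        meta = rec.get("cveMetadata", {})
        cve_id = meta.get("cveId", "")
        if not CVE_ID_RE.match(cve_id):
            invalid.append(cve_id)
            continue
        score = nvd_scores.get(cve_id)
        if cve_id in kev_ids:
            priority = "urgent"
        elif score is None:
            priority = "unscored"
        elif score >= 9.0:
            priority = "high"
        else:
            priority = "scheduled"
        view[cve_id] = {"assigner": meta.get("assignerShortName", "?"),
                        "in_nvd": score is not None, "in_kev": cve_id in kev_ids,
                        "priority": priority}
    return view, invalid
```

Running `triage(MITRE_RECORDS, NVD_SCORES, KEV_FEED)` flags the KEV-listed ID as urgent even though NVD has not scored it, which is exactly the case a scanner that reads only the NVD would miss.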
For now, the best thing to do is hold tight and use the resources available to you. The CVE funding cut isn't the end of the world, but it's still a worrying move that potentially reduces security for everyone.