CVE Program Funding Disruption: What It Means for Cybersecurity and Veracode Customers

On April 16, 2025, the cybersecurity community faced a potential crisis as U.S. government funding for the Common Vulnerabilities and Exposures (CVE) program, managed by MITRE and sponsored by the Cybersecurity and Infrastructure Security Agency (CISA), was set to expire. 

The CVE program, a critical global standard for identifying and cataloging software vulnerabilities, risked disruption after 25 years of operation, prompting widespread concern about impacts on vulnerability management, national security, and critical infrastructure.  

Late on April 15, CISA confirmed an 11-month contract extension with MITRE, ensuring continuity of CVE services and averting immediate chaos. However, the incident highlighted the program’s reliance on a single funding source, leading to the formation of the CVE Foundation—a new non-profit aimed at securing the program’s long-term independence.  

What happened to the CVE Program and why? 

As of April 16, 2025, the federal contract under which MITRE operates the CVE program was set to expire without renewal. The potential lapse has been attributed to recent cost-cutting measures across the U.S. government and to the program's dependence on a single federal contract vehicle. At the last moment, CISA announced that it had extended the contract with MITRE. The immediate threat to CVE funding has been staved off, but the program's longer-term footing remains unclear.

What impact does this have on Veracode products and customers?  

Veracode curates its own vulnerability database, using the NVD as one data source alongside other inputs such as CISA's Known Exploited Vulnerabilities (KEV) catalog, the Exploit Prediction Scoring System (EPSS), and Veracode's own first-party mechanisms for identifying flaws, issues and attacks in the wider ecosystem. Because that database does not depend on any single public feed, a lapse in the CVE program would not on its own stop Veracode from surfacing vulnerabilities to customers.

What would it mean in the short and long term, if the program were to be discontinued? 

Short-term: 

  • Potential disruption in the assignment of new CVE identifiers, delaying coordinated disclosure and leaving new vulnerabilities without a shared name that vendors, scanners and advisories can all reference.
  • Increased confusion among vendors, researchers, and security teams due to the absence of a centralized vulnerability tracking system.
  • Multiple competing vulnerability databases could emerge, each with its own identifiers, creating blind spots wherever a finding in one source cannot be matched to an entry in another.

Long-term: 

  • Erosion of trust in vulnerability management processes, potentially leading to fragmented or inconsistent vulnerability reporting.
  • Further interruptions could degrade the quality and completeness of CVE records over time.
  • Challenges in coordinating global cybersecurity efforts, since the CVE system has been integral to international collaboration; this could also undermine confidence in the United States remaining a cybersecurity leader on the global stage.

What should businesses be doing in response? 

  • Monitor Alternative Sources: Stay informed through other vulnerability databases, advisory groups, and vendor-specific security bulletins.
  • Implement Application Security Risk Management (ASRM) Principles: measure, prioritize, and manage the risk tied to each application even without a centralized CVE feed. Go beyond the CVSS base score: weigh exploitability (for example, KEV listing or EPSS probability), asset exposure, data sensitivity, and business impact so that triage follows your business objectives.
  • Enhance Internal Processes: Develop internal mechanisms for tracking and assessing vulnerabilities, ensuring timely patch management and risk assessment.
  • Engage with Industry Groups: Participate in information-sharing communities to stay updated on emerging threats and coordinate responses.
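The two middle recommendations above (tracking across several sources, and triaging on risk rather than CVSS alone) are easier to see in code. The script below is an added illustration for this post, not Veracode's code or its database logic: it reconciles constructed records from an NVD-style feed, a KEV-style list, EPSS-style scores and vendor advisories by identifier, keeps an advisory that has no CVE ID under its own identifier instead of dropping it, and ranks issues by a score that folds in exploitability, exposure and data sensitivity. Every identifier (the CVE-2025-000x and VENDOR-2025-xx values), every feed entry, and every weight is an assumption chosen to show the idea, not real data or a calibrated model.

```python
"""Reconcile several vulnerability feeds and triage by risk rather than CVSS alone.

Added illustration, not Veracode code. Feed contents are constructed and the
weights in exploit_factor/risk_score are assumptions, not a calibrated model.
"""
from __future__ import annotations

# Constructed stand-ins for feed records (placeholder IDs, not real CVE/KEV/EPSS data).
NVD_LIKE = {
    "CVE-2025-0001": {"cvss": 9.8, "summary": "remote code execution in a file parser"},
    "CVE-2025-0002": {"cvss": 7.5, "summary": "denial of service in a network service"},
    "CVE-2025-0003": {"cvss": 5.3, "summary": "information disclosure in an admin API"},
}
KEV_LIKE = {"CVE-2025-0003"}  # IDs listed as known to be exploited
EPSS_LIKE = {"CVE-2025-0001": 0.02, "CVE-2025-0002": 0.01, "CVE-2025-0003": 0.85}
VENDOR_ADVISORIES = [
    # Advisory carrying a CVE alias: merged into the CVE record.
    {"id": "VENDOR-2025-17", "aliases": ["CVE-2025-0002"], "cvss": 7.5,
     "summary": "denial of service in a network service"},
    # Advisory with no CVE ID yet: kept under its own ID so it stays in triage.
    {"id": "VENDOR-2025-18", "aliases": [], "cvss": 8.1,
     "summary": "authentication bypass, CVE not yet assigned"},
]
# Where each issue lives in this (constructed) estate.
ASSET_CONTEXT = {
    "CVE-2025-0001": {"internet_facing": False, "data_sensitivity": "low"},
    "CVE-2025-0002": {"internet_facing": True, "data_sensitivity": "medium"},
    "CVE-2025-0003": {"internet_facing": True, "data_sensitivity": "high"},
    "VENDOR-2025-18": {"internet_facing": True, "data_sensitivity": "high"},
}


def canonical_id(advisory: dict) -> str:
    """Prefer a CVE alias as the merge key; otherwise use the advisory's own ID."""
    for alias in advisory["aliases"]:
        if alias.startswith("CVE-"):
            return alias
    return advisory["id"]


def merge_feeds(nvd=NVD_LIKE, kev=KEV_LIKE, epss=EPSS_LIKE, advisories=VENDOR_ADVISORIES) -> dict:
    """Build one record per issue, keyed by canonical ID, recording which feeds saw it."""
    merged: dict[str, dict] = {}
    for cve, rec in nvd.items():
        merged[cve] = {"cvss": rec["cvss"], "summary": rec["summary"], "sources": ["nvd"]}
    for adv in advisories:
        key = canonical_id(adv)
        rec = merged.setdefault(key, {"cvss": adv["cvss"], "summary": adv["summary"], "sources": []})
        rec["sources"].append("vendor:" + adv["id"])
        rec["cvss"] = max(rec["cvss"], adv["cvss"])  # keep the higher score if feeds disagree
    for key, rec in merged.items():
        rec["kev"] = key in kev
        rec["epss"] = epss.get(key)  # None when the scoring feed has no entry for this ID
    return merged


def exploit_factor(rec: dict) -> float:
    """Likelihood-of-exploitation multiplier (assumed weights)."""
    if rec["kev"]:
        return 1.0   # exploitation already observed in the wild
    if rec["epss"] is None:
        return 0.2   # no score available: do not treat the issue as zero risk
    return max(rec["epss"], 0.05)


def risk_score(rec: dict, ctx: dict) -> float:
    """CVSS scaled by exploitability, exposure and data sensitivity (assumed weights)."""
    exposure = 2.0 if ctx["internet_facing"] else 1.0
    sensitivity = {"low": 0.5, "medium": 1.0, "high": 1.5}[ctx["data_sensitivity"]]
    return round(rec["cvss"] * exploit_factor(rec) * exposure * sensitivity, 3)


def triage(assets=ASSET_CONTEXT) -> list[tuple[str, float, float]]:
    """Return (id, cvss, risk) rows sorted by risk, highest first."""
    merged = merge_feeds()
    rows = [(key, rec["cvss"], risk_score(rec, assets[key])) for key, rec in merged.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    print(f"{'id':<16}{'cvss':>6}{'risk':>8}")
    for key, cvss, risk in triage():
        print(f"{key:<16}{cvss:>6}{risk:>8}")
```

With these constructed inputs the CVSS 9.8 issue on an internal, low-sensitivity system lands at the bottom of the list, while the CVSS 5.3 issue that is known to be exploited on an internet-facing, high-sensitivity system lands at the top; the advisory with no CVE ID still appears, ranked second, instead of vanishing because no central identifier exists for it.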

What resources can organizations use? 

  • National Vulnerability Database (NVD): Provides detailed information on publicly disclosed cybersecurity vulnerabilities.
  • Vendor Security Advisories: Regularly consult advisories from software and hardware vendors for updates on vulnerabilities and patches. Ensure that security teams are well positioned to receive and act on vulnerability advisories.
  • Cybersecurity Information Sharing Programs: Engage with programs like the Information Sharing and Analysis Centers (ISACs) for sector-specific threat intelligence.

How might organizations fare without access to MITRE’s CVE database? 

Organizations relying on vendors that, unlike Veracode, do not curate their own vulnerability databases may struggle with inconsistent vulnerability information, especially in the interim before a commonly accepted alternative is in place, leading to potential gaps in security coverage.

Fortunately, the contract was extended. The incident nonetheless shows how important it is to use security analysis tools that do not rely solely on public sources to surface vulnerabilities: solutions should curate their own vulnerability databases and also have first-party mechanisms for identifying flaws, issues, and attacks across the wider ecosystem. Get in touch to learn more about how you can avoid disruptions and stay secure without relying on public databases.