MITRE’s CVE Contract Expires – Internal Memo Leaked!
A leaked letter dated April 15, 2025, has revealed that MITRE’s contract to support the Common Vulnerabilities and Exposures (CVE) program is set to expire today, April 16, 2025. The letter, confirmed by cybersecurity reporter David DiMolfetta, raises concerns about the future stability of one of cybersecurity’s most foundational resources.
MITRE’s Role in CVE at Risk
The internal letter, signed by Yosry Barsoum, Vice President and Director of MITRE’s Center for Securing the Homeland (CSH), was addressed to CVE Board Members. It outlines the uncertainty surrounding MITRE’s continued stewardship of the CVE program and related initiatives such as the Common Weakness Enumeration (CWE).
MITRE, a non-profit organization operating multiple federally funded research and development centers (FFRDCs), including the National Cybersecurity FFRDC, has managed the CVE program under U.S. Department of Homeland Security (DHS) funding for years.
CVE Foundation Steps In
In response to the looming contract expiration, the CVE Foundation has been formally launched to ensure the long-term continuity, independence, and stability of the program. While details on the foundation’s structure are still emerging, the move is a clear signal that efforts are underway to avoid a disruption.
Why CVE Matters
For decades, the CVE program has served as the global standard for identifying and cataloging publicly disclosed cybersecurity vulnerabilities. With over 274,000 entries in its database, it enables organizations worldwide to:
- Prioritize and mitigate security risks
- Maintain vulnerability advisories
- Build detection and response tools
- Support national cybersecurity efforts
The program underpins a cybersecurity vendor ecosystem estimated at over $37 billion, feeding data into products related to vulnerability management, threat intelligence, SIEMs, and EDR platforms.
The Risk of Disruption
According to Barsoum, if MITRE’s contract lapses without a clear handover or extension, the effects could ripple across the industry. He warns of:
- Deterioration of national vulnerability databases
- Breakdowns in incident response operations
- Disruptions to critical infrastructure support
- Failures in vendor tools that rely on CVE data
Recent Challenges and Evolution
The CVE program has already been undergoing significant transitions:
- New website: Moved to CVE.ORG
- Modernized record formats: Transitioned to JSON; legacy format support ended on June 30, 2024
- Broader scope: Began assigning CVEs to service-based vulnerabilities, beyond traditional software products
These changes reflect the evolving threat landscape, but also underscore the program’s reliance on steady funding and consistent operational leadership.