![US to end funding for CVE program, a global database that plays a key role in cybersecurity [UPDATED]](https://img.mezha.media/mezhaprod/images/doc/c/d/261130/cd2818750cacacc5449df23abc2468d3.jpeg?w=900&q=90&f=webp)
On April 16, 2025, the US government will end funding for the Common Vulnerabilities and Exposures (CVE) program, a key global system for registering vulnerabilities in software. The program, which has been in operation for 25 years, assigns unique numbers to discovered vulnerabilities so that developers and security experts can work together to address them, The Register reports.
CVE is used by government agencies, corporations, researchers, and independent experts as a primary mechanism for identifying and fixing vulnerabilities. The system helps avoid confusion and coordinate actions when different people discover the same bug.
But without government support, the program could grind to a halt. That would mean no new CVEs, a possible shutdown of the program’s website, and chaos in the cybersecurity world. MITRE, which manages CVE under contract to the U.S. Department of Homeland Security, confirmed that funding would not be renewed. The decision comes amid budget cuts by the Trump administration.
"On Wednesday, April 16, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures Program and related programs, such as the Common Weakness Enumeration Program, will expire," said Yosry Barsoum, MITRE vice president.
The essence of CVE is that when someone discovers a vulnerability, the program's partners (and there are hundreds of them in over 40 countries) analyze it and assign it a CVE identifier. In 2024, over 40,000 new CVEs were published.
"CVE is a cornerstone of cybersecurity, and any gaps in CVE support will put our critical infrastructure and national security at unacceptable risk," said Katie Moussouris, cybersecurity expert and founder of Luta Security.
For now, historical CVE records remain available on GitHub, but the future of the system remains at risk unless a new source of funding or industry support is found.
UPDATED:
As reported by Bleeping Computer, the US government has nevertheless decided to continue funding to avoid any problems with the continuity of the critically important Common Vulnerabilities and Exposures (CVE) program.