In April, the MITRE Corporation’s Common Vulnerabilities and Exposures (CVEs) database was handed a last minute reprieve amid concerns over funding from the U.S. government.
It had been a long and stressful day, with the security industry wondering whether MITRE’s database would be able to operate. This could have left many firms without a way to track security flaws and ensure patches are prioritized and applied to systems in a timely manner.
The issue was so worrying that one group of experts quickly announced a new alternative to MITRE’s database, the CVE Foundation. The coalition of longtime, active CVE Board members said it had spent the past year developing a strategy to transition to a dedicated, non-profit foundation.
But before the day ended, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a statement saying it had, in fact, secured funding for MITRE for the following 11 months.
Now, the agency denies that funding was ever a problem. In its latest statement, CISA said the MITRE database expiration was due to an issue with “contract administration” rather than funding. CISA confirmed there was no interruption to the CVE program and said it remains committed to improving the database.
While many firms across the world are relieved, the uncertainty has highlighted the issues with relying on a single source for referencing security flaws. So, what lessons can be learned from the near-miss and how can firms safeguard themselves for the future?
CVE tracking issues
The CVE program is maintained by MITRE and widely adopted in all areas of cybersecurity, including tooling, research and testing, and is used by security operations centers and defensive teams. It is relied upon for sharing information on new security vulnerabilities, ensuring there is one source of truth for referencing a vulnerability.
Managing vulnerabilities is complex, not least because of the volume being discovered. In 2024, roughly 40,000 CVEs were assigned, and it’s likely that over 50,000 will be recorded in 2025.
“For vulnerability data to be quick, comparable and actionable, the industry needs a standardized process,” says Richard Werner, cyber security platform lead, Europe at Trend Micro. “Without it, we could face significant delays in the communication and dissemination of vulnerable information. Security tools such as vulnerability scanners may become less reliable, and organizations could face growing gaps in the defence of their IT systems.”
CISA’s funding for the CVE program lasts just 11 months, after which it will once again be up for renewal. In the scenario that the CVE database is then lost due to lack of funding, the security industry will be “slower at retaliating when attacked and worse at proactively holding the threats at bay,” says Simon Jonker, director of security analytics at CSIS Security Group.
The risks of relying on one source
CISA’s last minute reprieve was welcome but the incident has also shown that relying on one database for vulnerability enrichment data is “risky,” says Sylvain Cortes, VP strategy, Hackuity. “The moment that one database becomes unreliable or unavailable, security teams are essentially just left with a list of unhelpful, raw CVE IDs that lack the crucial details to make them useful to defenders.”
This is a serious issue for those in charge of vulnerability management and leaves the business open to elevated cyber risk, Cortes says.
It is a problem that funding for such a “critical and globally used standard” is “largely tied to one source,” agrees Andy Swift, cybersecurity assurance technical director at Six Degrees. “In many ways, a single source of major funding is perhaps its biggest vulnerability in itself.”
This is a core reason for the establishment of the new CVE Foundation, with a stated goal to “support the transition of the CVE Program from a single funding stream to a diversified funding model”, which “needs to exist outside of sole governmental control.”
“Right now, this is exactly what is needed to remove any fragility in the current setup’” Swift says.
While this may be a good idea in theory, nothing can currently take the place of the CVE database. Other options such as VulnDB and OSV are useful, yet they are not as comprehensive as the CVE database, says Thomas Richards, infrastructure security practice director at Black Duck.
“Some are commercial and require a license, while others focus just on open source software,” Swift points out. “What makes the CVE program and MITRE unique is, it tracks all software and is open for others to use. It will be interesting to see how they build a more decentralized model.”
Safeguarding your business amid global uncertainty
Global uncertainty is a matter of fact, so it’s a good idea to safeguard your business for any future changes to the MITRE CVE program. With this in mind, make sure the providers you use for vulnerability management have redundancy in where they collect the information about new exploits – not relying solely on the CVE database, says Jonker.
Cortes suggests investing in “a high-quality, enriched CVE feed from a trusted provider, to ensure they have constant access to enriched analysis of vulnerabilities.”
When working with and mitigating exploits, make sure to gauge the observed active exploitation, says Jonker. “If they are widely-exploited by the time of mitigation – make sure to look for indicators of compromise in the infrastructure before patching. Otherwise, you might end up closing the door, with the attacker already inside.”
Businesses must implement ongoing processes to find and assess vulnerabilities, says Werner. “This is not a one-time effort; it requires continuous monitoring and adaptation. While many organizations rely on severity scores such as CVSS, they should also evaluate the real-world impact of vulnerabilities.”
Tracking active exploitation is “critical, says Werner. “And because patching every vulnerability is rarely feasible, organizations, especially those operating in high-risk environments, should consider complementary technologies such as intrusion prevention systems to reduce exposure.”
Overarching this, experts advise to keep talking to your vendors and look out for any changes that could impact you. Vulnerability management software tends to use other sources besides CVE to supplement the data, but the loss of CVE would be “like the foundation of a house disappearing,” says Richards. “Firms should be asking their vendors how they are reacting to the uncertainty and also keep an eye on any changes MITRE makes to make sure the CVE program continues.”
