UkrVisti

Funding Cut for CVE Program: A Cybersecurity Crisis Looms

The U.S. government is halting funding for the CVE program, potentially leading to severe cybersecurity implications. Insights and expert opinions.

On April 16, 2025, the U.S. government announced it would cease funding for the Common Vulnerabilities and Exposures (CVE) program, a crucial global initiative for tracking software vulnerabilities. For 25 years, this program has assigned unique identifiers to discovered vulnerabilities, allowing developers and security experts to collaborate effectively.

The CVE system is utilized by government agencies, corporations, researchers, and independent experts as the primary means of identifying and addressing vulnerabilities. This system helps eliminate confusion when multiple parties discover the same issue.

However, without government support, the program could face shutdown. This would result in no new CVEs being issued, possible website closure, and chaos in the cybersecurity landscape. The MITRE Corporation, which manages CVE, confirmed that funding would not be extended due to budget cuts enacted by the Trump administration.

"As of Wednesday, April 16, funding for MITRE to develop, support, and modernize the CVE program and related initiatives like Common Weakness Enumeration will cease," stated Yosri Barsoum, MITRE's Vice President.

In practice, when a vulnerability is found, program partners (numbering in the hundreds across more than 40 countries) analyze it and assign it a CVE identifier. In 2024, over 40,000 new CVEs were published.

"CVE is the foundation of cybersecurity, and any disruptions in its support pose an unacceptable risk to critical infrastructure and national security," said Katie Moussouris, a cybersecurity expert and founder of Luta Security.

Currently, historical CVE records remain accessible on GitHub, but the future of the system is uncertain unless new funding sources or industry support are identified.

UPDATE:

According to Bleeping Computer, the U.S. government has decided to extend funding to avoid any continuity issues with the critical Common Vulnerabilities and Exposures (CVE) program.