The Future of CVE Is at Risk—What the End of MITRE’s Role Could Mean for Cybersecurity


Apr 16, 2025

Ben Hirschberg
CTO & Co-founder

With DHS ending MITRE’s CVE funding, the future of global vulnerability tracking is uncertain. Here’s what it means for security teams and what comes next.

UPDATE: The immediate crisis was averted. CISA extended MITRE's contract at the last minute, and a group of CVE Board members announced the CVE Foundation as a vehicle for long-term, non-governmental stewardship of the program. We hope this resolves the budgeting crisis and gives the CVE program a lasting footing.

On April 15, 2025, Krebs on Security reported that the U.S. Department of Homeland Security (DHS), through CISA, had allowed its funding agreement with the MITRE Corporation to lapse, effectively pulling the plug on the longstanding financial backbone of the Common Vulnerabilities and Exposures (CVE) program. As Brian Krebs noted, this unexpected move left the future of one of the cybersecurity community's most foundational resources hanging in the balance. The CVE program, central to the identification and tracking of software vulnerabilities worldwide, faced operational uncertainty at a time of broader volatility.

MITRE’s Role in the CVE Ecosystem

The Common Vulnerabilities and Exposures (CVE) system has served as the main authority and arbiter of global vulnerability identification and coordination. At the heart of this ecosystem is the MITRE Corporation, a nonprofit that operates the program under contract: it acts as the CVE Numbering Authority of Last Resort (CNA-LR), serves as secretariat to the CVE Board, and is the coordination hub through which CNAs are onboarded and records are published.

Here’s how the vulnerability disclosure pipeline typically works—and where MITRE fits in:

Who reports vulnerabilities?

Vulnerabilities are reported by a wide range of actors: independent security researchers, vendor security teams, bug bounty hunters, and coordinated vulnerability disclosure programs. Some researchers report directly to the affected vendors; others go through a third-party CNA, or to MITRE itself as CNA of last resort when the vendor is unresponsive or is not a CNA.

To whom are vulnerabilities reported?

Vulnerabilities are ideally reported to the relevant vendor or project maintainer. If that organization is a CVE Numbering Authority (CNA), it assigns a CVE ID from its own block. If it is not, the report escalates up the CNA hierarchy, to the appropriate Root CNA or ultimately to MITRE, so that every legitimate issue still receives a globally unique CVE identifier.

How are vulnerabilities scored?

Vulnerabilities are assessed and scored using the Common Vulnerability Scoring System (CVSS), a standard that rates severity from factors such as attack vector, required privileges, user interaction, and impact on confidentiality, integrity and availability. CVSS itself is owned and maintained by FIRST, not MITRE. Scores are produced by the assigning CNA (embedded in the CVE record's metrics) and, independently, by NIST's NVD analysts and CISA's Authorized Data Publisher (ADP) enrichment; MITRE's part is the record format that carries those scores, which is why the same CVE can legitimately show different scores from different providers.

Who publishes the vulnerabilities?

Once a CVE ID is assigned and the CNA submits its record, the entry is published to the CVE List (cve.org and the cvelistV5 repository on GitHub) and mirrored into downstream databases such as the NVD (National Vulnerability Database). MITRE operates the publication pipeline and enforces the record format, but the substance of each record (description, references, affected versions) comes from the assigning CNA; NVD and the CISA ADP then layer their own enrichment (CPE applicability, CVSS, SSVC decision points) on top.

Who manages the process?

MITRE not only coordinates with several hundred CNAs globally, but also administers the CNA rules approved by the CVE Board, runs quality control on incoming records, manages disputes, and acts as the final arbiter for entries that fall outside normal channels. Without MITRE, the CVE system risks fragmentation, delays, and reduced trust.

MITRE's stewardship has made the CVE system a trusted, vendor-neutral infrastructure.

A Period of Uncertainty for Security Teams

While we’ve seen abrupt policy decisions reversed in recent weeks, if MITRE indeed ceases to operate the CVE program, the impact on security teams worldwide will be significant –  immediate in some areas and structural in others.

Breakdown in Vulnerability Coordination

MITRE has long served as the fallback for coordinating disputed, complex, or orphaned CVEs—especially where no vendor or CNA takes responsibility. Without a neutral party to mediate and validate, coordination on such CVEs will degrade, leading to inconsistencies, duplication, or gaps in vulnerability records.

Slower Adoption of CVSS v4 in CVE Records

CVSS version 4.0 is FIRST's standard, but its reach depends on the CVE record format that carries the scores: MITRE added CVSS v4.0 metrics to the CVE Record Format (JSON 5.1) and publishes the guidance CNAs follow when filling them in. In its absence, we can expect slower adoption, uneven implementation across CNAs, and a delay in ecosystem-wide improvements to vulnerability scoring, at a time when nuanced risk assessment is more critical than ever.

Loss of Vendor-Neutral Governance

The CVE system’s power lies in its neutrality. Without MITRE’s stewardship, the coordination of global vulnerability data may shift to vendor-dominated or region-specific bodies, each with their own priorities. This fragmentation threatens the very notion of a common language for vulnerabilities, hindering global collaboration and interoperability.

Divergence of Standards and Data Sources

In the absence of a single authoritative source, security teams will be forced to choose among competing databases, tools, or standards—each with their own view of the vulnerability landscape. We may be entering a phase similar to the CycloneDX vs. SPDX divergence in SBOM standards, where the lack of convergence increases complexity and dilutes collective security efforts.

Uncertainty Until New Leadership Emerges

Alternative coordinators will eventually rise—perhaps from international consortia, commercial vendors, or community efforts—but it will take time. During that transition, the industry will be left with uncertainty: Which data can be trusted? Which source is authoritative? What does interoperability look like in this new landscape?

For security teams, this means more manual validation, slower response times, and the risk of missed threats—not because the vulnerabilities don’t exist, but because the system that tracks them is in flux.
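The pipeline described above (CNA-supplied record, MITRE-operated publication, NVD and ADP enrichment) and the risk of divergent data sources both come down to what is actually inside a CVE record. The following is an added example, not code from the original post or from any MITRE or ARMO tooling: it walks a constructed CVE JSON 5.1 record the way a downstream consumer does, pulling out every provider's CVSS score, flagging when enrichment disagrees with the CNA, and resolving a concrete installed version against the CNA's affected ranges. The record, the placeholder identifier CVE-1900-0001 (which cannot exist, since CVE IDs begin in 1999), the vendor, product, scores and the 1.0-point divergence threshold are all constructed for this example; the field layout (cveMetadata, containers.cna, containers.adp, metrics, affected) follows the published CVE Record Format 5.1 schema.

```python
"""Consume a CVE JSON 5.1 record: scores per provider, divergence, affected ranges.

SAMPLE_RECORD is CONSTRUCTED for this example. CVE-1900-0001 is a
placeholder that cannot exist; vendor, product and scores are made up.
The structure follows the CVE Record Format 5.1 schema.
"""
import json
import re

SAMPLE_RECORD = json.loads(r"""
{"dataType": "CVE_RECORD", "dataVersion": "5.1",
 "cveMetadata": {"cveId": "CVE-1900-0001", "assignerShortName": "example_cna",
                 "state": "PUBLISHED", "datePublished": "1900-01-01T00:00:00Z"},
 "containers": {
  "cna": {
   "providerMetadata": {"shortName": "example_cna"},
   "descriptions": [{"lang": "en", "value": "Constructed example: path traversal in Example Server."}],
   "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22"}]}],
   "affected": [{"vendor": "ExampleCorp", "product": "Example Server",
                 "versions": [
                  {"version": "2.0.0", "status": "affected", "lessThan": "2.4.1", "versionType": "semver"},
                  {"version": "1.0.0", "status": "unaffected", "lessThan": "2.0.0", "versionType": "semver"}]}],
   "references": [{"url": "https://example.invalid/advisory"}],
   "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH",
                             "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}]},
  "adp": [{
   "providerMetadata": {"shortName": "CISA-ADP"},
   "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.1, "baseSeverity": "CRITICAL",
                             "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}}]}]}}
""")

CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def cve_id(record):
    """Return the record's CVE ID after checking it has the canonical shape."""
    cid = record["cveMetadata"]["cveId"]
    if not CVE_ID_RE.match(cid):
        raise ValueError(f"malformed CVE ID: {cid}")
    return cid


def scores_by_provider(record):
    """Map provider shortName -> (cvss version, base score, vector) over the
    CNA container and every ADP container. Keys like cvssV3_1 / cvssV4_0
    identify the CVSS version; other metric kinds (e.g. SSVC) are skipped."""
    containers = record["containers"]
    out = {}
    for c in [containers["cna"]] + containers.get("adp", []):
        provider = c["providerMetadata"]["shortName"]
        for metric in c.get("metrics", []):
            for key, body in metric.items():
                if key.startswith("cvssV"):
                    out[provider] = (body["version"], float(body["baseScore"]), body["vectorString"])
    return out


def score_divergence(record, threshold=1.0):
    """Providers whose base score differs from the CNA's by more than threshold
    (the threshold is an arbitrary choice for this example)."""
    scores = scores_by_provider(record)
    cna = record["containers"]["cna"]["providerMetadata"]["shortName"]
    base = scores[cna][1]
    return {p: s[1] for p, s in scores.items() if p != cna and abs(s[1] - base) > threshold}


def _semver(v):
    return tuple(int(x) for x in v.split("."))


def is_affected(record, vendor, product, version):
    """Resolve an installed version against the CNA's 'affected' entries.
    Handles semver ranges [version, lessThan), [version, lessThanOrEqual] and
    single exact versions; the first matching range decides. No match is
    reported as not affected, which is the caveat: an absent range is a data
    gap, not a clean bill of health."""
    v = _semver(version)
    for a in record["containers"]["cna"].get("affected", []):
        if a.get("vendor") != vendor or a.get("product") != product:
            continue
        for r in a.get("versions", []):
            if r.get("versionType") != "semver":
                continue
            lo = _semver(r["version"])
            if "lessThan" in r:
                hit = lo <= v < _semver(r["lessThan"])
            elif "lessThanOrEqual" in r:
                hit = lo <= v <= _semver(r["lessThanOrEqual"])
            else:
                hit = v == lo
            if hit:
                return r["status"] == "affected"
    return False


if __name__ == "__main__":
    print(cve_id(SAMPLE_RECORD), scores_by_provider(SAMPLE_RECORD))
    print("divergent providers:", score_divergence(SAMPLE_RECORD))
    print("2.3.0 affected:", is_affected(SAMPLE_RECORD, "ExampleCorp", "Example Server", "2.3.0"))
```

The interesting output is the divergence: the CNA scored the constructed issue 7.5 and the ADP container 9.1 for the same record, which is exactly the kind of disagreement a team must reconcile by hand when no single source is authoritative. Real records also carry non-semver version types (custom strings, git commits) that this resolver deliberately skips rather than guesses at.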

What the Industry Can Do Next

This moment should serve as a wake-up call, not just about the future of the CVE program, but about the fragility of the entire vulnerability disclosure ecosystem. The potential loss of MITRE’s leadership cannot be met with silence – it demands coordinated action.

Time for a Unified Industry Response

Major stakeholders in cybersecurity (vendors, open-source foundations, cloud providers, and public institutions) must come together to propose a sustainable alternative. A Linux Foundation-style umbrella organization could provide the neutral governance, funding, and transparency the CVE program needs. This isn’t just about keeping the lights on—it’s about future-proofing the ecosystem.

Fixing CVE, Not Abandoning It

It’s no secret that the current CVE system has its flaws. End users often lack actionable insights into how or where they are affected, and security teams waste significant effort chasing non-exploitable issues. But freezing or fracturing the information flow is not the answer. What we need is not less CVE—but a stronger, more intelligent CVE: one that is context-aware, enriched with runtime exploitability signals, and better aligned with operational realities.

Posture Alone Isn’t Enough—Runtime Security is Key

In this climate of uncertainty, it’s critical to remember that static posture assessments only go so far. The real defense has always been runtime context: understanding which vulnerabilities are actually being targeted, by whom, and how. That’s why ARMO’s Cloud Application Detection and Response (CADR) platform leads the industry – delivering the visibility and prioritization security teams need, even when the upstream ecosystem is in flux.

The road ahead may be uncertain, but it’s also an opportunity: to rebuild trust, modernize the vulnerability management model, and empower defenders with better tools and better data.
