
By the end of this week, one of the most pivotal initiatives in the field of cybersecurity—the Common Vulnerabilities and Exposures (CVE) program—may come to an abrupt halt. For over two decades, CVE has served as a cornerstone of vulnerability cataloging. According to MITRE Corporation, the U.S. federal government has decided not to renew the contract under which MITRE managed the program.
MITRE has stated that funding for the development, maintenance, and modernization of the CVE program—as well as related efforts such as the Common Weakness Enumeration (CWE)—will cease on April 16. This will not only bring updates to a standstill but may also result in the shutdown of the official website. While historical data will remain available on GitHub, no new entries will be added.
Since its inception in 1999, CVE has become a foundational pillar of global cybersecurity infrastructure. Its database is utilized by cybersecurity vendors, government agencies, and critical infrastructure operators to identify and analyze threats. Throughout the program's existence, MITRE has overseen the project, which is funded by the National Cybersecurity Division (NCSD) within the Cybersecurity and Infrastructure Security Agency (CISA).
MITRE representatives emphasized that, despite the contract’s termination, the organization remains committed to the continuation of the program and is engaged in ongoing discussions with the U.S. Department of Homeland Security to explore preservation options. Meanwhile, CISA has confirmed the contract’s expiration and stated that urgent measures are being undertaken to mitigate the impact.
The reasons behind the decision not to renew the agreement remain unclear, as CISA officials have declined to comment or indicate whether the initiative will be transferred to another contractor. In a letter addressed to members of the program’s advisory board, MITRE’s Director of National Security Center, Yosry Barsoum, warned of potentially serious repercussions—including the degradation of national vulnerability databases and diminished effectiveness in threat detection and incident response tools.
The development has alarmed experts across the cybersecurity industry. There is growing concern that the abrupt suspension of CVE could quickly escalate into a national security issue. The program underpins numerous vulnerability management processes and the protection of critical infrastructure systems.
In response, cybersecurity firm VulnCheck, a CVE numbering authority, has preemptively reserved 1,000 CVE IDs for 2025 to help mitigate the disruption. A representative from Securonix highlighted that the CWE project is essential for categorizing and prioritizing software vulnerabilities, and its discontinuation could undermine secure coding practices and risk assessment frameworks.
Amid these developments, reports have surfaced that CISA is simultaneously concluding several other contracts, including those supporting key institutions such as the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Election Infrastructure ISAC—entities that provide cybersecurity support to thousands of organizations nationwide. These decisions point to broader, unexplained shifts in the United States’ cyber policy priorities.
MITRE is widely regarded as one of the most respected institutions in the cybersecurity domain, maintaining a broad portfolio of programs that serve the interests of defense, healthcare, aviation, and beyond. The potential loss of its stewardship over CVE represents not merely a bureaucratic reallocation but a profound threat to the integrity of the global vulnerability tracking ecosystem.