CVE Program at Risk as MITRE Faces Funding Cuts

MITRE is sounding the alarm. The nonprofit says delays in U.S. government funding could seriously disrupt the Common Vulnerabilities and Exposures (CVE) program — a core part of the cybersecurity ecosystem.

In a message to the CVE board, MITRE’s Yosry Barsoum said the group’s contract with the U.S. government is set to expire on April 16, 2025. As of now, there’s no confirmation of renewal. Without new funding, he warned the program may halt operations.

Barsoum explained that this funding gap could affect several initiatives. These include the CVE system, the Common Weakness Enumeration (CWE), and other national cyber resources. If the service breaks down, the impact could be severe — slower vendor response, weaker incident coordination, and a breakdown in key infrastructure protections.

The CVE program helps identify and share known software flaws. It’s used worldwide by security experts, researchers, and governments. MITRE has managed it for years, backed by U.S. contracts, industry support, and international partners.

But the system may now be in jeopardy. MITRE recently laid off over 400 staff from its Virginia office. The move followed the loss of $28 million in federal contracts, cut by the Trump administration.

Meanwhile, another cybersecurity pillar is also under pressure. The National Institute of Standards and Technology (NIST) is struggling to keep up with the growing number of reported vulnerabilities. Although the National Vulnerability Database (NVD) is still processing CVEs at its usual pace, a surge in submissions has created a growing backlog.

Submissions rose 32% in 2024, and NIST expects them to increase even more in 2025. To cope, the agency is exploring AI and automation to speed up its review process. But the current delays are already causing trouble.

Security teams depend on NVD data to assess risks and apply fixes. When delays grow, the time between detection and action also widens. This makes it harder for organizations to protect their systems.

NIST said its systems were designed for a lower volume of submissions. Its workflows and enrichment processes still rely heavily on manual input, which adds bottlenecks.

Without urgent fixes and reliable funding, the cybersecurity community may lose access to one of its most trusted sources. If the CVE program stalls, so will the ability of vendors and governments to respond to new threats.
