The Common Vulnerabilities and Exposures (CVE) program, which assigns identifiers to publicly disclosed vulnerabilities in hardware and software, has had its federal funding discontinued with immediate effect. Apple is among the tech companies that depend on the CVE program to identify and track security weaknesses in their products.
Update: In response, CVE board members have announced the establishment of a new non-profit entity called the CVE Foundation to continue the initiative – further details at the end …
Overview of the CVE Security Program
The CVE program offers a straightforward and effective mechanism for individuals or organizations to report discovered vulnerabilities in technology products.
Once a report is accepted, the issue is assigned a unique identifier that starts with CVE-, followed by the year and a serial number (CVE-YYYY-NNNN, with the serial portion running to four or more digits). This lets others see that the problem has already been recorded, investigate it themselves, and help the affected vendor assess its severity.
In instances where multiple tech firms must take action, the CVE system aids in coordinating their responses. Numerous companies, including Apple, Google, and Microsoft, rely on this framework.
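As an added example, not code from the page or from the CVE program itself, here is a small Python parser for the identifier format described above: it validates single IDs, pulls them out of free text such as a vendor advisory, and normalises case and zero-padding so that the same vulnerability is referred to by one string. The advisory text and the IDs in it are constructed placeholders, not references to real vulnerabilities; the 1999 start year and the rule that sequence numbers longer than four digits carry no leading zero come from the published CVE ID syntax, and the function and class names are my own.

```python
import re
from dataclasses import dataclass

# CVE identifier syntax: "CVE-" + four-digit year + "-" + sequence number of
# at least four digits. Four-digit sequence numbers are zero-padded
# ("CVE-2025-0001"); longer ones are not, so "CVE-2025-01234" is malformed.
# Matching is case-insensitive so IDs typed in lower case are still found,
# and they are normalised to the canonical upper-case form.
CVE_PATTERN = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
FIRST_CVE_YEAR = 1999  # the program issued its first identifiers in 1999


@dataclass(frozen=True, order=True)
class CveId:
    year: int
    sequence: int

    @property
    def canonical(self) -> str:
        # Pad to four digits only; a longer sequence prints as-is.
        return f"CVE-{self.year}-{self.sequence:04d}"


def _from_match(m: "re.Match[str]") -> CveId:
    year_text, seq_text = m.group(1), m.group(2)
    if len(seq_text) > 4 and seq_text.startswith("0"):
        raise ValueError(f"sequence number has a leading zero: {m.group(0)}")
    year = int(year_text)
    if year < FIRST_CVE_YEAR:
        raise ValueError(f"year predates the CVE program: {m.group(0)}")
    return CveId(year, int(seq_text))


def parse_cve_id(text: str) -> CveId:
    """Parse exactly one CVE ID; raise ValueError on anything else."""
    m = CVE_PATTERN.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a CVE identifier: {text!r}")
    return _from_match(m)


def is_valid_cve_id(text: str) -> bool:
    """True if the whole string is a well-formed CVE ID."""
    try:
        parse_cve_id(text)
        return True
    except ValueError:
        return False


def extract_cve_ids(text: str) -> list[str]:
    """Return canonical CVE IDs found in free text, deduplicated, in order
    of first appearance. Malformed look-alikes are skipped, not raised."""
    found: dict[str, None] = {}
    for m in CVE_PATTERN.finditer(text):
        try:
            found[_from_match(m).canonical] = None
        except ValueError:
            continue
    return list(found)


# Constructed advisory text for demonstration; the IDs are illustrative
# placeholders, not references to real vulnerabilities.
SAMPLE_ADVISORY = (
    "Fixed in this release: CVE-2025-0001 and cve-2025-0001 (duplicate), "
    "plus CVE-2024-123456. CVE-2025-12 is too short and CVE-2025-01234 "
    "has a leading zero, so neither is a valid identifier."
)

if __name__ == "__main__":
    print(extract_cve_ids(SAMPLE_ADVISORY))
```

Running the module prints the two distinct, canonical IDs from the constructed advisory; the lower-case duplicate collapses onto the first and the two malformed strings are ignored. Normalising before comparison is the practical point: the coordination the program enables only works if every party's tooling keys on exactly the same string.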
Although the program is sponsored by the U.S. Department of Homeland Security (through CISA), it is operated under contract by The MITRE Corporation, a not-for-profit organization.
Federal Funding Withdrawal by the US Government
Yesterday, The MITRE Corporation revealed that its federal funding had been cut, effective immediately.
On Wednesday, April 16, 2025, the existing contract for MITRE to develop, operate, and enhance the CVE program and related services, such as CWE, will expire […]
We anticipate that a service disruption could lead to several adverse consequences for CVE, including the deterioration of national vulnerability databases and advisories, and negative impacts on tool vendors, incident response efforts, and vital infrastructure.
Security researcher Lukasz Olejnik expressed that this change will lead to “total chaos” in the cybersecurity landscape.
By eliminating what are essentially minimal costs, the Trump administration will temporarily cripple the global cybersecurity framework—specifically CVE […]
The implication will be a failure in coordination among vendors, analysts, and defense systems—leading to uncertainty about referring to the same vulnerabilities. This will create significant disorder and a sudden decline in cybersecurity overall.
CWE Program Funding Cut
The funding cut also affects the Common Weakness Enumeration (CWE) program, which MITRE mentioned in the same notice. CWE is a catalog of common types of software and hardware weaknesses (classes of design and coding errors) that can give rise to vulnerabilities.
It serves as a reference that helps tech companies avoid introducing such flaws into their products by learning from past mistakes.
DMN's take
Both the CVE and CWE programs are incredibly effective and notably cost-efficient. The decision to withdraw their funding is illogical.
Update: It appears that CVE board members anticipated this scenario. They have declared today the formation of a CVE Foundation to ensure the program continues its work.
This concern has escalated following an April 15, 2025 letter from MITRE informing the CVE Board that the U.S. government does not plan to renew its management contract for the program. Although we hoped to avoid this day, we have been preparing for this eventuality.
In light of this, a coalition of dedicated, long-standing members of the CVE Board has spent the past year creating a plan to transition CVE to a dedicated, non-profit foundation. This new CVE Foundation will focus solely on maintaining the mission of delivering high-quality vulnerability identification and ensuring the integrity and availability of CVE data for defenders around the globe.
The Foundation has indicated that it will share additional information regarding its plans in the near future. Securing adequate funding will be crucial, and it is likely that Apple will be among the tech giants providing support.