Yesterday, MITRE executives announced that the MITRE CVE database may go dark due to a funding gap starting from today, Wednesday, April 16, 2025.
This morning, the crisis has likely come to an end as CISA have announced that they will continue funding of the project. Yet, this scenario raises the question: is it possible that the CVE project is getting to an end?
What is the MITRE CVE project and why is it important?
The CVE program was created to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. Since the day of the program’s initiation in 1999, the program has processed over 274,000 vulnerabilities.
Today it is one of the most common ways hackers, defenders and organizations categorize and reference disclosed cybersecurity vulnerabilities in almost any software, operating system and even hardware.
The maintainer of this project is MITRE, a non-profit organization that operates R&D centers, funded by the United States government and supports its efforts by research in the areas of cybersecurity, defense, aviation and more.
The main sponsor of this project is CISA (Cybersecurity and Infrastructure Security Agency), which has recently suffered drastic budget cutoffs. This affects their ability to renew or keep maintaining the current contract with MITRE which should end today (Wednesday 16, 2025).
In an interview with The Stack, CISA reported that they work on finding an urgent solution for this gap to mitigate the possible effect on the CVE program.
Another effect of this contract ending is the maintenance of the CWE project which categorizes and defines weaknesses in code, infrastructures and hardware before they actually become a vulnerability in product or environment.
What are the consequences of the CVE database going offline?
Every person who handles vulnerabilities uses the CVE program features in one way or another. It provides a source of truth to all practitioners, defining the risk, its possible impact, and its severity in an objective manner.
CVE also gives a standardized way to assess the security posture or an environment, including the amount, type of CVEs and the time that they should be handled are measured in many security standards and frameworks organizations and governments are obligated to. If CVEs are not going to exist anymore, many of these standards will be needed to change and adjust.
A possible scenario that could happen without having this independent entity of CVE program is: a vulnerability in software A described as “A possible remote code execution called X” by its maintainer. Then, another vendor that is using this software as a dependency in product B can describe this vulnerability as “A possible DoS (because of an RCE) called Y”. Today these two vulnerabilities will have the same CVE assigned for them, being checked and compared carefully, given a clear description of the problem and its solution. Without having this standardized reference, teams may approach patching those two vulnerabilities without knowing they are actually the same problem that require the same solution.
The main concern is that the CVE program will go dark and will not process new CVEs. By doing this, the security community will lose the common language when talking about risks, will lose the standard of what kind of risks there are and will lose the standardized prioritization for known risks.
It will make the life of all the people who patch vulnerabilities much harder, requiring the processing of more information from many sources (instead of one source of truth). As a result, it may take longer for organizations to discover if they are vulnerable, making it easier for attackers to exploit the vulnerability.
However, this is not the situation at the moment of writing this blog. It could happen in the future if funding were ever to end.
Another point that will make this program live a little longer – last year, the program announced easier standards to define CNAs (CVE Numbering Authority), permitting allocation of new CVEs by specific products, companies and organizations. So, there are still allocated CVEs for these entities that could be assigned and disclosed in the near future. We also became familiar with some CNAs reserving a significant amount of CVEs when realizing something can happen to the CVE program.
Are there any alternatives?
No, there is not a single, central place that is publicly available. The main alternative would be to follow the security feeds of the products that are being used in one’s environment. They will continue providing the vulnerability information, probably in other names.
How was Orca Security impacted?
Orca is not impacted by changes in MITRE or NVD, as we base our vulnerability database on many sources and security feeds rather than just MITRE or NIST. We follow many products’ security updates and bulletins and integrate the information into our vulnerability management system.
In the event a change occurs to the naming convention for vulnerabilities, Orca’s customers will not be impacted. The Orca Cloud Security Platform does not rely on CVE IDs to detect, prioritize, and facilitate the remediation of vulnerabilities. This ensures organizations can continue to maintain effective vulnerability management programs regardless of any changes to CVE programs or funding.
Stay tuned for future updates
At Orca Security, we are on a mission to help organizations thrive securely in the cloud. While the long-term future of the MITRE CVE program is uncertain, the Orca Cloud Security Platform remains resilient to any future changes and will continue to empower organizations with their vulnerability management programs. We are also closely monitoring the situation and will keep the Orca community informed of any changes as they occur.
If you’re interested in learning more about the Orca Cloud Security Platform, schedule a 1:1 personalized demo.
