Over the weekend, security experts were beginning to panic. MITRE announced that the US government had not renewed funding for the Common Vulnerabilities and Exposures (CVE) database.
MITRE VP Yosry Barsoum warned that the government contract support enabling MITRE "to develop, operate, and modernize CVE" would expire on April 16. That would mean, Barsoum continued, "multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure."
All computer security depends upon CVE, which is the standard for tracking what is (and is not) a significant security hole. Fortunately, with no time left on the clock, MITRE, the non-profit that oversees the CVE database, announced it would get funding for another 11 months.
The CVE program, which has cataloged more than 274,000 publicly disclosed security flaws since its inception in 1999, is relied upon by governments, private industry, and open-source communities -- in short, everyone -- to track and coordinate responses to software holes. For example, Microsoft, with its Patch Tuesday, and Linux kernel developers both use CVEs to track security problems.
Everyone relies on CVEs because, while far from perfect, they're the universally agreed-upon standard for tracking security problems. As Jen Easterly, former director of the Cybersecurity and Infrastructure Security Agency (CISA), explained on LinkedIn:
Think of the CVE system like the Dewey Decimal System for cybersecurity. It's the global catalog that helps everyone -- security teams, software vendors, researchers, governments -- organize and talk about vulnerabilities using the same reference system. Without it:
- Everyone is using a different catalog or no catalog at all;
- No one knows if they're talking about the same problem;
- Defenders waste precious time figuring out what's wrong;
- And worst of all, threat actors take advantage of the confusion.
Moreover, as Ariadne Conill, co-founder and distinguished engineer at the tech security company Edera, told me in an interview, "The CVE database is crucial to international security. Although third-party databases exist, the world has standardized on CVE identifiers to act as pointers to vulnerability data. Loss of CVE services will be catastrophic. Every vulnerability management strategy around the world today is heavily dependent on and structured around the CVE system and its identifiers."
Looking ahead, Conill continued, "vulnerability databases should embrace linked data to reference the same vulnerability in external databases rather than depending on CVE identifiers. Vulnerability data enrichment can be done using linked data technologies such as JSON-LD, which has already been leveraged by SPDX 3 and OpenVEX. As a result, the National Vulnerability Database will no longer be necessary, and developers won't be beholden to decisions like these."
Until that happens, however, CVE will remain critical to all technology security.
How did CVE come so close to shutting down? It's about federal contracts and the current confusion over US government finances. MITRE has operated the CVE program for 25 years, under sponsorship from the US Department of Homeland Security (DHS) and CISA. MITRE acts as the CVE Editor and Primary CVE Numbering Authority (CNA), overseeing the assignment of the unique CVE identifiers that serve as a global reference standard for vulnerabilities.
MITRE also manages related programs such as the Common Weakness Enumeration (CWE), which classifies software and hardware weaknesses.
We don't know why the contract wasn't renewed until the last possible moment. We do know, however, that -- under DOGE -- CISA employees were given until midnight Monday to choose between staying on the job or resigning. Those who remained would face the possibility of being laid off as the agency faces cuts of up to one-third of its workforce.
Late on Tuesday, April 15, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. This option only lasts for 11 months and then must be renewed -- or we'll be back in the same boat.
While the immediate risk of disruption has been averted, the episode highlighted longstanding concerns about the sustainability and neutrality of the CVE program, which is relied upon worldwide yet dependent on US government funding. This is also not the first time a lack of cash has threatened CVEs. Last summer, insufficient funds kept anyone from managing the eternal flood of new CVEs.
CVE board members have launched the CVE Foundation, a nonprofit organization to maintain the program's future stability and independence. Kent Landfield, one of CVE's founders and a CVE Foundation officer, noted that "CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself. Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work, from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats."
The CVE Foundation's goal is to eliminate this single point of failure in the vulnerability management ecosystem and ensure the CVE Program remains a globally trusted, community-driven initiative.
Each security alert in the CVE list contains a unique identifier called a CVE ID, a description of the vulnerability, and references to supporting information. The system allows organizations, security professionals, and vendors to communicate clearly and consistently about specific security flaws. This, in turn, helps facilitate tracking, assessment, and remediation efforts. Most CVEs are assigned a Common Vulnerability Scoring System (CVSS) score. This is a numerical rating, ranging from 0 to 10, where the higher the score, the more dangerous the security hole. CVSS scores are commonly used to decide how quickly a problem needs to be fixed.
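To make the record structure concrete, here is an added example (not code from the article, MITRE, or the CVE program) of the kind of triage logic a defender builds on top of CVE records: it validates the CVE ID syntax, buckets a CVSS score into the published v3.x qualitative bands, and orders a feed of records by urgency, setting aside malformed IDs and unscored entries for manual review. The sample records are constructed for illustration; the band boundaries (Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0) are the standard CVSS v3.x ratings, which the article itself does not spell out.

```python
"""Added example: validate CVE IDs and triage records by CVSS severity."""
import re
from typing import Iterable

# CVE ID syntax: "CVE-" + four-digit year + "-" + four or more digits
# (five-digit-and-longer sequence numbers have been allowed since 2014).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
FIRST_CVE_YEAR = 1999  # the program's first year, per the article


def is_valid_cve_id(cve_id: str) -> bool:
    """Return True if cve_id is structurally well-formed."""
    match = CVE_ID_RE.match(cve_id)
    if not match:
        return False
    return int(match.group(1)) >= FIRST_CVE_YEAR


def cvss_severity(score: float) -> str:
    """Map a CVSS base score (0.0-10.0) to its v3.x qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    score = round(score, 1)  # CVSS scores are published with one decimal
    if score == 0.0:
        return "None"
    if score <= 3.9:
        return "Low"
    if score <= 6.9:
        return "Medium"
    if score <= 8.9:
        return "High"
    return "Critical"


# Constructed sample feed (hypothetical IDs and scores, not real advisories).
SAMPLE_RECORDS = [
    {"id": "CVE-2024-0001", "cvss": 9.8, "description": "example: unauthenticated RCE",
     "references": ["https://vendor.example/advisory-1"]},
    {"id": "cve-2023-12345", "cvss": 5.3, "description": "example: info disclosure",
     "references": ["https://vendor.example/advisory-2"]},
    {"id": "CVE-2025-0002", "cvss": None, "description": "example: not yet scored",
     "references": []},
    {"id": "CVE-2024-001", "cvss": 7.5, "description": "example: malformed ID (3 digits)",
     "references": []},
]


def triage(records: Iterable[dict]) -> dict:
    """Order records highest-score-first; unscored records go last, bad IDs are rejected.

    IDs are upper-cased before validation so a lowercase feed entry is not
    rejected for case alone; structural problems are still rejected.
    """
    ordered, rejected = [], []
    for rec in records:
        cve_id = str(rec.get("id", "")).strip().upper()
        if not is_valid_cve_id(cve_id):
            rejected.append(rec.get("id", ""))
            continue
        score = rec.get("cvss")
        label = "Unscored" if score is None else cvss_severity(score)
        ordered.append({"id": cve_id, "severity": label, "cvss": score})
    # Unscored entries sort as -1 so they land after every scored record.
    ordered.sort(key=lambda r: -1.0 if r["cvss"] is None else r["cvss"], reverse=True)
    return {"ordered": ordered, "rejected": rejected}


if __name__ == "__main__":
    result = triage(SAMPLE_RECORDS)
    for rec in result["ordered"]:
        print(f"{rec['id']:16} {rec['severity']:9} {rec['cvss']}")
    print("rejected:", result["rejected"])
```

The unscored entry is kept rather than dropped: a CVE that has an ID but no CVSS score yet is exactly the case where a human needs to look, and silently discarding it is how such records get missed.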