MITRE’s Support for CVE Program Set to Expire! – Internal Letter Leaked Online

A letter from MITRE, dated April 15, 2025, has leaked online. Claimed to come from a reliable source, it reveals that the organization’s contract to support the Common Vulnerabilities and Exposures (CVE) program is due to expire today, April 16, 2025, potentially threatening the stability of a critical cybersecurity resource.
The letter, addressed to CVE Board Members and signed by Yosry Barsoum, Vice President and Director of MITRE’s Center for Securing the Homeland (CSH), highlights the uncertainty surrounding MITRE’s continued role in maintaining the CVE program and its related initiatives.
MITRE is a not-for-profit organization that operates federally funded research and development centers (FFRDCs), including the National Cybersecurity FFRDC, which supports the CVE program.
Headquartered in McLean, Virginia, MITRE has been a key player in advancing cybersecurity solutions for government and industry partners.
The Common Vulnerabilities and Exposures (CVE) program provides a standardized method for identifying and cataloging cybersecurity vulnerabilities.
It is widely used by organizations to prioritize and address security risks, making it a foundational element of global cybersecurity efforts.
The CVE program, managed by MITRE with funding from the U.S. Department of Homeland Security, has been a cornerstone of global cybersecurity efforts for decades.
It provides a standardized system for identifying, defining, and cataloging publicly disclosed cybersecurity vulnerabilities, enabling organizations worldwide to address security flaws efficiently.
As of recent records, the CVE database contains over 274,000 entries, underscoring its critical role in the cybersecurity landscape.
In the letter, Barsoum warns that the expiration of MITRE’s current contract to “develop, operate, and modernize CVE and several other related programs, such as CWE,” could lead to significant disruptions.
While the government is reportedly making efforts to continue MITRE’s involvement, Barsoum notes that a break in service could have “multiple impacts” on the CVE ecosystem.
These include potential “deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and overall critical infrastructure.” David DiMolfetta, a cybersecurity reporter, has confirmed the letter’s authenticity.
The CVE program has already faced challenges in recent years, including transitioning to a new website (CVE.ORG) and updating its record format to JSON, with support for legacy download formats ending on June 30, 2024.
Additionally, MITRE has begun assigning CVEs to service-based vulnerabilities, a shift from its previous focus on vulnerabilities in publicly distributed software products.
These changes reflect the evolving nature of cybersecurity threats but also highlight the program’s reliance on consistent funding and operational support.
MITRE, a not-for-profit organization known for solving problems for a safer world, has reaffirmed its commitment to the CVE program as a global resource.
However, the uncertainty surrounding its contract has raised questions about the future of vulnerability management and the potential ripple effects on national security and critical infrastructure.
This is a developing story. Cyber Security News has contacted MITRE for official comment and will update this article as additional information becomes available.