Flashpoint: Leaked MITRE letter to CVE Board – CVE Funding Loss & Global Vuln Impact
April 2025 by Flashpoint
This morning the intelligence analysts at Flashpoint will be posting a blog detailing an incident on April 15 (yesterday) in which an alleged letter from MITRE to the CVE Board was leaked online. Flashpoint has received this document from multiple sources, all of whom claim it is verified and legitimate. The letter states that the "current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire."
• In short, the letter implies that Common Vulnerabilities and Exposures (CVE) may lose funding from the US Department of Homeland Security (DHS) and shut down.
• This would have a cascading global effect, as CVE is the foundation for the National Vulnerability Database (NVD) and the operator of the CVE Numbering Authority (CNA) federated model, and it is heavily used by national vulnerability databases around the world, including in China, Russia, and more.
• Without a central catalog for these vulnerabilities, any organization that has relied on CVE as a source of vulnerability intelligence will need to find new options.
• MITRE has operated the CVE program since 1999. The budget cuts made by the current US administration mean the future of a US government–coordinated effort to catalog vulnerabilities is uncertain.
• This may be the precursor to a more unified effort within the US government to catalog vulnerabilities, or it could be the end of US government tracking of vulnerabilities made freely available to the world.
• While Flashpoint’s VulnDB uses CVE as one source of vulnerabilities, it is not reliant on the CVE ecosystem to operate. Every week, VulnDB analysts monitor many thousands of sources for publicly disclosed vulnerabilities and aggregate, analyze, and publish them to customers regardless of a CVE ID being present. Flashpoint will continue to do this regardless of MITRE’s funding issues and of any potential new government initiatives.