MITRE's Contract With DHS to Maintain CVE Library Faces Closure

No single point of reference for vulnerability categorisation raises fears.


The Common Vulnerabilities and Exposures (CVE) database is due to be taken offline today.

According to various media reports, MITRE’s contract with the Department of Homeland Security expires today, and without confirmed renewal or replacement, the industry risks entering a period of dangerous opacity in vulnerability tracking.

Multiple Impacts

In a letter, MITRE vice president Yosry Barsoum said that “if a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.” The letter was circulated by CVE members on social media last night.

“CISA is the primary sponsor for the CVE program, which is used by government and industry alike to disclose, catalog, and share information on technology vulnerabilities that can put the nation’s critical infrastructure at risk,” a CISA spokesperson told Forbes.

CISA said it is “urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely.”

In the meantime, VulnCheck said it has proactively reserved 1,000 CVEs for 2025, and its reporting service will continue to provide CVE assignments to the community in the days and weeks ahead. 

Raising Alarms

Former CISA head Jen Easterly acknowledged that the shutdown is “rightly raising alarms across the cybersecurity community” as “while this may sound like a technical issue, it has SERIOUS implications for business risk, operational resilience, and national security.”

In a LinkedIn post, she said that without it, everyone is using a different catalog or no catalog at all; no one knows if they’re talking about the same problem; defenders waste precious time figuring out what’s wrong; “and worst of all, threat actors take advantage of the confusion.”

Matt Saunders, DevOps lead at The Adaptavist Group, said: “Like many pieces of open source software, the CVE database has become a dependable resource for all teams with any concern over security, and its centralisation and dependability has allowed DevSecOps teams to build pipelines to get fixes out quickly, for all manner of software security issues.

“Losing it will make our software harder to secure, and its absence will mark a victory for cyber-criminals across the world. It feels possible that funding for this will move to one of the big players in global cybersecurity, or perhaps a consortium of them, as the health of the CVE MITRE database is undoubtedly of global benefit.

“There’s an opportunity here for the private sector, who will benefit the most from this, to step up and keep it going in the public interest, though there are also inevitable concerns around it falling into the hands of a single private entity.”



Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
