On April 16, 2025, a critical moment unfolded in the cybersecurity world when the U.S. Department of Homeland Security’s funding for the Common Vulnerabilities and Exposures (CVE) Program, operated by MITRE, was set to expire. The CVE system is a globally relied-upon database for cataloging known cyber vulnerabilities and has been a cornerstone of vulnerability management for over 25 years since its public launch in 1999.
Initially, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed that the contract with MITRE would not be renewed, raising significant concerns across the global cybersecurity community. Without this centralized source of vulnerability data, many feared serious impacts on vulnerability tracking, patch management, threat intelligence and incident response.
In a last-minute turnaround, CISA extended MITRE’s contract for 11 more months until March 2026, preventing an immediate disruption. However, the uncertainty of long-term support has exposed the fragility of relying on a single, government-funded resource.
Why This Matters
The CVE database:
- Enables standardized vulnerability scanning and patch prioritization.
- Powers integrations across many security tools.
- Standardizes how vulnerabilities are communicated globally.
Therefore, a disruption, even temporary, could have created confusion and gaps in security defense across critical infrastructure, enterprises and cybersecurity operations.
Emerging Alternatives and New Initiatives
- CVE Foundation: A group of long-time CVE Board members has launched the CVE Foundation to ensure “the long-term independence, neutrality, and sustainability” of the CVE Program. Their goal is to transition the database away from dependence on U.S. government funding.
- European Vulnerability Database (EUVDB): The EU Vulnerability Database, created by the European Union Agency for Cybersecurity (ENISA), has been launched to provide an independent, transparent, and multilingual source of vulnerability data. It was developed under the NIS2 Directive and functions similarly to the U.S. NVD.
- GCVE, a Decentralized CVE Model: GCVE (Global CVE Allocation System), introduced by CIRCL Luxembourg, proposes a decentralized approach to CVE issuance. It enhances the traditional CVE model by including the issuing authority (CNA) in the identifier format, helping reduce reliance on centralized coordination.
What You Should Do Now
- Diversify your threat intelligence sources: Supplement CVE data with:
- Track Alternative Initiatives: Stay informed by monitoring:
  - CVE Foundation updates
  - EUVDB activity
  - GCVE development and adoption
- Brief Executive Leadership: Use this moment to elevate awareness at the leadership level:
  - Emphasize the importance of diversified cyber infrastructure.
  - Advocate for investments in vendor-neutral threat intelligence.
  - Build business continuity into your vulnerability management processes.
Centripetal’s Perspective
Centripetal recognizes the critical role the CVE Program plays in the broader cybersecurity ecosystem—particularly in the standardization of vulnerability identification, coordinated disclosure processes, and support for vulnerability management initiatives.
While the recent 11-month extension of CVE services is reassuring, we want to clarify that Centripetal’s core services are not dependent on the CVE Program. Our CleanINTERNET® service is focused on proactive threat prevention, real-time threat intelligence correlation, and network protection against known and emerging threats.
However, we understand that many of our customers leverage CVE data within their own internal vulnerability management workflows, and we recognize the potential impact this uncertainty may cause. Where CVE identifiers are embedded in threat intelligence or used as enrichment in threat feeds, Centripetal continues to ingest and support that data to enhance threat detection.
We are actively monitoring the progress of the CVE Foundation, the EU Vulnerability Database (EUVDB), and other emerging initiatives like GCVE to ensure continuity and adaptability across our services. Should alternative or supplemental vulnerability sources become necessary, our service is fully capable of integrating them into our intelligence processing pipeline.
Our intelligence partners also continue to enhance their vulnerability intelligence, which leverages, but does not depend on, CVEs. In a similar fashion, Centripetal will continue to build resilience into CleanINTERNET and to use this vulnerability intelligence to identify exposures, attribute TTPs, and defend our customers while reducing our dependence on any sole data source.