Wow. CVE database is in serious trouble, tomorrow.
The cyber industry as a whole is in trouble also really, it’s the elephant in the room - the collapse of the White House’s support for cybersecurity is obvious and pronounced due to widespread cutbacks.
My take on the CVE contract issue for businesses: don’t overreact, wait and see what impacts are.
The NVD backlog was already pretty crazy.. the US gov has gotta put real funding into this area if it wants to retain control of cyber standards.
To widen it out - CVE is the globally recognised system orgs use for vulnerability management.
Every vulnerability management product uses CVEs. Vulnerability management is a core part of cybersecurity - often, the most important part.
Additionally, CVE is written into several US government standards that orgs have to follow.
So the US Government not funding it is a major and historic own goal.
Listen to this article Federal contracting firm Mitre, which has dual headquarters in McLean and Massachusetts, expects to lay off 442 people in Virginia in two months. The cuts come after the Trump administration has announced more than $28 million in canceled contracts for the company. Mitre notified the state Wednesday of 442 job cuts […]
FOR IMMEDIATE RELEASE April 16, 2025 CVE Foundation Launched to Secure the Future of the CVE Program [Bremerton, Washington] – The CVE Foundation has been formally established to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program, a
CISA have, at the last minute, extended the MITRE CVE contract. “The CVE Program is invaluable to cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.” HT @metacurity
It’s unclear how long it has been extended for.
Kevin Beaumont
Xavier «X» Santolaria 
