
CVE Program Funding Cut—What It Means And What To Do Next
U.S. President Donald Trump has cut funding for the global database of security flaws, the Common Vulnerabilities and Exposures database from Apr. 16. The not-for-profit organization that runs the database, MITRE, confirmed its contract with the U.S. Department of Homeland Security to operate the CVE Program has not been renewed.
The funding cut for the 25-year-old CVE program — which is globally relied upon to identify and mitigate security flaws — is part of a cost-cutting drive by the Trump administration.
The move to cut CVE funding is certainly a concern — especially given how suddenly it seems to have happened. Here is what happened, what it means for global security and what to do next.
MITRE vice president Yosry Barsoum confirmed that U.S. government funding for the CVE database and the Common Weakness Enumeration programs will expire now, warning that it could be a disaster for security. The news came via a letter on social network Bluesky.
'On Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire,' Barsoum wrote in a letter published on Bluesky.
'If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.'
It comes as the U.S. Department of Homeland Security's national security research subdivision, the Science and Technology Directorate, will stop current grants and refocus its mission priorities.
'CISA is the primary sponsor for the CVE program, which is used by government and industry alike to disclose, catalog, and share information on technology vulnerabilities that can put the nation's critical infrastructure at risk,' a CISA spokesperson told me via email.
Although CISA's contract with the MITRE Corporation will lapse after Apr. 16, CISA said it is 'urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely.'
Known by all in the security community inside the U.S. and out, the CVE system is a global reference method for publicly-known security flaws.
Launched in 1999, the CVE system is maintained by the U.S. National Cybersecurity FFRDC, operated by The MITRE Corporation, with funding from the U.S. National Cyber Security Division of the U.S. Department of Homeland Security.
CVE IDs are listed on MITRE's system as well as in the U.S. National Vulnerability Database.
The CVE database is 'critical for anyone doing vulnerability management or security research,' and for 'a whole lot of other uses,' security journalist Brian Krebs wrote on Mastodon. 'There isn't really anyone else left who does this, and it's typically been work that is paid for and supported by the U.S. government, which is a major consumer of this information, btw.'
America's abrupt pullback from leadership roles 'in this case coordinating the near global issue of CVEs for vulnerabilities' will 'place a heavy burden on global cyber defenses,' says Ian Thornton-Trump, CISO at Inversion6.
It will impact global response capabilities to CVE exploitation such as 'HeartBleed' among vulnerability and attack surface management companies, says Thornton-Trump.
Thornton-Trump concedes the immediate impacts might be 'minimal' but says the move is now 'helpful to our adversaries.'
Cutting the CVE program funding is 'a huge blow to the cybersecurity community,' says William Wright, CEO of penetration testing firm, Closed Door Security. 'Many of today's ransomware attacks and data breaches are executed by adversaries exploiting vulnerabilities. Without a common destination to log vulnerabilities, so organizations can take steps to patch them, they could be more vulnerable to attack.'
However, the news might not be quite as bad as it seems. It's important to understand that MITRE does not operate the National Vulnerability Database; this is run by the U.S. National Institute of Standards and Technology, says Sean Wright, an independent security researcher. 'This is an important distinction since most vulnerability scanners use the NVD as the source of vulnerabilities to do their scanning.'
While MITRE does assign CVE IDs, there are also CVE Numbering Authorities that can assign CVE IDs, says Wright. 'It is important to note that while MITRE is the source of CVE IDs, most security tooling leverages the National Vulnerability Database for their source of vulnerabilities. This is operated by NIST, and to the best of our knowledge at this time, the operation of this database will not be impacted.'
He says the recent news about MITRE's contract would likely only affect new vulnerabilities. 'Historical vulnerabilities should not be affected. It's important to call this distinction out, as there's already been some confusion.'
The question remains, if the contract for MITRE is not renewed, how or if the organization will continue the CVE program, asks Wright. 'Given that we now have a larger number of CVE numbering authorities now also issuing CVEs, it is possible that the impact of this recent news may not be as big as first thought. However with the limited information that we have, it's not possible to tell.'
MITRE said historical CVE records will be available on GitHub, but future CVEs still hang in the balance.
Hopefully another organization will step in to provide the funding, or countries will band together to offer support, says Closed Door Security's Wright. 'But until then, the world may have lost one of its greatest security resources.'
It is possible funding will move to one of the big players in global cybersecurity, or perhaps a consortium. 'The health of the CVE MITRE database is undoubtedly of global benefit,' says Matt Saunders, DevOps lead at The Adaptavist Group. 'There's an opportunity here for the private sector, who will benefit the most from this, to step up and keep it going in the public interest — though there are also inevitable concerns around it falling into the hands of a single private entity.'
Businesses can prepare by diversifying their threat intelligence sources and monitoring vendor-specific vulnerability feeds, says Jamie Akhtar, CEO and co-founder at cybersecurity outfit CyberSmart. 'Organizations should lean more heavily on resources like CISA's Known Exploited Vulnerabilities list, the NVD (if it remains online), and coordinate closely with software vendors. However, there is no true replacement for CVE.'
For now, the best thing to do is hold tight and use the resources available to you. The CVE funding cut isn't the end of the world, but it's still a worrying move that potentially reduces security for everyone.