Online risks will escalate as CVE database gets defunded TechTricks365

The loss of CVE will make it harder to track malware

After the U.S. government initially cut its funding of the CVE database, used to track security vulnerabilities in operating systems and software, CISA has said it will continue to be funded for another 11 months at least.

Early on Wednesday, it was reported that the Common Vulnerabilities and Exposures (CVE) database had its funding cut. Within hours, its funding was restored for just under one more year.

The CVE is an important part of modern cyber security. It’s a central database of vulnerabilities found in operating systems and applications, which can be abused by hackers and malware to attack targets in various ways.

On Tuesday, the defense non-profit MITRE Corporation said its funding to maintain the CVE database would expire on Wednesday. At the same time, the Common Weakness Enumeration (CWE) program would also lose its funding.

The Cybersecurity and Infrastructure Security Agency (CISA) confirmed to Reuters that the contract was ending. The U.S. Department of Homeland Security, parent organization of CISA, funded the contract.

At the time, CISA added that it was working to mitigate the impact and to maintain the CVE services as far as possible. It didn't say whether it was going to formally take over the database at that moment, but it has since confirmed that CVE will remain live.

11 more months

CISA told BleepingComputer that the agency executed an option period on the contract on Tuesday night that would ensure no lapse in CVE services.

That period is understood to be 11 months in length; however, there is no guarantee that it will be extended further into the future. It is probable that CISA will use the window to prepare for whatever follows, such as a shutdown of the database or a migration to another entity entirely.

Critical system’s big impact

CVE is a critical part of the security ecosystem, and one that Apple references frequently. Many security updates for iOS and macOS have cited CVE listings, allowing researchers to know which issues have been fixed and which vulnerabilities have been closed.

As a central database that developers and researchers consult, it minimizes duplicate listings and duplicated work, so researchers can more easily collaborate on issues. It has also become the standard way vulnerabilities are referred to throughout the security industry.

The initial reports of a loss of funding were met immediately by security researchers and other members of the field with a universal outcry that this is a bad thing for security in general.

Former CISA chief Jen Easterly wrote on LinkedIn that the potential shutdown of the CVE database has serious implications for business risk and national security. Likening it to a Dewey Decimal System for cybersecurity, she said the loss would be profound for researchers.

“Just like librarians trying to find a book in a disorganized library, cybersecurity professionals would be trying to defend your systems without knowing exactly what the threats are or where to find them,” writes Easterly.

The ex-agency head added that the loss of CVE would mean an increased risk of breaches and ransomware, higher costs for security, and a loss of trust of consumers and regulators.

Brian Martin, a computer vulnerabilities historian, said there would be "an immediate cascading effect" that will harm vulnerability management globally. Computer Emergency Response Teams (CERTs) would no longer have their major source of vulnerability intelligence at their disposal, Martin adds, while companies will experience "swift and sharp pains" in their security management programs.

Updated on April 16, 2025 at 2:34 P.M. Eastern with the funding extension announcement.