The CVE program, launched in 1999, has been designed to develop an ID system and help engineers and organizations identify, apply patches, and mitigate vulnerabilities worldwide. Considering a code that begins with the letters “CVE” followed by the year and a unique number—such as CVE-2024-50050 found in Meta’s AI Framework or the Chrome zero-day vulnerability CVE-2025-2783 spotted a few weeks ago—the program organizes and keeps control of global vunerabilities.

The U.S. government will not renew the contract to provide financial support to the CVE program, and it expires today. The non-profit organization has sent a letter to CVE board members and assures the government is searching for alternatives. Cybersecurity experts are concerned and warn about global disruption and confusion.

The MITRE Corporation has been maintaining and operating the CVE system since its founding and has been consistently receiving financial support from the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) for the past 25 years. An internal letter sent from Yosry Barsoum, VP and Director of the Center for Securing the Homeland (CHS) at MITRE, to board members of the CVE has been leaked and shared publicly on Bluesky. “We want to make you aware of an important potential issue with MITRE’s enduring support to CVE,” states the document. “On Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire.” The Verge has confirmed the information disclosed on the social media platform and reached out to Barsoum who assured that the government is making efforts to continuing to support MITRE, and that, in the meantime, the Common Weakness Enumeration (CWE) program—which focuses on software and hardware vulnerabilities—will also be affected. Cybersecurity researcher Lukasz Olejnik shared his concerns on X. “The Trump administration will effectively (at least temporarily) cripple the global cybersecurity system,” he wrote in a post. “The consequence will be a breakdown in coordination between vendors, analysts, and defense systems — no one will be certain they are referring to the same vulnerability. Total chaos, and a sudden weakening of cybersecurity across the board.”

— Lukasz Olejnik (@lukOlejnik) April 15, 2025 Other experts and organizations, including MITRE, expect to find other funding sources and alternatives for the CVE program to continue its service and operations regularly.