CVE Program for Tracking Security Flaws Faces Funding Crisis

Reese Morgan

April 15, 2025

The Common Vulnerabilities and Exposures (CVE) program, a critical system used by major tech companies to track and identify publicly disclosed cybersecurity vulnerabilities, is on the brink of losing its federal funding. According to MITRE, the federally funded organization behind the program, its contract to "develop, operate, and modernize" CVE will expire on April 16th, putting the entire cybersecurity ecosystem at risk.

The CVE program, launched in 1999, is a database that assigns unique IDs to known cybersecurity vulnerabilities, enabling security professionals to monitor and prioritize patches or mitigations. The program is widely used by companies like Microsoft, Google, Apple, Intel, and AMD to identify and address security flaws in their systems. The loss of funding would severely impact the program's ability to operate effectively, leaving the global cybersecurity landscape vulnerable to attacks.

Security experts are sounding the alarm about the potential consequences of a funding crisis. Lukasz Olejnik, a security and privacy researcher, warned that a lack of support for CVE could "cripple" cybersecurity systems worldwide. "The consequence will be a breakdown in coordination between vendors, analysts, and defense systems — no one will be certain they are referring to the same vulnerability," Olejnik wrote. "Total chaos, and a sudden weakening of cybersecurity across the board."

MITRE has confirmed that the contract expiration will also affect the Common Weakness Enumeration (CWE) program, which catalogs hardware and software weaknesses. Yosry Barsoum, MITRE's vice president and director at the Center for Securing the Homeland, emphasized the organization's commitment to CVE as a global resource, stating that "the government continues to make considerable efforts to support MITRE's role in the program."

The news was first spotted in a leaked letter to MITRE board members posted on X and Bluesky. MITRE receives funding from the US Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) to operate and evolve the CVE Program as an independent, objective third party. The sudden loss of funding raises questions about the government's commitment to supporting critical cybersecurity infrastructure.

The implications of a CVE program funding crisis are far-reaching, with potential consequences for global cybersecurity, economic stability, and national security. As the deadline approaches, the tech industry and governments worldwide are urged to take immediate action to ensure the continued operation and development of this vital program.

In the face of growing cyber threats, the CVE program's role in coordinating vulnerability disclosures and mitigations is more crucial than ever. The loss of funding would create a power vacuum, leaving the door open for malicious actors to exploit vulnerabilities and wreak havoc on the global digital landscape. It is imperative that stakeholders come together to address this funding crisis and ensure the continued security of our digital systems.

Copyright © 2024 Starfolk. All rights reserved.