Thursday, October 30, 2025
FeeOnlyNews.com
MITRE-geddon Averted, But Fragility In CVE Processes Remains

by FeeOnlyNews.com
6 months ago
in Market Analysis
Reading Time: 5 mins read
This week, we saw the Common Vulnerabilities and Exposures (CVE) process, as we know it, come within hours of collapse when a memo started circulating on LinkedIn that the US Department of Homeland Security would cut funding to MITRE’s CVE cataloging on April 16. MITRE’s role in the CVE process is the crucial first step of assigning IDs to vulnerabilities so that practitioners, vendors, researchers, and governments across the globe can consistently reference the same vulnerability. The process also enables responsible disclosure and holds software companies accountable for vulnerabilities in their products.

The panic highlighted the elephant that has been hanging out in the data center for too long: The CVE process is convoluted and has too many single points of failure. CVE submission processes have been falling apart for several months now, notably with NIST falling behind on assessing CVEs, scoring them with the Common Vulnerability Scoring System (CVSS), and adding them to its separately maintained vulnerability catalog, the National Vulnerability Database (NVD), which many security companies use as their source of vulnerability truth.

Without this first step of reporting vulnerabilities to an independent arbiter like MITRE, the security community loses its ability to consistently communicate vulnerability issues in software and to specify which components and versions are vulnerable. If this process ceases with no replacement, responsible and objective disclosure of newly discovered vulnerabilities would fall by the wayside, giving threat actors leverage and leaving software companies with little accountability.

CVE Program Renovation Leaves Uncertainty

The security community recognized the need for better resilience in the CVE process. When US federal funding to a nonprofit can jeopardize so much, there is something inherently wrong. Even though MITRE ended up with funding, the status quo has proven to be unacceptable given the volatile reality of today’s cybersecurity and political landscape. Although MITRE-geddon approached and passed without disruption, many other entities have raised their hands to take on managing new vulnerabilities, including:

  • The CVE Foundation. Members of the CVE board emphasized concerns about the global reliance on a process funded by single entities such as CISA and announced intentions to build a more resilient solution that can uphold imperatives in sustainability and neutrality. But as of now, the CVE Foundation has only released a memo and stood up thecvefoundation.org, which only states that more details about transitions will be announced. On Friday, the Dutch Institute for Vulnerability Disclosure posted its support for centralization through the CVE Foundation on LinkedIn.
  • The European Union. Cybersecurity leaders and industry experts outside the US have expressed concern about the risks of relying on a single funding source for a critical global resource such as CVE. The European response to the uncertainty around the CVE system has been swift. Key organizations such as ENISA launched the European Vulnerability Database to enhance regional resilience and reduce reliance on a single US-funded entity. At the same time, the European Cyber Security Organisation issued a clear call for European stakeholders to step up with trustworthy and transparent alternatives, reinforcing the need for sovereignty in cybersecurity infrastructure. Broader community initiatives, including CIRCL’s decentralized global CVE system, further underscore Europe’s commitment to building a robust and autonomous vulnerability management ecosystem. Many European institutions (including, again, ENISA) are already CVE Numbering Authorities, and it appears that those roles could expand.
  • Cybersecurity vendors. Although CVE identifiers provide a consistent language for security professionals and vendors detecting and tracking vulnerabilities, vulnerability enrichment vendors like Flashpoint and VulnCheck provide their own catalogs. We anticipate that disruption to the process will give vulnerability enrichment and threat intelligence vendors more opportunities to sell their independent solutions. This opens the door to fragmented, paywalled alternatives, introducing new risks, costs, and dependencies. A standard, free CVE process on which everyone has relied for the past 25 years is likely to see more commercialization, with CISO budgets footing the bill.

Other organizations cropping up to save the day don’t necessarily address the core problem. The value of having one organization responsible for maintaining CVEs is that there is then a single source of truth: a unified global ID system for security vulnerabilities and a common language across security vendors, researchers, and IT teams. This allows seamless integration into security tools such as scanners, security information and event management (SIEM) platforms, and vulnerability databases.

What It Means For Security Teams

The April 2025 incident shows that a lapse in support can disrupt a global system. When too many entities, whether governments or commercial vendors, maintain their own vulnerability databases, the lack of consistency will lead to more confusion. A disruption to CVE services could trigger fragmentation across the cybersecurity ecosystem, making it difficult for vendors and researchers to assign or reference vulnerabilities consistently, in turn hampering disclosure and remediation.

Security researchers may need to report vulnerabilities to multiple institutions, leading to duplication and inefficiency. Additionally, most vulnerability scanners and patch management tools rely on timely and consistent CVE updates; without those updates, their results become unreliable. Vulnerability management teams will also face new challenges in remediation prioritization without consistent, up-to-date intelligence, further increasing exposure and risk.

All of this won’t go unnoticed by adversaries. Expect a surge in opportunistic attacks as threat actors seek to exploit the confusion and gaps in visibility. It is also conceivable that new “vulnerability intelligence sources” could, in fact, be threat vectors, with so many authoritative sources out there.

What Security Teams Can Do Now

Most security teams rely on a variety of tooling and vendors to identify CVEs in their environment. Given the fragility of today’s CVE process, and an unknown future for how new CVEs will be handled, security teams should:

  • Understand vendor plans for the CVE source of truth. If your security tooling (such as vulnerability management, web application firewalls, and software composition analysis solutions) refers to CVEs to help users prioritize discovered issues, work with your vendors to understand how they will adapt if CVE updates stall or CVE ownership changes. Many vendors rely on the NVD, so changes in CVE identification could also have trickle-down effects on vendors’ sources of truth.
  • Test how compensating controls can mitigate exploit impact. One exploited vulnerability in isolation doesn’t typically lead to a breach. Ensure that preventive controls such as intrusion prevention systems, multifactor authentication, and encryption are working as designed, using security assessments like red teaming or continuous security testing; working controls buy time when vulnerability responses are delayed.
  • Leverage threat intelligence and attack surface management. Use threat intelligence to build a better picture of the threats likely to impact your organization, and check for indicators of compromise. Include detection of stolen credentials to mitigate unauthorized access. Use attack surface management to detect and manage previously unknown assets. Even if you’re unable to scan these assets for vulnerabilities, ensure that they meet minimum security standards such as the CIS Benchmarks and have any unnecessary ports closed.
  • Develop a contingency plan for vulnerability management. Assume that CVE publishing could slow down and become fragmented. Prepare by diversifying your vulnerability detection sources. Avoid single points of failure. Monitor for degradation in CVE quality or delays. Engage with threat sharing communities such as ISACs, FIRST, OpenSSF, or OWASP to gain early insight into critical vulnerabilities. Assess vendor lock-in and roadmap transparency. Evaluate whether suppliers are overly dependent on CVE as a taxonomy. Ask whether they can adapt to alternative or proprietary vulnerability identifiers and what commitment they would make if CVE continuity is threatened.
  • Elevate the issue internally … and prepare for incidents. A disruption of CVE impacts more than just your security organization. It also affects risk management, compliance, and incident response capabilities. Create executive awareness and help leadership understand potential downstream effects and any additional support requirements. Convene your critical vulnerability response team and run tabletop exercises and crisis simulations, factoring in potential inconsistencies and misinformation related to a newly discovered and exploited vulnerability in a critical system.
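The "monitor for degradation in CVE quality or delays" and "diversify your vulnerability detection sources" advice above can be turned into a concrete check. The script below is an added example, not code from Forrester or from any CVE program; it uses constructed records from two hypothetical catalogs (named "cna" and "nvd-like") with placeholder IDs and a simplified field layout that does not match any real API, and it flags records whose CVSS/CPE enrichment is late or missing, IDs that one catalog lacks, and IDs whose scores disagree between catalogs.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample records from two hypothetical catalogs. The IDs are
# placeholders (not real CVEs) and the field shape is not any real API schema.
@dataclass(frozen=True)
class Record:
    cve_id: str
    source: str
    published: date
    enriched: Optional[date]   # date CVSS/CPE data were attached; None = still unenriched
    cvss: Optional[float]

SAMPLE = [
    Record("CVE-0000-0001", "cna", date(2025, 4, 1), date(2025, 4, 3), 9.8),
    Record("CVE-0000-0001", "nvd-like", date(2025, 4, 1), None, None),              # enrichment backlog
    Record("CVE-0000-0002", "cna", date(2025, 4, 2), date(2025, 4, 2), 7.5),
    Record("CVE-0000-0002", "nvd-like", date(2025, 4, 2), date(2025, 4, 20), 5.3),  # slow and disagrees
    Record("CVE-0000-0003", "cna", date(2025, 4, 10), date(2025, 4, 11), 6.1),      # absent downstream
]
TODAY = date(2025, 4, 30)  # constructed "now" so the example is deterministic

def enrichment_delays(records, today, max_lag_days=7):
    """Map (source, cve_id) -> lag in days for records enriched late or not at all."""
    late = {}
    for r in records:
        # An unenriched record keeps accruing lag until today.
        lag = ((r.enriched or today) - r.published).days
        if lag > max_lag_days:
            late[(r.source, r.cve_id)] = lag
    return late

def catalog_drift(records):
    """Find IDs missing from some source and IDs whose CVSS differs between sources."""
    by_id = defaultdict(dict)
    for r in records:
        by_id[r.cve_id][r.source] = r
    sources = {r.source for r in records}
    missing = {cid: sorted(sources - set(v)) for cid, v in by_id.items() if set(v) != sources}
    scores = {cid: {rec.cvss for rec in v.values() if rec.cvss is not None} for cid, v in by_id.items()}
    disagree = sorted(cid for cid, s in scores.items() if len(s) > 1)
    return missing, disagree

if __name__ == "__main__":
    print("late or missing enrichment:", enrichment_delays(SAMPLE, TODAY))
    print("missing / disagreeing IDs:", catalog_drift(SAMPLE))
```

Run against real feeds, the same two checks give a team an early signal that a catalog is falling behind or that vendors' "sources of truth" have started to diverge.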

Connect With Us

If you’re a Forrester client and need assistance in navigating these changes and their implications, we’d love to help. Please reach out and schedule an inquiry or guidance session.