🚨 CVE in Crisis: MITRE to Halt Maintenance – What This Means for Cybersecurity


On April 15th, a leaked letter from MITRE Corporation stunned the cybersecurity world. The message was clear: MITRE may no longer maintain the CVE and CWE databases after April 16th due to contract expiration. This sudden development has left seasoned security professionals and newcomers alike questioning the future of how we track and talk about vulnerabilities.
What Are CVE and CWE?
For those just starting in cybersecurity:
CVE (Common Vulnerabilities and Exposures) is a standardized system used globally to identify and catalog security vulnerabilities. Think of it as the “dictionary” of known security bugs.
CWE (Common Weakness Enumeration) classifies the types of software weaknesses that can lead to vulnerabilities—like poor input validation or insecure file handling.
These systems act as the foundation of vulnerability management across industries—from bug bounty programs and open-source security to government defense and private enterprise cyber hygiene.
What’s Happening?
MITRE, a nonprofit trusted by the U.S. government to operate CVE and CWE, revealed that its current funding contract ends on April 16, 2024. Without an immediate replacement or extension, MITRE will no longer be able to update or maintain these critical resources.
The Cybersecurity and Infrastructure Security Agency (CISA) says it is “urgently working to mitigate impact,” but there’s currently no clear backup plan.
This isn't just a technical hiccup—it’s a potential cybersecurity earthquake.
Why Does This Matter?
If you’re new to cyber:
CVEs are like IDs for software bugs. They allow everyone—hackers, defenders, vendors, researchers—to speak the same language when referring to a vulnerability.
Without CVEs, chaos enters the picture. It would be like doctors losing access to medical terminology—confusion, duplication, and miscommunication would follow.
If you’re experienced:
You know how much tooling, automation, compliance, risk scoring (like CVSS), threat intelligence, and even patch management rely on CVEs.
A break in MITRE’s service could lead to broken security tooling, delays in response, and data fragmentation, weakening global cybersecurity posture.
As cybersecurity researcher Brian Martin put it: “Pulling the plug on the database would cause an immediate cascading effect that will impact vulnerability management on a global scale.”
How Did We Get Here?
The details are still murky. The contract, reportedly funded by the Department of Homeland Security, is simply expiring—with no immediate replacement in place.
Some speculate broader federal budget shifts or administrative reshuffling are to blame. But regardless of the "why", the "what now?" is deeply concerning.
What’s Next?
For now, historical CVE records will still be available on GitHub and the official CVE website.
CVE Numbering Authorities (CNAs)—organizations authorized to assign CVEs—will likely continue issuing IDs for new vulnerabilities.
But without MITRE at the helm, coordination, verification, and centralization will suffer.
Jen Easterly, Director of CISA, stressed the seriousness:
“If CVEs vanish, so does one of the clearest public sector warning systems that we have. Cyber threats don’t stop at borders. Neither does defense. Lose this, and everyone’s flying blind.”
Final Thoughts
Whether you're just learning about CVEs or have built your workflow around them, this news affects all of us. MITRE’s stewardship has been the backbone of vulnerability tracking for decades. Losing or disrupting that system is not just inconvenient—it’s dangerous.
This is a wake-up call—not just to the government, but to the entire cybersecurity ecosystem. We must advocate for stability, transparency, and contingency planning in how we manage vulnerability data.
Because if we lose CVEs, we don’t just lose some database.
We lose our shared language for defense.
🛡️ Stay informed. Stay alert. Whether you’re just starting in cybersecurity or leading a SOC team, this is a moment that will shape how we handle vulnerabilities for years to come.
Written by lon3wol5
