{"id":58509,"date":"2025-04-16T19:34:39","date_gmt":"2025-04-16T19:34:39","guid":{"rendered":"http:\/\/9bd2a0d0-e02d-4511-81af-3017658aa2cd"},"modified":"2025-04-16T19:34:39","modified_gmt":"2025-04-16T19:34:39","slug":"why-the-cve-database-for-tracking-security-flaws-nearly-went-dark-and-what-happens-next","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/why-the-cve-database-for-tracking-security-flaws-nearly-went-dark-and-what-happens-next\/","title":{"rendered":"Why the CVE database for tracking security flaws nearly went dark – and what happens next"},"content":{"rendered":"
\n
\n
\"globedark5gettyimages-2071084265\"<\/picture><\/div>\n

<\/div>

fotograzia\/Getty Images<\/span><\/figcaption><\/figure>\n

Over the weekend, security experts were beginning to panic. MITRE<\/a> announced that the US government had not renewed funding for the Common Vulnerabilities and Exposures (CVE) <\/a>database. <\/p>\n

MITRE VP Yosry Barsoum warned that the government contract support enabling MITRE “to develop, operate, and modernize CVE<\/a>” would expire on April 16. That would mean, Barsoum continued, “multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.”<\/p>\n

Also: Navigating AI-powered cyber threats: 4 expert security tips for businesses<\/a><\/strong><\/p>\n

All computer security depends upon CVE, which is the standard for tracking what is (and is not) a significant security hole. Fortunately, with no time left on the clock, MITRE, the non-profit that oversees the CVE database, announced it would get funding <\/a>for another 11 months.<\/a>  <\/p>\n

The CVE program, which has cataloged more than 274,000 publicly disclosed security flaws since its inception in 1999, is relied upon by governments, private industry, and open-source communities — in short, everyone<\/em> — to track and coordinate responses to software holes. For example, Microsoft, with its Patch Tuesday,<\/a> and Linux kernel developers<\/a> both use CVEs to track security problems.<\/p>\n

Everyone relies on CVEs because, while far from perfect, they’re the universally agreed-upon standard for tracking security problems. As Jen Easterly, former director of the Cybersecurity and Infrastructure Security Agency (CISA)<\/a>, explained on LinkedIn: <\/p>\n

\n

Think of the CVE system like the Dewey Decimal System for cybersecurity<\/a>. It’s the global catalog that helps everyone — security teams, software vendors, researchers, governments — organize and talk about vulnerabilities using the same reference system. Without it:<\/p>\n