The CVE program for tracking security flaws is about to lose federal funding

The Verge - Apr 15th, 2025

Funding is set to expire for the Common Vulnerabilities and Exposures (CVE) program, a crucial system used by major tech companies such as Microsoft, Google, Apple, Intel, and AMD to identify and track cybersecurity vulnerabilities. The contract for MITRE, the organization that manages CVE, is scheduled to expire on April 16th. The program's database, which assigns unique IDs to known vulnerabilities, is essential for engineers to assess and prioritize security patches. Lukasz Olejnik, a security and privacy researcher, warns that without continued support, global cybersecurity coordination could face severe disruption.

The potential funding lapse comes as MITRE's contract with federal entities like the Department of Homeland Security and the Infrastructure Security Agency approaches its end. Despite efforts to sustain the program, the uncertainty surrounding its future has raised alarm. The situation highlights the significance of the CVE program in maintaining cybersecurity infrastructure worldwide and the challenges posed by its potential discontinuation. MITRE remains committed to the program, acknowledging its vital role in global cybersecurity and the impact on related initiatives like the Common Weakness Enumeration program.

Story submitted by Fairstory

RATING

7.4
Fair Story
Consider it well-founded

The article provides a well-researched and timely examination of the funding challenges facing the CVE program, a critical component of global cybersecurity infrastructure. It draws on credible sources and presents a balanced view of the situation, highlighting both the potential impacts of the funding lapse and ongoing government efforts to mitigate these effects. The article is clear and engaging, though it could benefit from additional transparency and explanations of technical terms to enhance reader comprehension. Overall, it effectively raises awareness about an important issue with significant public interest and potential policy implications.

RATING DETAILS

Accuracy: 8

The story accurately reports the impending expiration of funding for the Common Vulnerabilities and Exposures (CVE) program, which is corroborated by multiple sources. It correctly identifies MITRE as the organization managing the program under a contract with the U.S. Department of Homeland Security. The claim that the program is crucial for tracking cybersecurity vulnerabilities is well-supported by industry experts. However, the story could benefit from additional details on the reasons for the funding lapse and the specific impacts on critical infrastructure. Overall, the factual claims align well with available data, though some aspects require further verification.

Balance: 7

The article presents a balanced view by including perspectives from both MITRE and industry experts like Lukasz Olejnik. It highlights the potential negative impacts of the funding lapse while also noting government efforts to support the program. However, the article could improve by including more diverse viewpoints, such as opinions from other cybersecurity experts or government officials, to provide a more comprehensive picture of the situation.

Clarity: 8

The article is well-structured and uses clear language to convey the importance of the CVE program and the implications of its funding expiration. The logical flow helps readers understand the issue's significance. However, some technical jargon, such as 'CVE IDs,' may require additional explanation for readers unfamiliar with cybersecurity terms.

Source quality: 8

The article relies on credible sources, including statements from MITRE and recognized cybersecurity experts. The inclusion of a leaked letter and social media posts adds depth, although the latter might not be as reliable as official statements. Overall, the sources used are authoritative and relevant to the topic, contributing to the article's credibility.

Transparency: 6

The article provides a reasonable level of transparency by identifying its sources, such as MITRE and experts like Lukasz Olejnik. However, it lacks detailed explanations of the methodology behind the claims and does not disclose any potential conflicts of interest. Greater transparency about the origins of the leaked letter and the reasons for the funding lapse would enhance reader trust.

Sources

  1. https://www.theregister.com/2025/04/16/homeland_security_funding_for_cve/
  2. https://therecord.media/mitre-warns-of-cve-program-lapse-contract-expires
  3. https://www.csoonline.com/article/3963190/cve-program-faces-swift-end-after-dhs-fails-to-renew-contract-leaving-security-flaw-tracking-in-limbo.html
  4. https://www.tenable.com/blog/mitre-cve-program-funding-set-to-expire
  5. https://www.nextgov.com/cybersecurity/2025/04/mitre-backed-cyber-vulnerability-program-lose-funding-wednesday/404585/