CVE security program used by Apple and others has funding removed


The CVE security program used to track vulnerabilities in both hardware and software has had its federal funding removed with immediate effect. Apple is one of a number of tech giants who rely on the Common Vulnerabilities and Exposures (CVE) program to identify security flaws in their products.

Update: CVE board members have responded by announcing a new non-profit known as the CVE Foundation to continue the work – more at the end …

The CVE security program

The CVE program provides an easy and efficient way for any individual or organization to report a security vulnerability they have found in any tech product.

Once reported, it is assigned a unique ID comprising CVE- followed by the year and a serial number. This allows others to see that the issue has been reported, and to carry out their own investigations to assist the tech company concerned in determining the severity of the problem.
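A small parser for the identifier format just described, added here as an example and not code from the article or from the CVE program itself: it validates and canonicalises IDs and then checks which IDs two advisories have in common, which is the kind of cross-vendor matching the coordination work relies on. The advisory strings are constructed inputs; the rule that the sequence number is at least four digits is the published CVE ID syntax.

```python
import re

# CVE ID syntax: "CVE-" + four-digit year + "-" + a sequence number of at
# least four digits (longer sequences are permitted). The year is the year
# the ID was reserved or assigned, not necessarily the year of disclosure.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
CVE_ID_IN_TEXT_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def parse_cve_id(text):
    """Return (year, sequence) as ints for a well-formed CVE ID, else None.

    Whitespace and letter case are normalised first, so " cve-2025-1234 "
    is accepted and refers to the same identifier as "CVE-2025-1234".
    """
    match = CVE_ID_RE.match(text.strip().upper())
    if match is None:
        return None
    year, seq = match.groups()
    return int(year), int(seq)


def canonical_cve_id(text):
    """Return the upper-case, trimmed form of a valid CVE ID, else None."""
    return text.strip().upper() if parse_cve_id(text) is not None else None


def extract_cve_ids(text):
    """Return the set of canonical CVE IDs mentioned anywhere in free text.

    Malformed references (too few digits, two-digit years) are left out so
    they cannot be mistaken for a real identifier.
    """
    return {m.group(0).upper() for m in CVE_ID_IN_TEXT_RE.finditer(text)}


def shared_cve_ids(advisory_a, advisory_b):
    """Return the CVE IDs both advisories refer to."""
    return extract_cve_ids(advisory_a) & extract_cve_ids(advisory_b)


# Constructed sample advisories (not real bulletins).
ADVISORY_A = "Vendor A: fixed cve-2025-1234 and CVE-2025-98765 in release 4.2"
ADVISORY_B = "Vendor B: tracking CVE-2025-1234; CVE-2025-001 is a typo upstream"

if __name__ == "__main__":
    print(sorted(shared_cve_ids(ADVISORY_A, ADVISORY_B)))  # ['CVE-2025-1234']
```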

Where a vulnerability requires multiple tech companies to act, the CVE system helps them to coordinate their efforts. Apple, Google, and Microsoft are among the many companies to rely on the system.

While the program falls under the auspices of the US Department of Homeland Security, its work is subcontracted to a private company, The MITRE Corporation.

US government removes federal funding

The MITRE Corporation yesterday announced that its federal funding has been removed, effective today.

On Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire […]

If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.

Noted security researcher Lukasz Olejnik said this will result in “total chaos” in the cybersecurity field.

By cutting what amounts to penny costs, the Trump administration will effectively (at least temporarily) cripple the global cybersecurity system — CVE […]

The consequence will be a breakdown in coordination between vendors, analysts, and defense systems — no one will be certain they are referring to the same vulnerability. Total chaos, and a sudden weakening of cybersecurity across the board.

CWE funding also removed

As mentioned by MITRE, the cut also removes funding for the Common Weakness Enumeration (CWE) program. This is a related scheme that catalogues common types of software and hardware weakness which can have security implications.

This provides guidance that helps tech companies ensure they don’t introduce security flaws into their products in the first place, essentially enabling everyone to learn from the mistakes of others.

9to5Mac’s Take

Both CVE and CWE programs are highly effective, and extremely cost-efficient. Removing their funding is insane.

Update: It seems that CVE board members foresaw the risk of this happening. They have today announced the formation of a CVE Foundation to continue the program’s work.

This concern has become urgent following an April 15, 2025 letter from MITRE notifying the CVE Board that the U.S. government does not intend to renew its contract for managing the program. While we had hoped this day would not come, we have been preparing for this possibility.

In response, a coalition of longtime, active CVE Board members have spent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation. The new CVE Foundation will focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide.

The Foundation says that it will release more information about its plans in the coming days. Funding will be critical, and I’d imagine that Apple will be among the tech giants to offer support.
