
The CVE security program used to track vulnerabilities in both hardware and software has had its federal funding removed with immediate effect.
Apple is one of a number of tech giants who rely on the Common Vulnerabilities and Exposures (CVE) program to identify security flaws in their products …
The CVE security program
The CVE program provides an easy and efficient way for any individual or organization to report a security vulnerability they have found in any tech product.
Once reported, the vulnerability is assigned a unique ID comprising CVE- followed by the year and a serial number. This lets others see that the issue has already been reported, and carry out their own investigations to assist the tech company concerned in determining the severity of the problem.
Where a vulnerability requires multiple tech companies to act, the CVE system helps them to coordinate their efforts. Apple, Google, and Microsoft are among the many companies to rely on the system.
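The identifier format and the coordination role described above, shown as an added example (not code from 9to5Mac or from MITRE): a small parser that validates the CVE-year-sequence form and then cross-references constructed, hypothetical vendor advisories so that everyone can confirm they are talking about the same vulnerability.

```python
import re
from collections import defaultdict

# A CVE ID is "CVE-<year>-<sequence>": a four-digit year and a sequence
# number of at least four digits. Case-insensitive so "cve-..." in a
# bulletin is still recognised; the canonical form is upper case.
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def parse_cve_id(text):
    """Return (year, sequence) for one well-formed CVE ID, else None."""
    m = CVE_ID_RE.fullmatch(text.strip())
    if m is None:
        return None
    year, seq = int(m.group(1)), int(m.group(2))
    if year < 1999:  # the CVE list was first published in 1999
        return None
    return year, seq


def normalize_cve_id(text):
    """Canonical upper-case ID with the sequence digits kept verbatim."""
    m = CVE_ID_RE.fullmatch(text.strip())
    return None if m is None else f"CVE-{m.group(1)}-{m.group(2)}"


def cross_reference(advisories):
    """Map each CVE ID found in any advisory to the sorted vendors citing it."""
    seen = defaultdict(set)
    for vendor, body in advisories.items():
        for m in CVE_ID_RE.finditer(body):
            seen[m.group(0).upper()].add(vendor)
    return {cve: sorted(vendors) for cve, vendors in seen.items()}


def shared_ids(advisories):
    """IDs cited by more than one vendor, i.e. where coordination is needed."""
    return sorted(c for c, v in cross_reference(advisories).items() if len(v) > 1)


# Constructed sample advisories; vendors and IDs are hypothetical, not real records.
SAMPLE_ADVISORIES = {
    "VendorA": "Fixed in 1.2: cve-2025-1234 (memory safety). Also tracks CVE-2025-98765.",
    "VendorB": "Bulletin covers CVE-2025-1234; CVE-2024-0001 was addressed earlier.",
    "VendorC": "Note containing a malformed id CVE-25-1234 that must be ignored.",
}

if __name__ == "__main__":
    for cve, vendors in sorted(cross_reference(SAMPLE_ADVISORIES).items()):
        print(cve, "->", ", ".join(vendors))
```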
While the program falls under the auspices of the US Department of Homeland Security, its work is subcontracted to a private company, The MITRE Corporation.
US government removes federal funding
The MITRE Corporation yesterday announced that its federal funding has been removed, effective today.
On Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire […]
If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.
Noted security researcher Lukasz Olejnik said this will result in “total chaos” in the cybersecurity field.
By cutting what amounts to penny costs, the Trump administration will effectively (at least temporarily) cripple the global cybersecurity system — CVE […]
The consequence will be a breakdown in coordination between vendors, analysts, and defense systems — no one will be certain they are referring to the same vulnerability. Total chaos, and a sudden weakening of cybersecurity across the board.
CWE funding also removed
As mentioned by MITRE, the cut also removes funding for the Common Weakness Enumeration (CWE) program. This is a related scheme that catalogs common types of software and hardware weakness that could have security implications.
It provides guidance that helps tech companies avoid introducing security flaws into their products in the first place, essentially enabling everyone to learn from the mistakes of others.
9to5Mac’s Take
Both CVE and CWE programs are highly effective, and extremely cost-efficient. Removing their funding is insane, and we will all be put at greater risk as a result.