Following the News: MITRE’s Common Vulnerabilities and Exposures (CVE) Funding

Last updated at Wed, 16 Apr 2025 14:56:15 GMT

The current situation

On April 16, CISA extended funding to ensure no continuity issues with the critical Common Vulnerabilities and Exposures (CVE) program. This was in response to a letter sent by MITRE on April 15 to CVE board members warning of a potential issue with MITRE's support for the CVE program. MITRE administers the global CVE program, which provides the human and technological infrastructure to reserve, publish, modify, and dispute CVEs.

Rapid7 continues to monitor both public and private discussions closely in its capacity as a CVE Numbering Authority (CNA) and as a longtime leader and participant in the CVE ecosystem.

How this could impact Rapid7 and our customers

Since funding has been extended for the next 11 months, there is no current impact. Rapid7 will continue to monitor the situation to ensure there is no future impact to our customers' ability to use our platform to accurately assess their environment for vulnerabilities.

Rapid7’s multi-layered approach to vulnerability detection, creation, and risk scoring means that our products are not completely reliant on any single source of information. This was something we pointed to last year, when we assured customers of our continued vulnerability coverage in the face of NIST’s National Vulnerability Database delays.

The importance of MITRE and the CVE Program

The CVE program is critical infrastructure for modern vulnerability identification, tracking, management, and resolution. CVEs are used for risk identification, commercial and open-source tooling, vulnerability management workflows, security and academic research, threat intel production, incident response, and many other applications worldwide.

Rapid7 thanks and supports the MITRE organization as well as the extended ecosystem of industry collaborators who have worked diligently for the past 25 years to ensure the CVE program's utility and integrity for the broader community.

We will continue to monitor the situation and will update this blog with any relevant developments. If you have any questions, please reach out.