Concerns about the future of the MITRE CVE Program continue to circulate. The Tenable Security Response Team has created this FAQ to help provide clarity and context around this developing situation.
Background
The Tenable Security Response Team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding changes around the MITRE CVE Program. As the situation continues to evolve, we will continue to provide updates as new information is released.
FAQ
What is the current status of the MITRE CVE Program?
As of April 16, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has extended funding for the MITRE CVE Program for one year. In a post and update to their website, CISA confirmed the extension, and a spokesperson added that they “executed the option period on the contract to ensure there will be no lapse in critical CVE services.”
When did CVE Board Members find out about the expiration of the MITRE CVE Program and other related programs?
CVE Board members received a notification from MITRE on April 15, 2025. This notification was circulated on social media and picked up in news articles. Tenable published a blog post about the forthcoming expiration and updated it on April 16 upon news of the subsequent renewal.
What is the importance of the CVE Program?
The CVE Program provides the industry with a common identifier for vulnerabilities, which in turn allows the industry to fully track all affected products, remediations, tactics, techniques and procedures (TTPs) and risk measurements for a vulnerability. Without this, we run the risk of being unable to accurately map active exploitation and associated risk to that vulnerability.
One important function that the CVE Program serves is to operate as a CVE Naming Authority (CNA) of last resort, particularly when there are disputes over CVE issuance. This helps to minimize conflicting reports and duplicate records.
What is the value of having a CVE Naming Authority (CNA)?
The CVE Program enables various entities to become a CNA. The CNA program allows vendors, researchers, open source developers and others to reserve and assign CVEs while providing information about a vulnerability. Currently, there are over 450 CNAs that participate in the CVE Program.
What is Tenable’s relationship with the CVE Program?
Tenable is a CNA within the CVE Program and, as such, issues CVEs for vulnerabilities in its own products and for vulnerabilities its research team discovers in other products for which there is no CNA.
What about the announcements of efforts from the CVE Foundation and GCVE?
On the morning of April 16, 2025, the CVE Foundation published a press release regarding an effort to transition the CVE Program to a non-profit foundation established by active CVE Board members. The CVE Foundation aims to move the CVE Program away from a government-funded project to eliminate the risk of “a single point of failure in the vulnerability management ecosystem.”
Additionally, we are aware of other efforts being launched, including the Global CVE (GCVE) allocation system by the Computer Incident Response Center Luxembourg (CIRCL). According to their FAQ, GCVE is a “decentralized system for identifying and numbering security vulnerabilities.” The GCVE site notes that existing CNAs can become GCVE Numbering Authorities (GNAs) and would have autonomy to define their own policies for the identification of vulnerabilities.
Tenable will continue to monitor these evolving efforts surrounding CVE and other programs and update the community as we learn more.
How is Tenable impacted by the interruptions to CVE issuance at both MITRE and the National Vulnerability Database (NVD)?
With uncertainty around interruptions to the CVE Program, Tenable has reserved a sufficient number of CVEs for disclosing vulnerabilities in our products and those discovered in other products.
Tenable is not dependent on either MITRE or NVD for sourcing the logic needed to determine if a product is vulnerable or not. We source our coverage from vendor advisories, which will enable us to continue providing coverage as long as vendors publish security advisories.
Get more information
Join Tenable’s Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.