In what appears to be the latest move in this administration’s total incompetence with regard to critical government tech infrastructure, MITRE announced yesterday that funding had run out for the Common Vulnerabilities and Exposures (CVE) system, the fundamental framework that basically everyone in cybersecurity relies on to keep computer systems safe. After the entire cybersecurity world freaked the fuck out, one of the remaining unfired people at the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that they had extended the funding for another 11 months.

But just the fact that it came literally hours away from shutting down is both terrifying and a real sign of how totally incompetent and clueless the administration is, and how they’re putting everything at risk by just totally YOLOing all sorts of critical projects.

If you’re unaware of the CVE system, as former CISA director Jen Easterly explains, imagine if someone suddenly deleted the Dewey Decimal System and expected librarians to still be able to find books. Now, make it so every bit of computer security that you depend on relies on librarians being able to accurately find the necessary books as quickly as possible, and you just scrambled the entire organization system with effectively no warning.

That’s exactly what’s almost happened, as evidenced by this alarming letter from MITRE:

If you can’t see that, it says:

April 15, 2025

Dear CVE Board Member,

We want to make you aware of an important potential issue with MITRE’s enduring support to CVE.

On Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire. The government continues to make considerable efforts to continue MITRE’s role in support of the program,

If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.

MITRE continues to be committed to CVE as a global resource. We thank you as a member of the CVE Board for your continued partnership.

Sincerely,

Yosry Barsoum

VP and Director

Center for Securing the Homeland (CSH)

Security and privacy researcher Lukasz Olejnik puts it bluntly: losing CVE means “total chaos, and a sudden weakening of cybersecurity across the board.” The consequence will be a “breakdown in coordination between vendors, analysts, and defense systems — no one will be certain they’re referring to the same vulnerability.”

This isn’t hyperbole. According to Forbes, security teams had to scramble to figure out how to function without this vital infrastructure:

Greg Anderson, CEO and founder of DefectDojo, voiced what many in the community are feeling: “MITRE’s confirmation that it is losing DHS funding to maintain the Common Vulnerabilities and Exposures (CVE) program should concern every cybersecurity professional around the world, especially considering that the funding expires tomorrow—leaving no room for anything to be built in its place.”

Anderson added a sobering thought experiment: “If, as expected, the database goes offline tomorrow and only GitHub records remain, every security team has just lost an essential resource for early warnings and a cohesive framework for naming and addressing vulnerabilities.”

Cool cool.

We mentioned Easterly’s comment about the Dewey Decimal System above, but it’s worth reading her full post as she has explained the problem in simple-to-understand terms for those not in the cybersecurity field:

Think of the CVE system like the Dewey Decimal System for cybersecurity. It’s the global catalog that helps everyone—security teams, software vendors, researchers, governments—organize and talk about vulnerabilities using the same reference system. Without it:

— Everyone is using a different catalog or no catalog at all

— No one knows if they’re talking about the same problem

— Defenders waste precious time figuring out what’s wrong

— And worst of all, threat actors take advantage of the confusion

Just like librarians trying to find a book in a disorganized library, cybersecurity professionals would be trying to defend your systems without knowing exactly what the threats are or where to find them.

For an administration that loves to talk about national security and claims to have Elon Musk as its “tech support,” its actions tell a different story. After dismantling important technical know-how and stripping away cybersecurity expertise, letting CVE’s funding lapse represents something even more dangerous: demolishing the very infrastructure that keeps our systems secure.

The fact that CISA came through at the last minute with more funding to keep CVE alive is better than letting the system collapse, but it’s still horrifying. The entire cybersecurity world had to spend much of yesterday trying to figure out contingency plans and work out what the fuck to do about all of this.

The fact that the administration let it get to this point — where a system this fundamental to global cybersecurity could vanish overnight — demonstrates an administration that isn’t just incompetent, but recklessly destructive. They’re not just failing to understand the consequences of their actions — they’re failing to even recognize there might be consequences worth understanding.


From Techdirt via this RSS feed