The MITRE Thing was a wake-up call

April 15–16, 2025 was kind of a rough couple of days for the infosec community, because MITRE almost lost funding for much of the CVE and CWE programs[1]. The CVE (Common Vulnerability Enumeration) program run by MITRE underlies the National Vulnerability Database (NVD) that is core to a great many compliance requirements, including the US Federal Government's FedRAMP program.[2]

And most of what people freaked out about was the potential loss of the CVE program's database of vulnerabilities. And that's kind of a problem.

The wake-up call we needed was not "MITRE has this big database of vulns, maybe we should have an alternative". Lots of vendors and public services keep backups and provide access to MITRE's data. After all, MITRE makes it extremely easy to do that. The wake-up call is that far too many people don't understand what MITRE does.

The CVE program isn't just a database. MITRE coordinates and manages multiple organizations (called CVE Numbering Authorities, or CNAs) that issue the CVE advisories themselves, as well as serving as a public CNA itself. If you're an independent security researcher, you probably report the vulnerabilities you discover to MITRE. If you're a smaller but responsible software company, you report vulnerabilities you've patched to MITRE. If you're a larger org, or one with a security research function, you might issue a CVE advisory yourself—but you still report that to MITRE.

The end result is a comprehensive, managed, and coordinated data set of reported vulnerabilities. Security vendors rely on this dataset even when they also have their own advisory systems. Almost every organization in the US—not to mention many across the world—relies at least in part on MITRE's CVE program and data to help them make security decisions and keep their customers safe. The US government relies on MITRE's CVE program to ensure that federal contractors protect government data, which is often sensitive citizen and resident data.

The response from the community seemed to largely focus on the database going away. I get it, that's how most of us are used to interacting with the CVE program. But this isn't a hosting problem—the need MITRE fills with CVE is more about the coordination and management than it is about the data. MITRE is a non-profit, independent, trusted entity. That's why the US government funded the CVE program through them. That's an astonishingly hard thing to duplicate, and we can't trust for-profit vendors with it.

There's also the CWE program, which was largely ignored. And that concerns me as well. The CWE (Common Weakness Enumeration) system is a research-backed taxonomy for software flaws. It's really under-appreciated. The CWE program categorizes programming and configuration errors in ways that help savvy organizations deliver safer software by identifying patterns in the mistakes organizations make when producing, deploying, and operating software. And we almost lost this as well.

And like CVE, the CWE project is not just about the data—it's also about the coordination and governance that ensures that taxonomies aren't owned by some well-funded vendor at the expense of public safety and security.

Almost losing these programs over politics that place imagined "efficiency" over the safety and security of both government information systems and private organizations should be a wake-up call. Maybe it's time to make sure we don't rely on the US government to fund MITRE. Maybe it's time for industry to create an endowment to ensure MITRE's CVE and CWE are funded, and to ensure that global alternatives (like GCVE)[3] get adoption as well.

What MITRE does is too important to leave to political whims. And that means making sure it can remain independent and that we have backup plans for more than just the database.


  1. 'Stupid and Dangerous': CISA Funding Chaos Threatens Essential Cybersecurity Program, WIRED, retrieved 2025-04-17 [archive.org copy] [ghostarchive.org copy]

  2. FedRAMP sets standards for cloud service providers—private organizations that sell hosted software and services to the US Federal government. In part, it requires that software providers have plans to respond to any security vulnerability listed in the NVD.

  3. About GCVE, gcve.eu, retrieved 2025-04-17 [archive.org copy] [ghostarchive.org copy]