For the countless organizations that have relied on CVEs and the National Vulnerability Database (NVD) to support vulnerability management and cyber-risk management programs, the past few weeks have been a white-knuckle ride.
That started with an announcement on April 2 by the National Institute of Standards and Technology (NIST) that it would defer enrichment of all Common Vulnerabilities and Exposures (CVEs) in the NVD published before January 1, 2018, sparking concern from application security (AppSec) teams.
Then came the surprising letter from the nonprofit corporation MITRE on April 15 that its contract with the U.S. Department of Homeland Security to run the CVE program would expire on April 16, preventing the organization from maintaining DHS’s CVE program as it has for more than two decades.
Amid rising concern from cybersecurity experts, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday responded to MITRE’s letter, announcing that it had executed an option to extend the government’s contract with MITRE for 11 months to ensure there will be no lapse in critical CVE services — at least for the time being. “We appreciate our partners’ and stakeholders’ patience,” a CISA spokesman said.
CVE news rattles cyber community
The letter from MITRE about the impending end of its work overseeing CVEs roiled the security community. Roger Grimes, a defense evangelist at the security awareness training provider KnowBe4, praised the move by DHS to extend its MITRE contract but said questions about its future still need answers.
"I'm glad it is being funded. Now the question is, 'Is it being funded at the same level, less, or even better?' Because the program has always had a ton of deficiencies for years that the community has been hoping could be improved."
—Roger Grimes
Grimes said the CVE program has been running on a shoestring budget for years, "hanging on by a thread, ready to collapse in usefulness at any minute."
What you need to know about CVE deferment
Evidence of that was NIST’s announcement on April 2 that it would defer enrichment of all CVEs in the NVD published before 2018. In its statement, NIST said that it is assigning the status of “deferred” to older CVEs in order to “indicate that we do not plan to prioritize updating their enrichment data due to the CVE’s age.”
Enriching CVEs is a critical part of the NVD's mission, and it's especially important to organizations with a vulnerability-centric approach to security. Enrichment provides data to enable organizations to prioritize their remediation efforts. Since security tools are often integrated with the NVD, enriched CVEs can enable better automation for vulnerability detection and patch management.
CVEs marked by NIST as “deferred” will display a banner on their detail pages indicating this status. They may still be enriched and updated by NIST, should the agency receive requests to do so that it deems “appropriate” and — critically — should NIST’s “time and resources allow" it to do so, NIST said in a statement.
The move by NIST to mark older CVEs as deferred is not a surprise given the enormous task that the management of vulnerabilities has become, with the number of apps and associated vulnerabilities exploding in 2025, said Ken Dunham, cyberthreat director of the threat research unit at Qualys.
"Management of vulnerabilities is complex when you consider the diversity and depth of scale that we have in 2025, with most larger organizations having hundreds to thousands of apps and associated patches across legacy, cloud, and mobile infrastructure, with various dependencies."
—Ken Dunham
And, while NIST’s attempts to refocus scarce resources on emerging threats makes sense from a threat perspective, the decision is a calculated trade-off, said Jason Soroko, senior vice president of product at Sectigo.
"It minimizes noise and boosts focus but leaves risk mitigation for legacy systems squarely in the hands of individual organizations."
—Jason Soroko
The time for change is now
The message for organizations concerned about the uncertainty of resources such as CVEs and the NVD is clear: Embrace the change. For example, Dunham recommended that organizations take immediate action in the wake of the April 2 NIST decision to manage and prioritize their own cyber risks, especially for high-value assets and any assets with increased exposure to an attack surface. "Exploitation often occurs amongst more moderate and older vulnerabilities still in production, requiring more complex patching priorities for organizations to manage vulnerability risk, ranging from zero days and emergent risk to long-term likely exploitation from persistent actors," Dunham said.
Organizations that want to address their threat and vulnerability management needs will need a strong threat and vulnerability patch management program, along with a strong configuration management database, validation of successful patching, KPIs and metrics, risk-based prioritization, and holistic SecOps, he said.
Soroko said defensive security teams should not rely solely on external databases but instead should actively identify legacy systems and deferred vulnerabilities within their own environments. That includes prioritizing patching of legacy systems where feasible, enforcing system hardening, and isolating or segmenting older systems to minimize their exposure to threats.
In addition, organizations running legacy hardware and software should prioritize the use of real-time threat intelligence to help pinpoint when attackers target deferred CVEs and other weaknesses, allowing teams to act swiftly, he said.
NIST said that with its deferment update, it will prioritize any CVEs that are added to the Known Exploited Vulnerabilities (KEV) catalog regardless of status. The KEV, maintained by CISA, is an authoritative source of information about vulnerabilities that have been actively exploited in the wild.
While it may be concerning to see older CVEs, particularly those associated with prominent vulnerabilities, deferred and given a lower priority, the reality is that the CVE remains in the NVD, with a recognition that updates to older CVEs are less frequent.
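The triage steps recommended above (prioritize by asset value and exposure, check KEV regardless of NVD status, and assess deferred CVEs locally rather than waiting for NIST) can be reduced to a small ranking routine. The following is an added example, not code from the article or from any of the vendors quoted. It assumes record shapes that mimic the NVD API 2.0 `vulnStatus` field and the KEV catalog's `cveID` field; every CVE number, asset name and score below is constructed sample data, and the 7.0 placeholder severity for un-enriched CVEs is an arbitrary policy choice, not a NIST value.

```python
"""Risk-based triage of scanner findings when NVD enrichment is deferred.

Added example; not part of the original article. Record shapes mimic the
NVD API 2.0 "vulnStatus" field and the CISA KEV catalog's "cveID" field
(assumption); all sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed NVD-style records. "Deferred" entries carry no CVSS score,
# mimicking a pre-2018 CVE that NIST has not enriched.
NVD_RECORDS = {
    "CVE-2017-0001": {"vulnStatus": "Deferred", "cvss": None},
    "CVE-2017-0002": {"vulnStatus": "Deferred", "cvss": None},
    "CVE-2023-0003": {"vulnStatus": "Analyzed", "cvss": 9.8},
    "CVE-2024-0004": {"vulnStatus": "Analyzed", "cvss": 5.3},
}

# Constructed KEV-style catalog (the real catalog has many more fields).
KEV_CATALOG = {"vulnerabilities": [{"cveID": "CVE-2017-0002"}]}

# Constructed asset inventory; exposure 0 = internal only, 2 = internet-facing.
ASSETS = {
    "legacy-erp": {"exposure": 0, "high_value": True,
                   "cves": ["CVE-2017-0001", "CVE-2024-0004"]},
    "web-portal": {"exposure": 2, "high_value": True,
                   "cves": ["CVE-2017-0002", "CVE-2023-0003"]},
    "dev-box": {"exposure": 1, "high_value": False, "cves": ["CVE-2023-0003"]},
}

# Assumed policy: an un-scored (deferred) CVE is treated as "probably high"
# so it is not silently sorted to the bottom behind every scored finding.
UNSCORED_SEVERITY = 7.0


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    in_kev: bool
    deferred: bool
    cvss: Optional[float]
    exposure: int
    high_value: bool

    def priority(self) -> tuple:
        """Sort key: KEV membership first, then exposure, asset value, severity."""
        severity = self.cvss if self.cvss is not None else UNSCORED_SEVERITY
        return (self.in_kev, self.exposure, self.high_value, severity)


def triage(nvd, kev, assets) -> list:
    """Join scanner findings with NVD status and KEV, return highest risk first."""
    kev_ids = {v["cveID"] for v in kev["vulnerabilities"]}
    findings = []
    for name, asset in assets.items():
        for cve in asset["cves"]:
            if not CVE_RE.match(cve):
                raise ValueError(f"malformed identifier: {cve}")
            rec = nvd.get(cve, {"vulnStatus": "Unknown", "cvss": None})
            findings.append(Finding(
                asset=name, cve=cve, in_kev=cve in kev_ids,
                deferred=rec["vulnStatus"] == "Deferred", cvss=rec["cvss"],
                exposure=asset["exposure"], high_value=asset["high_value"]))
    return sorted(findings, key=Finding.priority, reverse=True)


def needs_local_enrichment(findings) -> list:
    """Deferred CVEs with no score: the team must assess these itself."""
    return sorted({f.cve for f in findings if f.deferred and f.cvss is None})


if __name__ == "__main__":
    ranked = triage(NVD_RECORDS, KEV_CATALOG, ASSETS)
    for f in ranked:
        flag = "KEV" if f.in_kev else ("DEFERRED" if f.deferred else "")
        print(f"{f.asset:<11} {f.cve} cvss={f.cvss} {flag}")
    print("assess locally:", needs_local_enrichment(ranked))
```

The point of the ordering is visible in the output: the deferred, un-scored CVE on the internet-facing portal ranks first because it is in KEV, and the other deferred CVE is surfaced in a separate "assess locally" list instead of disappearing behind scored findings.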
Get off of the vulnerability hamster wheel
Policy experts said the changes to DHS’s CVE program come at a tricky time.
The number of CVEs is growing at an astonishing rate, while the resources available to analyze those CVEs are not, said Atlantic Council senior fellow Shane Miller.
“The number of reported CVEs is growing because of both the increasing rate of software development and increasing pressure to publicly report security vulnerabilities. The number of software developers worldwide grew by 45% in the last two years, from 26.8 million to 38.9 million. That’s 12 million more people creating and reporting software security vulnerabilities in just two years.”
—Shane Miller
That firehose of disclosed software vulnerabilities can act as a noisy distraction for security teams, with serious supply chain security gaps overlooked, experts stress. That's because chasing vulnerabilities is essentially a reactive exercise. A lot of time is spent patching software that might be better spent trying to address software supply chain threats before they manifest themselves.
Upgrade your AppSec strategy and tooling
A better approach to software supply chain security is to employ next-generation technologies such as complex binary analysis and reproducible builds to complement traditional AppSec testing tools such as static and dynamic application security testing (SAST and DAST), as well as software composition analysis (SCA).
The Enduring Security Framework, a public/private working group led by the National Security Agency (NSA) and CISA, has called for the use of binary analysis and reproducible builds to identify and manage risk. These more modern tools produce actionable threat information about the software and services deployed within IT environments. That includes the presence of active malware; evidence of software tampering; the absence of application hardening; and secrets exposure. This strategy makes security teams more proactive in their quest to mitigate risk.
In contrast, SAST and DAST typically apply only to a small subset of internally developed systems and applications at many organizations, said Saša Zdjelar, chief trust officer at ReversingLabs. He said the recommended use of binary analysis and reproducible builds marked a significant step forward in ensuring better software supply chain security.
"Our ability to analyze binaries is key to understanding risk in third-party software."
—Saša Zdjelar
New groups emerge to shore up CVEs
Finally, the uncertainty about the future of the CVE program may have a silver lining: the emergence of new governmental and nonprofit groups committed to maintaining the CVE system.
The same day MITRE’s letter was generating headlines, the CVE Foundation, a not-for-profit group, announced that it was waiting in the wings to take over administration of the CVE program.
The foundation, which describes itself as a “coalition of longtime, active CVE Board members” has been working over the past year to develop "a strategy to transition CVE to a dedicated, non-profit foundation” with the sole focus of “continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide.”
Even as the CVE Foundation was declaring its willingness to take over management of CVEs, two European Union-based alternatives to the traditional MITRE-led CVE system sprang into action.
ENISA, the EU cybersecurity authority, unveiled the EU Vulnerability Database (EUVD), which the agency had been testing in preparation for a formal unveiling, according to a report by Heise Online. At the same time, CIRCL (the Computer Incident Response Center) Luxembourg, the CERT for that small EU nation, unveiled the "Global CVE Allocation System" (GCVE.eu), a decentralized alternative to the NIST-MITRE CVE numbering system.
In contrast to MITRE’s traditional numbering approach, CIRCL’s GCVE adds an extension for independent “GCVE numbering authorities,” or GNAs, to issue unique identifiers without needing to coordinate with one another — something the traditional CVE numbering system with its sequential identifiers does not permit. The new system is designed to improve “flexibility, scalability, and autonomy for participating entities,” CIRCL said.
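Why a per-authority namespace lets numbering authorities work without coordinating, and how tooling can ingest both identifier kinds, is easier to see in code. The following is an added example, not code from CIRCL, MITRE or the article. It assumes the GCVE layout `GCVE-<GNA id>-<year>-<number>` with GNA 0 reserved for the existing CVE namespace, as documented on gcve.eu; treat that layout as an assumption, and the allocators, years and counts as constructed.

```python
"""Sequential vs. namespaced vulnerability identifiers.

Added example; not code from CIRCL or the article. The GCVE format
"GCVE-<GNA id>-<year>-<number>" with GNA 0 = the CVE namespace is an
assumption taken from gcve.eu documentation.
"""
import re

CVE_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<num>\d{4,})$")
GCVE_RE = re.compile(r"^GCVE-(?P<gna>\d+)-(?P<year>\d{4})-(?P<num>\d+)$")


def parse_id(ident: str) -> tuple:
    """Return (gna, year, number); a plain CVE id maps to GNA 0."""
    m = CVE_RE.match(ident)
    if m:
        return 0, int(m["year"]), int(m["num"])
    m = GCVE_RE.match(ident)
    if m:
        return int(m["gna"]), int(m["year"]), int(m["num"])
    raise ValueError(f"not a CVE or GCVE identifier: {ident}")


class SequentialAllocator:
    """One counter per year. Safe only if every issuer shares this instance."""

    def __init__(self):
        self._next = {}

    def allocate(self, year: int) -> str:
        n = self._next.get(year, 1)
        self._next[year] = n + 1
        return f"CVE-{year}-{n:04d}"


class GNA:
    """Independent numbering authority: its own counter, namespaced by GNA id."""

    def __init__(self, gna_id: int):
        self.gna_id = gna_id
        self._next = {}

    def allocate(self, year: int) -> str:
        n = self._next.get(year, 1)
        self._next[year] = n + 1
        return f"GCVE-{self.gna_id}-{year}-{n:04d}"


def simulate(year: int = 2025, per_authority: int = 3) -> tuple:
    """Two authorities issue ids without talking to each other.

    Returns (duplicate count with uncoordinated sequential counters,
             duplicate count with GNA-namespaced counters).
    """
    # Uncoordinated: two copies of the sequential scheme collide immediately.
    a, b = SequentialAllocator(), SequentialAllocator()
    naive = ([a.allocate(year) for _ in range(per_authority)]
             + [b.allocate(year) for _ in range(per_authority)])
    # Namespaced: GNA 1 and GNA 2 never produce the same string.
    g1, g2 = GNA(1), GNA(2)
    namespaced = ([g1.allocate(year) for _ in range(per_authority)]
                  + [g2.allocate(year) for _ in range(per_authority)])
    return len(naive) - len(set(naive)), len(namespaced) - len(set(namespaced))


if __name__ == "__main__":
    print("duplicates (sequential, namespaced):", simulate())
    print(parse_id("CVE-2024-1234"), parse_id("GCVE-1-2025-0001"))
```

A consumer that keys its records on the parsed `(gna, year, number)` triple can store MITRE-issued and GNA-issued identifiers side by side without the two ever colliding, which is the property the sequential scheme cannot offer once issuers stop coordinating.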
The rapid developments suggest big shifts lie ahead for security teams and cybersecurity vendors alike — and underscore the continuing relevance of a standardized vulnerability tracking system.
Kent Landfield, an officer of the CVE Foundation, said in a statement on the group’s website that, as a cornerstone of the global cybersecurity ecosystem, the CVE is "too important to be vulnerable itself.”
“Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work. …Without CVE, defenders are at a massive disadvantage against global cyberthreats.”
—Kent Landfield