Uncertainty Clouds Future of Software Vulnerability Tracking

May 27, 2025

What’s the Point of Finding Vulnerabilities If Nobody Checks for Them?

Imagine a world where fire alarms exist, but no one listens to them. That’s what cybersecurity looks like when vulnerabilities are discovered but never cataloged — or worse, never scanned for.

Now imagine that the institution responsible for maintaining the global vulnerability dictionary — the MITRE CVE Program — might lose funding.

Yeah. Welcome to 2025.

The MITRE CVE System: Why Does It Matter?

For decades, MITRE’s CVE (Common Vulnerabilities and Exposures) program has acted as the global index for known software vulnerabilities. From the infamous CVE-2021-30860 (aka FORCEDENTRY) to CVE-2020-0022 (aka BlueFrag), CVE identifiers are how we know what to fix, track, and scan for.

The CVE database powers:

  • SIEM alerting (Security information and event management)

  • Vulnerability scanners

  • SBOM tools (Software Bill of Materials)

  • Threat intelligence feeds

  • And basically every SOC (Security Operations Center) triage process

So when rumors began circulating in late 2024 that CISA (Cybersecurity and Infrastructure Security Agency) might pull or restructure MITRE’s funding, alarm bells went off.

As of early 2025, MITRE is still maintaining CVE, but the future is uncertain unless a new funding line is locked in.

If MITRE Drops Out, What’s Next?

We can’t afford a vulnerability vacuum. So who's lining up to fill the gap?

  • ENISA (European Union Agency for Network and Information Security)

    • Could introduce fragmentation if not synced with global identifiers

  • Google’s OSV (Open Source Vulnerabilities)

    • Focuses on OSS — no coverage for proprietary enterprise apps or embedded systems

  • Industry-Specific CNAs (back to the ’90s)

    • No central coordination = chaos for scanners, asset management, and patching

A non-profit organization like a CVE Foundation could be the best option.

The Real Problem Isn’t Just Losing MITRE

You can publish all the CVEs you want. You can set up a GitHub advisory, scream on X...

But if organizations don’t continuously scan their applications against these vulnerabilities, none of it matters.

🚨 Knowing about CVEs is not security. Acting on them is.

What Should We Be Doing?

  • Automate Continuous Scanning using SCA (Software Composition Analysis) tools

  • Use SBOMs to correlate installed software with known CVEs

  • Monitor Multiple Feeds - don’t rely on MITRE CVE alone
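The three points above (continuous scanning, SBOM correlation, and not depending on a single feed) fit together in one small pipeline. The script below is an added example written for this post, not code from the article or from any of the tools it mentions: it normalises vulnerability records from two differently shaped feeds (one CVE-list-like, one OSV-like), joins records that refer to the same vulnerability under different identifiers, and then checks each component of a CycloneDX-style SBOM against the merged list. All feed records, identifiers (the `CVE-0000-…` and `GHSA-0000-…` ids are placeholders), package URLs and SBOM components are constructed sample data, and the version comparison is a deliberately minimal stand-in for a real PEP 440 or semver parser.

```python
from dataclasses import dataclass, field
from typing import Optional


def parse_version(v: str) -> tuple:
    """Numeric MAJOR.MINOR.PATCH comparison; real tools use PEP 440 / semver parsers."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Advisory:
    primary_id: str                 # identifier we report under (a CVE id when one is known)
    purl_prefix: str                # package URL without version, e.g. "pkg:pypi/examplelib"
    introduced: str                 # first affected version (inclusive)
    fixed: Optional[str]            # first fixed version (exclusive); None = no fix published
    aliases: set = field(default_factory=set)
    sources: set = field(default_factory=set)


def is_affected(adv: Advisory, version: str) -> bool:
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


# Constructed feed records. The ids are placeholders, not real CVE/GHSA entries.
FEED_CVE = [  # CVE-list-like shape: one id per record, no aliases
    {"id": "CVE-0000-0001", "aliases": [], "purl": "pkg:pypi/examplelib",
     "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "CVE-0000-0002", "aliases": [], "purl": "pkg:npm/widgetkit",
     "introduced": "2.0.0", "fixed": None},
]
FEED_OSV = [  # OSV-like shape: its own id plus aliases pointing at other databases
    {"id": "GHSA-0000-0000-0001", "aliases": ["CVE-0000-0001"], "purl": "pkg:pypi/examplelib",
     "introduced": "1.0.0", "fixed": "1.4.1"},     # disagrees with the CVE feed on the fix version
    {"id": "GHSA-0000-0000-0003", "aliases": [], "purl": "pkg:pypi/parsertool",
     "introduced": "0.9.0", "fixed": "0.9.5"},
]


def merge_feeds(feeds: dict) -> list:
    """Normalise several feeds into one advisory list.

    Records that share any identifier are joined, so one vulnerability is reported
    once rather than once per feed. When feeds disagree on the affected range the
    wider range wins: a scanner should over-report, not silently miss a version.
    (Limitation: a record that links two advisories already seen separately is
    attached to the first one only.)
    """
    by_id: dict = {}
    for source, records in feeds.items():
        for rec in records:
            ids = {rec["id"], *rec["aliases"]}
            adv = next((by_id[i] for i in ids if i in by_id), None)
            if adv is None:
                adv = Advisory(rec["id"], rec["purl"], rec["introduced"], rec["fixed"])
            else:
                adv.introduced = min(adv.introduced, rec["introduced"], key=parse_version)
                if adv.fixed is None or rec["fixed"] is None:
                    adv.fixed = None
                else:
                    adv.fixed = max(adv.fixed, rec["fixed"], key=parse_version)
            adv.aliases |= ids
            adv.sources.add(source)
            cves = sorted(i for i in adv.aliases if i.startswith("CVE-"))
            if cves:
                adv.primary_id = cves[0]
            for i in ids:
                by_id[i] = adv
    # several ids map to the same Advisory object; keep each object once
    return list({id(a): a for a in by_id.values()}.values())


SBOM = {  # constructed, CycloneDX-like: only the fields the scan needs
    "components": [
        {"name": "examplelib", "version": "1.3.0", "purl": "pkg:pypi/examplelib@1.3.0"},
        {"name": "widgetkit", "version": "2.1.0", "purl": "pkg:npm/widgetkit@2.1.0"},
        {"name": "parsertool", "version": "0.9.5", "purl": "pkg:pypi/parsertool@0.9.5"},
    ]
}


def scan_sbom(sbom: dict, advisories: list) -> list:
    """Return one finding per (component, advisory) pair whose version is in range."""
    findings = []
    for comp in sbom["components"]:
        prefix = comp["purl"].split("@")[0]      # strip the version qualifier from the purl
        for adv in advisories:
            if adv.purl_prefix == prefix and is_affected(adv, comp["version"]):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv.primary_id,
                    "fixed": adv.fixed,
                    "sources": sorted(adv.sources),
                })
    return sorted(findings, key=lambda f: (f["component"], f["advisory"]))


if __name__ == "__main__":
    advisories = merge_feeds({"cve": FEED_CVE, "osv": FEED_OSV})
    for f in scan_sbom(SBOM, advisories):
        fix = f"upgrade to {f['fixed']}" if f["fixed"] else "no fix published yet"
        print(f"{f['component']} {f['version']}: {f['advisory']} "
              f"(seen in: {', '.join(f['sources'])}) -> {fix}")
```

Run as-is, the scan flags `examplelib 1.3.0` (reported under its CVE id even though one feed only knows the GHSA alias, and with the later of the two disagreeing fix versions) and `widgetkit 2.1.0` (no fix yet, so the finding stays open), while `parsertool 0.9.5` is clean because the fixed version is an exclusive bound. The `sources` field is what makes the multi-feed point actionable: a finding seen in only one feed tells you where your coverage would go dark if that feed stopped updating.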

"

"

"

Neopixl is a brand of the group, leader in open source.
Our other services in Luxembourg

  • Luxembourg

  • Bruxelles

  • Marseille

  • Wroclaw

Luxembourg.

115 A, Rue Emile Mark
L-4620 Differdange

Marseille.

Smile France

Pôle Media de la Belle de Mai
37/41 Guibal Street
13 003 Marseille
France

Bruxelles.

Smile Belgique

12 Avenue de Broqueville
B-1150 Woluwe-Saint-Pierre
Belgique

Wrocław.

Smile Pologne

Aleja Wisniowa 43 A

53-136 WROCŁAW

Poland

