The security situation on the Internet is likely to worsen in the near future. This is due to a decision by the US government to cut funding for a central pillar of global IT security: the CVE database. If you rely on security updates from Apple, Microsoft, or other manufacturers, this directly affects you. Without up-to-date information about known vulnerabilities, it will be more difficult to detect and defend against new threats in a timely manner.
CVE stands for "Common Vulnerabilities and Exposures." It is a publicly accessible database that documents known security vulnerabilities in operating systems, applications, and devices. Each discovered vulnerability is assigned a unique CVE identifier so that developers, security teams, and manufacturers speak the same language when it comes to patches and risks. The database helps problems to be identified, shared, and fixed more quickly. CVE has become a global standard: almost every Apple security update references one or more CVE numbers, and Google, Microsoft, and many Linux projects also work from these entries. The database prevents duplication of work, helps security researchers collaborate, and is the most important source of reliable information about known vulnerabilities.
Financing expires – without clear explanation
On Tuesday, the non-profit organization MITRE Corporation announced that funding for the operation of the CVE database would expire – as early as the following Wednesday. MITRE has been responsible for maintaining the database up to now. The funds came from the U.S. government, specifically from the Department of Homeland Security, acting through CISA (the Cybersecurity and Infrastructure Security Agency). The so-called CWE (Common Weakness Enumeration) program, which catalogs categories of software weaknesses, is also affected by the cuts. CISA confirmed to Reuters that the contract is indeed expiring.
Unclear reasons and open questions about financing
However, CISA also stated that efforts are being made to minimize the impact. Whether the agency will take over the CVE database itself or finance it in the future remains open. No one has said specifically why the contract was canceled. It is suspected, however, that cost-cutting as part of larger government measures may play a role. Some even suspect a connection to the so-called DOGE service, in which Elon Musk is involved and which is attempting to break new ground in public IT infrastructure through aggressive cost reductions.
Impact on software vendors and security teams
The consequences of the decision are immediately noticeable. Apple, for example, regularly uses the CVE database to check which security vulnerabilities have been discovered in iOS and macOS. Official update notes often include CVE IDs, allowing users and developers to track exactly which problems have been fixed. Without this common basis, precise information about current risks is missing, which makes both the remediation and the communication of security vulnerabilities more difficult. Security teams in companies and organizations around the world also rely on CVE: they base their vulnerability management on this database to test systems and respond quickly to new threats. Computer Emergency Response Teams (CERTs), i.e. national crisis response teams for IT security, lose their most important source of vulnerability information with the CVE database.
Reactions from the security industry
The news sparked widespread criticism in the security community. Jen Easterly, the former head of CISA, wrote on LinkedIn that the discontinuation of the CVE database could have serious consequences for national security and business risk. She compared the database to the Dewey Decimal System of cybersecurity: without it, professionals would be like librarians working in a chaotic library, not knowing where to look. Easterly also warned of an increased risk of ransomware attacks, data breaches, rising security costs, and a potential loss of trust among consumers and regulators. Brian Martin, a computer vulnerability historian, spoke of an immediate cascading effect: without CVE, global vulnerability management would be weakened, and companies would face significant disruptions to their security processes.
What you need to know as a user now
Even though the CVE database is a piece of technical infrastructure, the cuts ultimately affect everyone who uses software—including you. Updates could be delayed, vulnerabilities could remain undiscovered for longer, and the likelihood of becoming a victim of a cyberattack increases. While you cannot stop this development, you can adapt your behavior:
- Keep your software consistently up to date
- Use security software with active threat detection
- Follow news about new security issues, e.g., via specialist portals or security blogs
- If you develop or manage software yourself, pay particular attention to alternative vulnerability sources and increased testing intervals
CVE database: The cybersecurity world is looking for alternatives
The CVE database is a central tool for global cybersecurity. The sudden termination of its funding poses a significant risk to users, companies, and entire countries. As long as no clear successor is identified, many questions remain unanswered—especially how security updates can be delivered quickly and accurately in the future. The industry must now find new ways to fill this information vacuum in the short term. Until then, the key is to remain vigilant, take updates seriously, and rely on trustworthy security sources.