MITRE’s role as the DHS-appointed administrator of the CVE and CWE programs came to an official close on April 16, 2025, following the expiration of its federal contract. Although temporary emergency funding has since been reinstated, the long-term outlook for both programs remains unclear. This development has understandably sparked concern across the cybersecurity industry, particularly regarding the reliability and continuity of widely relied-upon vulnerability tracking and management frameworks.
Understanding the Situation
The expiration of MITRE’s oversight contract could disrupt several key processes. It may affect how vulnerabilities are discovered, documented, and communicated across the cybersecurity landscape. Both the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) programs play a crucial role in global security operations. They provide a consistent structure for identifying and addressing software flaws. These frameworks play a vital role in enabling organizations to assess and mitigate risks.
Vendor-Based Continuity Through a Multi-Source Approach
Vulnerability management platforms such as Mend.io are built with resiliency in mind. Their multi-source threat intelligence approach allows them to maintain uninterrupted protection, regardless of developments in the CVE program. Mend.io continues to offer reliable and comprehensive coverage through diversified data sources and internal security expertise.
- Diversified intelligence sources. Mend.io’s security analysts perform daily reviews of vulnerability disclosures from a wide range of global advisory sources. The platform filters and ranks the most pertinent security threats, delivering timely WS vulnerability notifications to its users.
- Malicious package detection. The platform continues to identify and flag malicious packages using its own internal threat detection mechanisms, ensuring consistent vigilance.
- Integrated risk intelligence. By incorporating threat intelligence from multiple channels, the Mend.io platform delivers accurate risk insights that are not solely dependent on CVE identifiers.
Supporting Broader Industry Stability
Mend.io has expressed formal support for the newly established CVE Foundation, an initiative aimed at maintaining continuity for this essential cybersecurity infrastructure. As a vendor, Mend.io advocates for collaborative, industry-wide efforts to preserve the integrity and reliability of vulnerability databases that underpin proactive risk mitigation strategies for organizations worldwide.
Moving Forward Without Interruption
Customers using Mend.io’s platform can be confident in the continuity of their protection. Even as the broader industry adapts to changes in vulnerability governance, the platform’s expanding coverage sources and enhanced detection systems ensure robust, uninterrupted security.







