MITRE CVE Program Uncertainty: Mend.io’s commitment to uninterrupted vulnerability protection

As many of you may know, MITRE’s DHS contract to manage the CVE and CWE programs expired on April 16, 2025. While emergency funding has since been restored for a short time, the long-term future of these programs remains uncertain. Understandably, this situation has raised concerns throughout the cybersecurity community about the stability and continuity of the vulnerability tracking and management systems that many organizations have come to rely upon.

Understanding the situation

The potential expiration of MITRE’s contract could impact how vulnerabilities are identified, tracked, and communicated across the industry. The Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) programs have become foundational elements of security operations worldwide, providing a standardized framework for naming and addressing vulnerabilities. These frameworks enable organizations to understand and mitigate risks.

Mend.io’s multi-source approach ensures continuity

We want to assure our customers that our vulnerability coverage is robust, comprehensive and unaffected even in the face of these potential changes. Our commitment to security remains unchanged.

  • Diversified intelligence sources: Our security team conducts daily reviews of vulnerabilities published across numerous advisory sources worldwide. We carefully analyze and prioritize these findings, selecting the most critical and relevant vulnerabilities to issue directly to our customers as WS vulnerabilities. 
  • Continuous malicious package detection: We will continue to identify and report on malicious packages through our established processes, maintaining the same level of security vigilance you rely on.
  • Risk intelligence integration: The Mend platform integrates threat intelligence from various sources to provide accurate risk assessments that aren’t dependent solely on CVE assignments.

Supporting industry stability

Mend.io has formally expressed interest in supporting the newly formed CVE Foundation, which aims to provide continuity for this critical infrastructure. Our organization believes in contributing to industry-wide solutions that maintain the stability of vulnerability tracking systems, which are essential for identifying, cataloging, and mitigating security risks that could impact users and organizations alike. 

Moving forward without interruption

Our customers can remain confident that our protection capabilities will continue without interruption, even as the industry adapts to these changes. We’re actively broadening our vulnerability coverage sources and enhancing our detection systems to ensure comprehensive protection regardless of changes to the CVE program in its current form.

We will keep our customers updated as the situation evolves. As always, our Support Team is available to address any specific concerns you may have.
