Frequently Asked Questions About the MITRE CVE Program Expiration and Renewal

With growing concerns about the future of the MITRE CVE Program continue to circulate, the Tenable Security Response Team has created an FAQ blog to help provide clarity and context around this developing situation. 

As of April 16, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has extended funding for the MITRE CVE Program for one year. Prior to this announcement, the CVE Foundation published a press release regarding an effort for transitioning the CVE program to a non-profit foundation established by active CVE Board members. The CVE Foundation aims to move the CVE Program away from a government-funded project to eliminate the risk of “a single point of failure in the vulnerability management ecosystem.”

With uncertainty around interruptions to the CVE Program, Tenable proactively reserved a sufficient number of CVEs for disclosing vulnerabilities in our products and those discovered in other products. Tenable is not dependent on either MITRE or NVD for sourcing the logic needed to determine if a product is vulnerable or not. We source our coverage from vendor advisories, which will enable us to continue providing coverage as long as vendors publish security advisories.

Tenable will continue to monitor these evolving efforts surrounding CVE and other programs and update the community as we learn more. For more information, please visit our blog.