The cybersecurity world faces a potential crisis as funding for the MITRE Common Vulnerabilities and Exposures (CVE) program has expired. This program is critical for identifying and tracking software vulnerabilities, and its disruption could have serious consequences for the fintech sector. This article will explore the implications of this funding lapse and what it means for financial institutions and fintech companies.
The importance of the CVE program
The CVE program, managed by the non-profit organization MITRE, provides a universal identifier system for software flaws. Each vulnerability is assigned a unique CVE ID, which is used by security researchers, vendors, and organizations worldwide to track and address cybersecurity threats.
Jen Easterly, former director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), emphasized the program’s importance, stating that losing it would create chaos and leave defenders vulnerable.
The funding crisis
MITRE has warned that the U.S. government funding for the CVE program expired on April 16, 2025. This has created uncertainty about the program’s future, as there is no immediate backup plan in place.
Yosry Barsoum, vice president and director at MITRE’s Center for Securing the Homeland, highlighted the potential impacts of a service disruption, including the deterioration of vulnerability databases and advisories, and the disruption of incident response operations.
Impact on the fintech sector
The financial sector, with its reliance on complex software and interconnected systems, is particularly vulnerable to cybersecurity threats. Any disruption to the CVE program could have severe consequences for fintech companies and financial institutions, including:
- Increased risk of cyberattacks: Without a centralized system for tracking vulnerabilities, it becomes more difficult to identify and patch software flaws, increasing the risk of exploitation by cybercriminals.
- Slower incident response: Delays in vulnerability identification can slow down incident response efforts, giving attackers more time to cause damage.
- Increased compliance costs: Financial institutions face strict regulatory requirements related to cybersecurity. A disruption to the CVE program could make it more challenging and costly to maintain compliance.
Industry response and the way forward
In response to the funding crisis, the cybersecurity community has stepped up to find solutions.
- CVE Foundation: A group of CVE Board members has launched the CVE Foundation, a non-profit organization, to ensure the program’s long-term sustainability and independence.
- VulnCheck’s support: Vulnerability intelligence firm VulnCheck has pledged to support the CVE program by offering its reporting service and continuing to assign CVEs.
CISA has also stepped in and extended funding to ensure that there are no continuity issues with the CVE program.
The potential disruption to the CVE program highlights the importance of collaboration and resilience in the cybersecurity community.
As the fintech sector faces increasing cyber threats, it is crucial to maintain a robust and reliable vulnerability management system. The establishment of the CVE Foundation and the support from companies like VulnCheck are positive steps towards ensuring the long-term health of the CVE program and the security of the financial industry.