This is an update regarding a development within the cybersecurity industry concerning the Common Vulnerabilities and Exposures (CVE) program, the database where new vulnerabilities are registered and classified, and which underpins security assessment and vulnerability management (VM) programs.

The U.S. government contract funding MITRE Corporation to operate and maintain the CVE program expired on Wednesday April 16 2025. This funding has traditionally been provided by the Department of Homeland Security (DHS), specifically through the Cybersecurity and Infrastructure Security Agency (CISA). Earlier today it was announced that, with the funding not being renewed, the CVE service was in doubt. Subsequently, news has been released that this deadline has been extended. The details of the extension, and how long it will last, are currently unclear.

So what does this mean for your security with Sapphire?

Reinforcing Resilience: This situation highlights the need for resilience in security data, and for the inherent security and confidence required to make informed security decisions. We have always designed our security monitoring and vulnerability management to be resilient, utilising multiple, diverse sources of threat intelligence, including direct vendor advisories and open-source feeds such as the National Vulnerability Database (NVD), the CISA Known Exploited Vulnerabilities (KEV) database and the Malware Information Sharing Platform (MISP). We are not reliant on any single source, and we encourage all our clients to follow similar steps regardless of what services you have or who provides them.

Next Steps:

Sapphire’s recommendation at this stage is to keep a watching brief on the CVE funding and ensure that you draw from a wide range of sources when making risk-based vulnerability decisions. The extension of the funding deal should see continuity of vulnerability registrations within the CVE database and therefore continued updating of VM tooling that you rely upon.

Your security remains our highest priority. We have built resilience into our operations for situations like this and we will continue to provide you with the services you have come to expect from us.

If you have any questions or concerns, or simply want some advice, please contact your account manager or our support team on 0845 58 27001.
