The Common Vulnerabilities and Exposures (CVE) program — one of the most relied-upon pillars in cybersecurity — faced uncertainty yesterday as MITRE, the nonprofit research organization that has maintained the CVE database for over two decades, announced that its contract with the Department of Homeland Security (DHS) was set to expire on April 16, 2025.
Although funding has been extended to the NVD via CISA, its long-term direction and operational consistency remain to be seen.
The Backbone of Vulnerability Intelligence
The CVE system assigns unique identifiers to publicly known cybersecurity vulnerabilities. These IDs allow security teams to coordinate patches, prioritize threats, and align their defenses across tooling and organizations. CVEs serve as the connective tissue for vulnerability management platforms, cyber threat intelligence tools, and security operations centers globally.
Without timely and accurate CVE records, IT operations and cybersecurity professionals may struggle to:
Track and categorize new vulnerabilities
Score risk and prioritize patching effectively
Maintain compliance with vulnerability disclosure standards
Automox’s Response: Migration to VulnCheck
Automox issued the following statement from CISO/SVP of Product Jason Kikta:
“Automox’s CVE data has always been populated by a mix of VulnCheck and NVD. Regardless of CISA’s announcement this morning that it will execute the contract option to continue funding MITRE, Automox is accelerating migration to VulnCheck as its primary source of CVE data. This ensures continuity of vulnerability intelligence and minimizes risk to patching and remediation workflows.”
VulnCheck, an active CNA and provider of real-time vulnerability intelligence, has publicly committed to maintaining CVE issuance and has already reserved 1,000 CVEs for 2025. Their full statement can be found here. Additionally, as a CNA, Automox has reserved 10 CVEs for our product in case the industry faces further disruption.
What IT and Security Teams Should Do
Assess CVE data dependencies. Evaluate whether existing security tools rely solely on MITRE or NVD data. Understand which vendors have built-in redundancy or alternate data sources.
Monitor trusted sources. Keep tabs on statements from CISA, MITRE, and reliable private entities like VulnCheck for updates on CVE continuity.
Plan for redundancy. As this event illustrates, centralization has risks. Consider integrating threat intelligence and vulnerability data from multiple providers to improve resilience.
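One way to build that redundancy into tooling, as an added example that is not Automox's or VulnCheck's code: a lookup that tries feeds in order, normalizes both the NVD API 2.0 response format and the CVE Record Format 5.1 (the two real public formats) into one record shape, and skips feeds that are down or only hold a RESERVED placeholder. The CVE IDs, sample records and the simulated outage below are constructed for the example.

```python
"""Multi-source CVE lookup with failover (added example, not Automox code)."""

# Constructed sample records. IDs are placeholders, not real CVEs.
NVD_SAMPLE = {"format": "NVD_CVE", "version": "2.0", "vulnerabilities": [{"cve": {
    "id": "CVE-2025-99999", "vulnStatus": "Analyzed",
    "descriptions": [{"lang": "en", "value": "Constructed: auth bypass in example service"}],
    "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}}]}
CVE5_SAMPLE = {"dataType": "CVE_RECORD", "dataVersion": "5.1",
    "cveMetadata": {"cveId": "CVE-2025-99999", "state": "PUBLISHED"},
    "containers": {"cna": {
        "descriptions": [{"lang": "en", "value": "Constructed: auth bypass in example service"}],
        "metrics": [{"cvssV3_1": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}}
# A reserved ID (like the blocks VulnCheck and Automox set aside) has no CNA content yet.
CVE5_RESERVED = {"dataType": "CVE_RECORD", "dataVersion": "5.1",
    "cveMetadata": {"cveId": "CVE-2025-99998", "state": "RESERVED"}, "containers": {}}

def parse_nvd(doc):
    """Normalize the first entry of an NVD 2.0 response; None if the feed returned nothing.
    Entries still 'Awaiting Analysis' have no metrics, so score/severity may be None."""
    for item in doc.get("vulnerabilities", []):
        cve = item["cve"]
        cvss = (cve.get("metrics", {}).get("cvssMetricV31") or [{}])[0].get("cvssData", {})
        desc = next((d["value"] for d in cve["descriptions"] if d["lang"] == "en"), "")
        return {"id": cve["id"], "score": cvss.get("baseScore"),
                "severity": cvss.get("baseSeverity"), "description": desc}
    return None

def parse_cve5(doc):
    """Normalize a CVE 5.x record; RESERVED/REJECTED records carry no usable data."""
    meta = doc["cveMetadata"]
    if meta["state"] != "PUBLISHED":
        return None
    cna = doc["containers"]["cna"]
    cvss = next((m["cvssV3_1"] for m in cna.get("metrics", []) if "cvssV3_1" in m), {})
    desc = next((d["value"] for d in cna["descriptions"] if d["lang"] == "en"), "")
    return {"id": meta["cveId"], "score": cvss.get("baseScore"),
            "severity": cvss.get("baseSeverity"), "description": desc}

def lookup(cve_id, sources):
    """Try each (name, fetch, parse) in order; fall through on outage, bad data or no record."""
    for name, fetch, parse in sources:
        try:
            rec = parse(fetch(cve_id))
        except Exception:  # unreachable feed, malformed document, missing keys
            continue
        if rec and rec["id"] == cve_id:
            return dict(rec, source=name)
    return None

def nvd_down(cve_id):  # hypothetical fetcher simulating the primary feed being unavailable
    raise ConnectionError("NVD unreachable")

SOURCES = [("nvd", nvd_down, parse_nvd), ("vulncheck", lambda _id: CVE5_SAMPLE, parse_cve5)]
```

In production each fetch callable would wrap a real HTTP client for its feed; the normalized record is what downstream patch prioritization should consume so that swapping the source does not change the workflow.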
An Industry Wake-up Call
The potential disruption of the CVE program is a wake-up call. Vulnerability intelligence is foundational to proactive defense, and organizations that rely solely on government-maintained infrastructure may be at risk.
Forward-thinking vendors are already migrating to modern, flexible intelligence providers. However, the NVD remains a critical dependency for global cybersecurity. The goal remains the same: to ensure vulnerabilities are identified, prioritized, and remediated without delay.
For those who depend on timely and accurate vulnerability data, now is the time to reevaluate sources and fortify workflows.
Frequently asked questions
In April 2025, MITRE's contract to operate the CVE program faced a funding disruption when the Department of Homeland Security contract expired. CISA extended funding at the last minute, but the incident exposed the fragility of the vulnerability identification system that the entire cybersecurity industry depends on.
The CVE Foundation is a newly formed organization created to ensure the long-term sustainability of the CVE program independent of any single government contract. It aims to provide stable governance and funding for the CVE system so that a funding disruption cannot threaten the program again.
VulnCheck is a vulnerability intelligence provider that maintains its own CVE data feeds. Automox accelerated its migration to VulnCheck as a primary CVE data source to reduce dependency on any single point of failure in the vulnerability data supply chain.
If the CVE system were disrupted, organizations relying solely on CVE-based scanning and patching would lose visibility into new vulnerabilities. The recommended response is to diversify your vulnerability intelligence sources and ensure your tools can operate with data from multiple providers.
Audit your tool chain to understand which products depend on CVE data and from which sources. Ensure your vulnerability management vendor has contingency plans for data source disruptions. Consider tools like Automox that are actively diversifying their vulnerability intelligence feeds.