
$90M Saved. Bureaucracy Cut. CVE Still Alive.

MITRE lost its grip, the government saved $90 million, and CVE didn’t die, it evolved. The so-called “planned transition” was a last-minute scramble that proves bureaucracy was the bottleneck all along.


Yesterday, the U.S. government officially cut ties with MITRE’s CVE program, a move that mainstream media immediately labeled reckless. MITRE warned of global cybersecurity chaos. Experts wrung their hands. And the newly formed "CVE Foundation" released a carefully worded press statement trying to calm the storm, claiming this transition was “a year in the making.”

But that’s a lie.

A year of planning? Then why did they only register their domain on April 15, 2025, at 23:41 UTC, less than one day before the funding expired?

who.is results

Not only that, but the site itself, thecvefoundation.org, didn’t go live until April 16 at 08:09 UTC, hours after the funding had already lapsed. The domain was dark right up until go time. There’s no archival trace of earlier versions, no evidence of prep. Nothing.

If this was a transition, it was the kind where someone sets the house on fire and bolts out the back door with a blueprint scribbled on a napkin.

Zac Koch (@zackoch) called it out in real time. He pointed to the WHOIS data, the absence of any prior posts, and the last-minute launch, saying what a lot of us were thinking: This wasn’t proactive. This was reactive. His public thread skewered the "we've been working on this for a year" narrative with surgical precision.

And he’s not wrong. The CVE Foundation’s own materials claim long-term planning. But nothing about this was long-term. If anything, it shows how deeply dependent MITRE was on government funding, and how unprepared they were for the moment it got pulled.

Which brings us to the real story: cutting funding was the right move.

Bureaucracy Was the Problem

MITRE held onto CVE for over 20 years, running it under federal contract and raking in taxpayer dollars for something the cybersecurity industry now admits could and should be community-driven.

This entire situation unfolded because the Trump-era Department of Government Efficiency (DOGE), influenced by cost-cutters like Elon Musk, pushed back on entrenched federal bloat. In doing so, they saved an estimated $90 million.

Sources like SecurityWeek and CSO Online confirm that MITRE lost multiple contracts totaling over $28 million in early April, resulting in 442 layoffs. CVE was simply one casualty among many, but it was the one that got the most press.

And yet… once the money stopped flowing, MITRE miraculously found the motivation to act. Not before.

They were never going to build a new system on their own. They were content to coast on taxpayer funding, issuing CVEs as a contractor for a bloated federal agency (CISA). Only when the faucet was turned off did innovation kick in.

This proves the point: government dependency stifles evolution. Cut the cord, and suddenly things happen. Fast.

So, What Now?

The CVE Foundation says it will ensure the future of vulnerability tracking. That’s a good thing. But let’s be honest about how we got here:

  • There was no plan. The evidence is overwhelming.
  • They were caught off guard, despite pretending otherwise.
  • The private sector picked up the slack, with VulnCheck reserving CVE blocks and the community filling gaps MITRE should’ve closed long ago.
  • Taxpayers won with less waste and more accountability.

The federal cybersecurity apparatus was never built for speed. It was built to entrench itself. This moment, awkward and embarrassing as it is for the old guard, represents something rare: forced innovation.
