Snyk’s Statement on the MITRE CVEs Program Funding Update

Over the past several days, the cybersecurity community has watched closely as uncertainty swirled around the future of the MITRE-run CVE (Common Vulnerabilities and Exposures) program following a letter to its board of directors that its federal funding could abruptly end. As of this blog posting, news outlets like Reuters are reporting that a last-minute extension has been granted, providing temporary relief. All that to say, we cannot ignore how important the CVE system has become to modern cybersecurity. This situation has underscored a critical need for resilience and redundancy across the vulnerability disclosure ecosystem.

At Snyk, we’ve spent a great deal of time anticipating scenarios like this. Since our beginnings, Snyk has maintained and curated our own triaged vulnerability database – built not only to reduce false positives but also to capture emerging threats that may never receive an official CVE designation. Over the past two years, we’ve observed a slowdown in CVE issuance from MITRE, which has only reinforced the importance of having internal capabilities to identify, validate, and track vulnerabilities independently.

We want to reassure our customers and partners that there is no immediate impact to Snyk’s services or vulnerability data as a result of this situation. As a CVE Numbering Authority (CNA), we also have the ability to assign CVEs ourselves, and we remain fully committed to supporting a transparent and open vulnerability disclosure process.

If federal funding for the MITRE CVE program were to be discontinued in the future, we stand ready to collaborate with industry peers, nonprofits, and government stakeholders to ensure continued support for the global cybersecurity community. Snyk has already offered to participate in any collective efforts to maintain or transition critical vulnerability infrastructure, should that become necessary.

Ultimately, this moment serves as a reminder of why resilience, proactive monitoring, and investment in open security data are so essential. We remain dedicated to delivering the most comprehensive and actionable vulnerability intelligence to developers and security teams everywhere – no matter how the broader security landscape evolves.