Safeguarding Vulnerability Management Despite MITRE Funding Risks
Last updated on: April 16, 2025
Recently, there have been several developments from vulnerability databases that have led to some concerns around their continued effectiveness in categorizing and enriching the data about vulnerabilities.
The MITRE CVE program has been an essential part of cybersecurity for over 25 years. It provides a consistent and standardized way to identify and track vulnerabilities and exposures in software and systems. It serves as a central hub, providing a key database that countless organizations depend on for critical vulnerability information. However, with the possibility of its funding running out, there are growing concerns about the program’s future and its ability to continue supporting the cybersecurity community.
In addition, the National Institute of Standards and Technology (NIST) announced it would categorize vulnerabilities with a publish date prior to January 1, 2018, as “Deferred.” Under that status, NIST will not add enrichment data to those entries. However, the fact that a vulnerability is older does not necessarily mean it is low risk. For organizations that rely on NIST’s CVSS scores and NIST’s enrichment data to prioritize their remediation, this is a major concern.
Even with the NIST status change, and should MITRE face funding challenges, Qualys, backed by 120+ white‑hat researchers and more than 25 threat‑intelligence feeds, builds detections directly from vendor advisories rather than relying solely on MITRE. As a result, customers experience zero delay or degradation in signature quality.
Committed to Helping the Cybersecurity Community
These public databases offer the cybersecurity community a common language for risk and an unprecedented level of cohesiveness and clarity. As such, they have been invaluable in helping everyone maintain higher levels of security. We believe in the power of these entities and their great work. That is why Qualys is committed to supporting MITRE and the wider security community, and we are actively collaborating with industry partners to identify and pursue sustainable funding options that will help maintain MITRE’s vital work.
How Does Qualys’ Vulnerability Coverage and Risk-Based Prioritization Keep You Covered?
As noted above, even with the recent developments, Qualys customers will not experience any impact. Here’s why:
Multiple independent data sources: We already base detections on vendor and CNA advisories, CERT bulletins, open-source security feeds, and our own research, not on CVE.org.
Fallback identifiers: Where a third-party CNA can’t publish a CVE, we ingest their advisory anyway and map it to a QID, then auto-reconcile the moment an official CVE appears.
Continuous QID flow: New detections are added using an official CVE or a temporary placeholder. Once CVE.org or its alternative is back online, all IDs and metadata are automatically normalized, and no action from Qualys customers is required.
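The fallback-identifier and reconciliation flow described in the two items above, written out as an added example (constructed here, not Qualys' own code): each detection is keyed on an internal, feed-independent id, an advisory without a CVE gets a placeholder, and the record is normalized when the official CVE id appears. The starting QID value, the `PLACEHOLDER-` format and the catalog layout are assumptions of this example; the CVE id syntax check is the standard `CVE-YYYY-NNNN` form.

```python
import re
from dataclasses import dataclass, field

# Constructed example (not Qualys' own code): detections keyed on an internal
# id so a vendor advisory can be ingested before any CVE id exists.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")   # official CVE id syntax

@dataclass
class Detection:
    qid: int                      # internal, feed-independent identifier
    source: str                   # advisory the detection was built from
    ids: set = field(default_factory=set)  # official CVE ids and placeholders

class Catalog:
    def __init__(self):
        self.by_qid = {}
        self.by_id = {}           # CVE id or placeholder -> qid
        self._next_qid = 1000     # assumed starting value, not a real QID range
        self._next_ph = 1

    def ingest_advisory(self, source, cve=None):
        """Create (or reuse) a detection; mint a placeholder if no CVE yet."""
        if cve is not None and not CVE_RE.match(cve):
            raise ValueError(f"malformed CVE id: {cve}")
        if cve is None:
            cve = f"PLACEHOLDER-{self._next_ph:04d}"
            self._next_ph += 1
        if cve in self.by_id:                     # already covered
            return self.by_id[cve]
        qid, self._next_qid = self._next_qid, self._next_qid + 1
        self.by_qid[qid] = Detection(qid, source, {cve})
        self.by_id[cve] = qid
        return qid

    def reconcile(self, placeholder, cve):
        """Official CVE id appeared: attach it, keep the QID and the alias."""
        if not CVE_RE.match(cve):
            raise ValueError(f"malformed CVE id: {cve}")
        qid = self.by_id[placeholder]
        other = self.by_id.get(cve)
        if other is not None and other != qid:
            raise ValueError(f"{cve} already mapped to QID {other}")
        self.by_qid[qid].ids.add(cve)
        self.by_id[cve] = qid                     # placeholder stays resolvable
        return qid

    def pending(self):
        """Placeholders whose detection still has no official CVE id."""
        return sorted(i for i, q in self.by_id.items() if i.startswith("PLACEHOLDER-")
                      and not any(CVE_RE.match(x) for x in self.by_qid[q].ids))
```

Customers and integrations that stored the placeholder keep resolving to the same QID after reconciliation, which is what makes the later normalization a no-op for them.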
To illustrate, consider the recent vulnerability CVE-2025-3619, a critical heap buffer overflow in Google Chrome’s Codecs, identified on April 15, 2025. Despite not yet being listed on CVE.org or NVD, Qualys has already provided detection through QID 383098, enabling our customers to promptly assess and mitigate the risk. This demonstrates our commitment to maintaining comprehensive vulnerability coverage through diverse data sources and proactive research.
The Qualys Threat Research Unit (TRU) will continue to push clear patch recommendations based on vendor advisories and prioritization guidance using various threat intelligence feeds, ensuring customers always know which fixes to deploy—regardless of any CVE feed delays.
In addition, Qualys demonstrates its commitment to having customers’ backs through the launch of the Qualys Cloud Threat Database over two years ago. This database presents a powerful tool that unifies over 25 threat intelligence feeds into a single, accessible source for all Qualys products. By leveraging machine learning and the expertise of the Qualys Threat Research Unit, this database provides rich, contextual insights into vulnerabilities, malware, and threat actors, empowering customers to prioritize and remediate risks effectively. With real-time threat intelligence and risk-based vulnerability management, Qualys ensures organizations have the clarity and tools to stay secure in an ever-evolving threat landscape.
Qualys leads in cybersecurity by providing end-to-end security solutions that ensure long-term resilience for organizations. Our Threat Research Unit and advanced capabilities help secure diverse IT environments—from AI systems to cloud applications—while mitigating critical threats like zero days. With decades of expertise, we deliver tailored, innovative strategies that keep organizations ahead of evolving risks.
If a CVE Service Gap Occurs
A CVE Services outage would halt the issuance of new CVE IDs, leaving freshly disclosed vulnerabilities absent from CVE.org, the NVD, CISA KEV, and other mirrors. This could create temporary coverage gaps for security products that depend solely on those feeds.
Even in the unlikely event of a CVE publishing gap, your Qualys detections will keep pace with the latest threats—no blind spots, no extra work.
If you want game-changing risk scoring in uncertain times, reach out to find out more about Qualys and how our solutions offer unprecedented insight.
For our customers who may still have questions, please submit your inquiry through our support portal.