
Your Phone's Security Could Be at Risk After Key Security System Loses US Funding

Apr 16, 2025 03:12 PM

A crucial part of the system that keeps your iPhone, iPad, Android device, and computer secure just lost US government funding — and the ripple effects could soon reach your gadget's next update.

A quiet but major shake-up in cybersecurity

The US government has abruptly cut off funding to the Common Vulnerabilities and Exposures (CVE) program, the global system standardizing how software and hardware vulnerabilities are cataloged and tracked.

If you've ever looked at Apple's or Google's lists of security updates, you know that many of the flaws they patch are fixed thanks to CVE tracking and reporting. For example, Apple's iOS 18.4 and iPadOS 18.4 security release included at least 60 component patches tied to 65 CVE-tracked vulnerabilities — plus more than 30 other fixes not assigned a CVE.

Without this backbone of cybersecurity coordination, updates could slow down, become less transparent, or sometimes miss key vulnerabilities altogether.

But there's already a plan to prevent disaster: A new nonprofit called the CVE Foundation has been formed to keep the system alive and make it more globally sustainable.

What the CVE program actually does

If you've ever checked the security notes for an iOS or Android update, you've probably seen a list of bug IDs like CVE-2025-0074. These aren't just labels — they're part of a globally standardized system for cataloging vulnerabilities.

Each CVE ID:

  • Refers to a specific, documented security issue

  • Helps coordinate patches across companies and researchers

  • Allows security tools and advisories to reference the same issue clearly

As mentioned, Apple's security update pages are filled with CVEs for every OS release. Google follows the same practice in its monthly Android security bulletins — and the April 2025 patch includes 62 vulnerabilities tracked by CVE ID, covering everything from the Android Framework and System components to third-party chipsets. Some of these flaws, like a critical System bug, could allow remote privilege escalation without user interaction. These CVEs are how Google coordinates fixes across manufacturers, communicates severity, and ensures Android partners are on the same page. Without them, Android updates could slow down, become harder to verify, and lose the transparency users and developers rely on.

What just happened to the program?

Until now, the CVE program has been entirely funded by the US government — specifically the Department of Homeland Security — and operated by MITRE Corporation under federal contract.

However, on April 15, 2025, MITRE notified the CVE Board that the US government would no longer fund the program starting on April 16 when the contract expired. The cutoff took effect immediately.

This decision also affects the related CWE program (Common Weakness Enumeration), which helps companies understand what types of coding mistakes lead to vulnerabilities — basically, how to prevent the next CVE before it happens.

Experts are calling the decision reckless. Without CVE, it becomes much harder for:

  • Apple, Google, and other companies to coordinate patches

  • Device manufacturers to track what's been fixed

  • Security researchers to verify or disclose vulnerabilities

MITRE warned that a break in service could disrupt tools, advisories, incident response systems, and national vulnerability databases.

What it means for iPhone and Android security

The CVE system touches nearly every piece of your phone's security pipeline.

On iPhone, iPad, and Mac:

  • Every Apple OS update includes CVE IDs in its patch notes.

  • Apple's vulnerability disclosures are directly tied to CVE references.

  • If the system breaks down, Apple may need to build its own internal ID system — potentially fragmenting the industry and reducing transparency for customers and researchers.

On Android phones, tablets, and other devices:

  • Google's security bulletins use CVEs to describe the bugs fixed each month.

  • Android partners like Samsung rely on that data to ship timely patches.

  • Without CVE coordination, delays could increase, and fragmented disclosures may make it harder to know what's fixed or still at risk.

The change could slow updates and lead to a future where every phone maker has to reinvent the wheel to track vulnerabilities — a recipe for mistakes and missed patches.

The CVE Foundation is stepping in

Fortunately, this scenario didn't come out of nowhere. CVE Board members had seen the writing on the wall and quietly built a safety net: the CVE Foundation, a newly launched nonprofit that will take over the program and ensure its survival.

The Foundation's goals:

  • Keep the CVE program alive and neutral

  • Maintain and improve the vulnerability database

  • Transition from US government control to global community governance

The Foundation believes that moving to a nongovernment model removes a critical point of failure and reflects the global nature of today's security threats.

[The long-standing concern about CVE's reliance on a single sponsor] has become urgent following an April 15, 2025 letter from MITRE notifying the CVE Board that the US government does not intend to renew its contract for managing the program. While we had hoped this day would not come, we have been preparing for this possibility.

In response, a coalition of longtime, active CVE Board members have spent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation. The new CVE Foundation will focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide.

'CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,' said Kent Landfield, an officer of the Foundation. 'Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work — from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats.' — CVE Foundation

Who's likely to support the new model?

The CVE Foundation hasn't announced sponsors yet. Still, major stakeholders like Apple, Google, Microsoft, Amazon, and Samsung are expected to back it — if only to preserve the security tools they all depend on.

These tech companies:

  • Rely on CVEs in their own patching infrastructure

  • Use CVEs across documentation, threat response, and product security teams

  • Have a vested interest in keeping the system reliable and transparent

Global governments, cybersecurity vendors, and nongovernmental organizations are also likely to contribute, as the program's importance goes far beyond US borders.

How this could affect your next software update

Your iPhone or Android device is still secure — for now. The CVE system continues to operate, and the newly launched Foundation looks well-prepared to take over.

But the clock is ticking. If funding gaps delay CVE operations, updates could get slower, disclosures could become messier, and long-term fixes might be harder to trust.

What happens next depends on whether the tech industry supports the CVE Foundation — and whether it can build a more resilient, globally governed cybersecurity system that no single government can pull the plug on again.
