
Building a Strong Software Supply Chain After CVE Changes

Why software teams need diversified vulnerability intelligence in a post-CVE world



Introduction

On 16 April 2025, funding for MITRE's Common Vulnerabilities and Exposures (CVE) program officially expired (BleepingComputer, 2025). While headlines focused on the immediate budgetary fallout, the deeper concern for software security professionals is the operational vacuum this creates. For over two decades, CVE has served as the backbone of vulnerability identification, feeding into everything from SIEMs and SBOM tools to patch automation and GRC platforms.


But what happens when that backbone begins to fracture—and when other pillars of national cyber defence are also being dismantled?


A Perfect Storm: CVE and the Systemic Erosion of Cybersecurity

The CVE program’s funding crisis is not an isolated event. It follows a series of U.S. government actions that, together, are weakening the nation’s and the world’s cybersecurity posture:

  • Disbandment of the Cyber Safety Review Board (CSRB) in January 2025, eliminating a key forum for incident postmortems and lessons learned (Cyber Defense Magazine, 2025).

  • Suspension of offensive cyber operations against Russian threat actors in March 2025, reducing deterrence against adversarial campaigns (Reuters, 2025; Vocal Media, 2025).

  • Now, the expiration of MITRE’s CVE program funding, threatening the global language of vulnerability management.

As former CISA Director Jen Easterly warned:

“We are flying blind in a threat-rich environment” (Vocal Media, 2025).

The result is a perfect storm for software supply chain risk.


CVE: The De Facto Language of Vulnerabilities

Since its inception in 1999, the CVE system has catalogued over 250,000 vulnerabilities, offering a structured and universally accepted way to name, reference, and share vulnerability information (MITRE, 2023). Over 90% of enterprise security tools depend on CVE identifiers to correlate findings and trigger remediation workflows.


This common language has enabled coherent vulnerability management across sectors. As Casey Ellis, founder of Bugcrowd, put it:


“Vulnerability management becomes a Tower of Babel—every vendor reinvents their own wheel without CVEs” (Ellis, 2025).

What’s at Stake Now?

With CVE support lapsing:

  • Toolchains built on CVE-IDs face fragmentation.

  • SBOM workflows relying on CVE tagging struggle with incomplete data.

  • Compliance efforts tied to Executive Order 14028 risk delays, especially in regulated sectors like healthcare and federal contracting (White House, 2021).

The National Vulnerability Database (NVD), which depends on CVE data, is already facing a backlog of over 10,000 entries (BleepingComputer, 2025). MITRE’s work on software transparency—particularly in aligning SBOM standards like CycloneDX and SPDX with known vulnerabilities—has stalled. The result: slower detection, inconsistent naming, and growing technical debt across security pipelines.


The Case for Multi-Source SBOM and Vulnerability Management

The cybersecurity community is not without guidance. The U.S. National Security Agency (NSA) has explicitly recommended that organisations “integrate various sources of threat intelligence in addition to the various software vulnerability/weakness databases” to enhance SBOM management and supply chain resilience (NSA, 2024, p.10). Rob Joyce, NSA Cybersecurity Director, stated:

“As Software Bills of Materials become more integral to Cybersecurity Supply Chain Risk Management standards, best practices will become critical to ensuring efficiency and reliability of the software supply chain” (NSA, 2024).

The NSA’s recommendations are clear:

  • Use multiple sources for vulnerability and threat intelligence.

  • Ensure SBOM tools can import, correlate, and analyse data from diverse feeds.

  • Support automated workflows for vulnerability tracking, triage, and response, not just static reporting (NSA, 2024; Scribe Security, 2024).

This approach is echoed by industry experts and platforms, who note that multi-source SBOMs provide broader coverage and faster detection of emerging threats, reducing the risk of missing critical exposures due to gaps in any single database (Cybellum, 2024).


How Zerberus ZSBOM™ Anticipated the Fracture

As the industry adapts, forward-looking tools like Zerberus ZSBOM™ are bridging the gap.

At Zerberus.ai, we anticipated the risks of over-reliance on a single vulnerability intelligence source. That’s why our ZSBOM™ module, part of the Trace-AI product line, was built for multi-source enrichment. Instead of relying solely on CVE/NVD pipelines, ZSBOM integrates and correlates vulnerabilities across:

  • Google OSV

  • GitHub Security Advisories

  • Snyk & Sonatype DBs

  • MITRE CVE/NVD (when available)

  • In-house curated threat intel

This diversified approach ensures continuous visibility, even as public databases evolve or face disruptions. For example, when NVD lags, ZSBOM automatically pulls from GitHub advisories or Google OSV, normalising data across formats (CycloneDX, SPDX, VEX) and maintaining compatibility with legacy CVE-tagged datasets. This means your tooling doesn’t break if the world shifts.
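As an added illustration of the correlate-not-collect idea described above (example code written for this page, not ZSBOM's or Zerberus's own), the sketch below merges records from constructed OSV-style and GHSA-style feeds by their shared aliases, matches them against an SBOM's component purls, and reports what a pipeline reading only one source would have missed. It assumes the feeds agree on alias sets, and every identifier in it is a placeholder.

```python
"""Correlate several vulnerability feeds against one SBOM (added example, not
ZSBOM code). Feed records mimic the shape of OSV/GHSA entries: id, aliases, purl."""
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# Constructed sample data; every identifier below is a placeholder.
# "nvd" is left empty to stand in for a lagging or unavailable source.
FEEDS = {
    "osv": [
        {"id": "GHSA-xxxx-yyyy-zzzz", "aliases": ["CVE-0000-00001"],
         "package": "pkg:pypi/examplelib@1.2.0", "severity": "HIGH"},
        {"id": "PYSEC-0000-0001", "aliases": ["CVE-0000-00002"],
         "package": "pkg:pypi/otherlib@0.9.1", "severity": "MEDIUM"},
    ],
    "ghsa": [
        {"id": "GHSA-xxxx-yyyy-zzzz", "aliases": ["CVE-0000-00001"],
         "package": "pkg:pypi/examplelib@1.2.0", "severity": "HIGH"},
        {"id": "GHSA-aaaa-bbbb-cccc", "aliases": [],  # no CVE assigned yet
         "package": "pkg:pypi/examplelib@1.2.0", "severity": "CRITICAL"},
    ],
    "nvd": [],
}
# Component purls as a parsed CycloneDX or SPDX SBOM would list them.
SBOM_COMPONENTS = ["pkg:pypi/examplelib@1.2.0", "pkg:pypi/unrelated@3.0.0"]

def correlate(feeds, components):
    """Cluster records sharing any id/alias; key by CVE alias if any, else lowest id."""
    wanted, findings, name_to_canon = set(components), {}, {}
    for source, records in feeds.items():
        for rec in records:
            if rec["package"] not in wanted:
                continue                    # not in our SBOM, ignore
            names = {rec["id"], *rec["aliases"]}
            hits = {name_to_canon[n] for n in names if n in name_to_canon}
            if hits:                        # already seen via another feed
                canon = hits.pop()
            else:
                cves = sorted(n for n in names if n.startswith("CVE-"))
                canon = cves[0] if cves else min(names)
                findings[canon] = {"ids": set(), "sources": set(),
                                   "severity": "LOW", "package": rec["package"]}
            f = findings[canon]
            f["ids"] |= names
            f["sources"].add(source)
            if SEVERITY_RANK[rec["severity"]] > SEVERITY_RANK[f["severity"]]:
                f["severity"] = rec["severity"]   # keep the worst rating seen
            name_to_canon.update({n: canon for n in names})
    return findings

def missing_from(findings, source):
    """Findings a pipeline that reads only `source` would never have seen."""
    return sorted(c for c, f in findings.items() if source not in f["sources"])
```

With the constructed feeds, the NVD-only view reports nothing, and the OSV-only view misses the CRITICAL advisory that has no CVE alias yet.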

In short, ZSBOM™ helps you keep shipping safely—without waiting for the patchwork to settle.


Build your own SBOM in 2 minutes.


We’ve open-sourced the ZSBOM core package so you can get started—no subscription required. Whether or not you use our Threat Intelligence feed or Managed Vulnerability service, you can build your own SBOM here: https://github.com/ZerberusAI/ZSBOM


A Resilient Path Forward

While industry and government stakeholders work toward long-term alternatives or successors to CVE, engineering and security teams can take immediate steps:

  1. Adopt multi-source SBOM strategies that reduce single-point dependency, as recommended by the NSA (NSA, 2024).

  2. Choose tools that correlate, not just collect, vulnerability metadata.

  3. Focus on automated remediation tied to real-time threat context—not static databases.

  4. Tie supply chain security to compliance mandates like EO 14028, ensuring regulatory alignment even as standards evolve.

And above all, build for resilience.

The software supply chain is only as strong as its weakest assumption.


References & Further Reading

  1. BleepingComputer (2025) MITRE warns that funding for critical CVE program expires today. Available at: https://www.bleepingcomputer.com/news/security/mitre-warns-that-funding-for-critical-cve-program-expires-today/ (Accessed: 16 April 2025).

  2. Cybellum (2024) NSA on Enhancing Cybersecurity Through Effective Software Bill of Materials (SBOM) Management. Available at: https://cybellum.com/blog/nsa-on-enhancing-cybersecurity-through-effective-software-bill-of-materials-sbom-management/ (Accessed: 16 April 2025).

  3. Cyber Defense Magazine (2025) Why eliminating the Cyber Safety Review Board weakens critical infrastructure and cyber resilience. Available at: https://www.cyberdefensemagazine.com/why-eliminating-the-cyber-safety-review-board-weakens-critical-infrastructure-and-cyber-resilience/ (Accessed: 16 April 2025).

  4. Ellis, C. (2025) ‘Statement on CVE sunset risks’, PCMag, 16 April. Available at: https://www.pcmag.com/news/bugcrowd-ellis-cve-comment (Accessed: 16 April 2025).

  5. MITRE (2023) CVE Program Overview. Available at: https://cve.mitre.org/about (Accessed: 16 April 2025).

  6. NSA (2024) Recommendations for Software Bill of Materials (SBOM) Management. Available at: https://media.defense.gov/2023/Dec/14/2003359097/-1/-1/0/CSI-SCRM-SBOM-MANAGEMENT.PDF (Accessed: 16 April 2025).

  7. Reuters (2025) US funding running out for critical cyber vulnerability database manager. Available at: https://www.reuters.com/technology/us-funding-running-out-critical-cyber-vulnerability-database-manager-says-2025-04-15/ (Accessed: 16 April 2025).

  8. Scribe Security (2024) Navigating NSA's SBOM Guidelines: Essential Steps. Available at: https://scribesecurity.com/blog/nsa-sbom-guidelines/ (Accessed: 16 April 2025).

  9. The White House (2021) Executive Order 14028 on Improving the Nation’s Cybersecurity. Available at: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ (Accessed: 16 April 2025).

  10. Vocal Media (2025) Reassessing the Russian Cyber Threat: Unpacking the Trump Administration’s Strategic Shift. Available at: https://vocal.media/writers/reassessing-the-russian-cyber-threat-unpacking-the-trump-administration-s-strategic-shift (Accessed: 16 April 2025).
