The Cybersecurity and Infrastructure Security Agency (CISA) has announced that it will continue funding for MITRE to ensure the uninterrupted functioning of the critical Common Vulnerabilities and Exposures (CVE) program.
"The CVE Program is vital for the cybersecurity community and a top priority for CISA," the agency told BleepingComputer. "CISA exercised the option period in MITRE's contract to prevent any disruption in essential CVE services. We thank our partners and stakeholders for their understanding."
Reports indicate that this contract extension will last for 11 months. This decision follows a warning from MITRE Vice President Yosry Barsoum, who noted that government funding for the CVE and CWE programs was set to expire on April 16, which could cause major disruptions in the cybersecurity sector. "If service disruptions occur, we expect several detrimental effects on CVE, including the degradation of national vulnerability databases and advisories, impacts on tool vendors and incident response operations, and increased risks to critical infrastructure," Barsoum remarked.
MITRE oversees the CVE program, which is well-regarded for its precision, clarity, and standardized approach to discussing security vulnerabilities. It is funded by the National Cyber Security Division of the U.S. Department of Homeland Security (DHS). A MITRE spokesperson could not be reached for comment when BleepingComputer sought to make contact earlier today.
Prior to CISA's announcement, members of the CVE Board had revealed the formation of the CVE Foundation, a non-profit organization aimed at securing the program's independence in light of MITRE's warning that the U.S. government may not renew its management contract. "Since its inception, the CVE Program has operated as a U.S. government-funded initiative, with oversight and management provided under contract," they stated in a Wednesday press release. "While this framework has facilitated the program's growth, it has also raised ongoing concerns among CVE Board members about the sustainability and impartiality of a globally relied-upon resource being tied to a single government sponsor."
Over the past year, individuals involved in the foundation's creation have been developing a plan to transition the program to this independent entity, aiming to eliminate "a single point of failure in the vulnerability management ecosystem" and guarantee that "the CVE Program remains a globally trusted, community-driven initiative." While the CVE Foundation plans to share more details about its transition strategy soon, next steps are unclear, especially since CISA has confirmed the extension of MITRE's funding.
Additionally, the European Union Agency for Cybersecurity (ENISA) has launched a European vulnerability database (EUVD), which utilizes a multi-stakeholder approach by collecting publicly available vulnerability information from various sources.