In what felt like a nail-biting moment for the global cybersecurity industry, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced late Tuesday that it has extended funding for MITRE’s Common Vulnerabilities and Exposures (CVE) program, just hours before the program’s contract was set to expire.
“The CVE Program is invaluable to the cyber community and a priority of CISA,” the agency said in a statement to BleepingComputer. “Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”
The extension is reportedly for 11 months and temporarily averts what many feared would be a disastrous disruption to one of the world’s most fundamental cybersecurity systems for identifying and tracking software vulnerabilities.
What was at stake?
The panic was triggered earlier this week when MITRE Vice President Yosry Barsoum warned in a letter to the CVE Board that government funding for the CVE and Common Weakness Enumeration (CWE) programs would expire on April 16.
“On Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire,” Barsoum wrote. “If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.”
His warning sent ripples through the cybersecurity world, with former CISA Director Jen Easterly calling CVE “one of the most important pillars of modern cybersecurity” in a LinkedIn post.
“Losing it would be like tearing out the card catalog from every library at once—leaving defenders to sort through chaos while attackers take full advantage,” Easterly wrote. “Cyber threats don’t stop at borders—and neither does defense. CVEs are the common language used worldwide to share intelligence and coordinate action. Lose that, and everyone’s flying blind.”
Community scramble and a new foundation
As fears of a shutdown grew, members of the CVE Board acted quickly to create a backup plan. On Wednesday, they unveiled the CVE Foundation, a new non-profit designed to help secure the future of the CVE program and reduce reliance on a single government sponsor.
“Since its inception, the CVE Program has operated as a U.S. government-funded initiative, with oversight and management provided under contract,” the board said in a press release. “While this structure has supported the program’s growth, it has also raised longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor.”
The foundation’s backers say they have spent the past year developing a strategy to transition the CVE program from sole government oversight into a community-driven model. The move, they say, is intended to eliminate “a single point of failure in the vulnerability management ecosystem” and ensure that CVE remains “a globally trusted, community-driven initiative.”
A close call
Since its beginning in 1999, the CVE program has cataloged more than 274,000 publicly disclosed vulnerabilities. It’s relied on by cybersecurity tools, government agencies, software vendors, and infrastructure defenders worldwide to assign CVE IDs and provide a standard way to reference security flaws.
Casey Ellis, founder of Bugcrowd, told TechRepublic in an email that CVE underpins “a huge chunk of vulnerability management, incident response, and critical infrastructure protection efforts.” A break in service, he added, “has the very real potential to bubble up into a national security problem in short order.”
Meanwhile, the European Union is making its own moves. The European Union Agency for Cybersecurity (ENISA) recently launched its own vulnerability database — the EUVD — which provides “access to reliable and timely information about vulnerabilities affecting Information and Communication Technology (ICT) products and services, and contributes to an enhanced cybersecurity risk management.”
