In a critical move to maintain global cybersecurity infrastructure, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has extended its contract with the MITRE Corporation to continue operating the Common Vulnerabilities and Exposures (CVE) program. This decision comes just hours before the program’s funding was set to expire on April 16, 2025.
The CVE program, established in 1999, serves as a standardized system for identifying and cataloging publicly known cybersecurity vulnerabilities. It is widely utilized by major technology companies, including Microsoft, Apple, Google, and Intel, as well as government agencies and security professionals worldwide. The program has cataloged over 274,000 vulnerabilities to date.
Earlier this week, MITRE announced that its contract to manage the CVE program would lapse, raising alarms across the cybersecurity community. Experts warned that a disruption could lead to significant challenges in vulnerability tracking, advisories, and incident response operations. Yosry Barsoum, MITRE’s Vice President and Director at the Center for Securing the Homeland, emphasized the potential impacts, stating that a service break could “negatively affect tool vendors, incident response operations, and critical infrastructure broadly.”
In response to the impending funding gap, a group of CVE Board members announced the formation of the CVE Foundation, a nonprofit organization aimed at ensuring the program’s long-term sustainability and independence. The foundation seeks to eliminate reliance on a single government sponsor and maintain the CVE program as a globally trusted, community-driven initiative.
The last-minute contract extension by CISA ensures that there will be no lapse in critical CVE services. A CISA spokesperson stated, “The CVE Program is invaluable to the cyber community and a priority of CISA. We appreciate our partners’ and stakeholders’ patience.” The extension is set for 11 months, providing a temporary reprieve while discussions about the program’s future governance continue.
The situation has also prompted international responses. The European Union Agency for Cybersecurity (ENISA) has launched the European Vulnerability Database (EUVD), aiming to collect publicly available vulnerability information from multiple sources. This initiative reflects a growing recognition of the need for diversified and resilient cybersecurity infrastructures.
As the cybersecurity landscape evolves, the continuity and adaptability of programs like CVE remain crucial. The recent developments underscore the importance of collaborative efforts between government agencies, private sector stakeholders, and international partners to safeguard digital ecosystems against emerging threats.