CISA Provides Last-Minute Support

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has extended its contract with MITRE Corporation, ensuring the uninterrupted operation of the Common Vulnerabilities and Exposures (CVE) program, a cornerstone of global cybersecurity that was hours away from losing federal funding.

The CVE program, established in 1999 and maintained by MITRE, provides the world’s most widely used system for cataloging and standardizing identifiers for publicly disclosed cybersecurity vulnerabilities.

Its unique identifiers, known as CVE IDs, are essential for security researchers, vendors, and IT teams to track, prioritize, and remediate security flaws efficiently.


The database underpins everything from vulnerability scanners and patch management systems to incident response operations and critical infrastructure protection.

Shutdown Due to Funding Issues

The crisis unfolded as MITRE confirmed that its contract with the U.S. Department of Homeland Security (DHS) to operate the CVE program would expire on April 16, 2025, with no renewal in place.

This revelation sent shockwaves through the cybersecurity community, which relies on CVE as the global reference standard for vulnerability management. Experts warned that a shutdown would disrupt national vulnerability databases, degrade security advisories, and hamper the efforts of tool vendors and incident responders worldwide.

Following this expiry crisis, “CVE Foundation has been formally launched to safeguard the long-term continuity, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program.”

“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure,” cautioned Yosry Barsoum, MITRE’s Vice President and Director of the Center for Securing the Homeland.

CISA, the primary sponsor of the CVE program, responded to mounting pressure and industry appeals by executing an “option period” on the contract late Tuesday night, just hours before the program was set to lapse.

A CISA spokesperson told Cyber Security News, “The CVE Program is invaluable to the cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there would be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”

While the specifics of the extension, including its duration and the long-term funding outlook, remain unclear, the immediate threat of a service interruption has been averted.

The move comes amid broader cost-cutting efforts within the federal government, which have already resulted in contract terminations and reductions across several CISA teams.

The close call has reignited debate about the sustainability and neutrality of having a globally relied-upon resource like CVE tied to a single government sponsor.

Some members of the CVE Board are reportedly considering establishing a new independent body to ensure the program’s long-term stability and impartiality.

For now, the extension means that security professionals, vendors, and government agencies worldwide can continue to rely on the CVE program for coordinated vulnerability tracking and response.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.