The Common Vulnerabilities and Exposures (CVE) Program is one of the most central programs in cybersecurity, so news that MITRE’s contract to run the program was expiring sent shock waves through the cybersecurity community on April 15.
But fears for the future of the globally recognized program underpinning vulnerability management were assuaged when CISA announced today that it was extending the MITRE CVE contract. The extension apparently is for 11 months, sources told The Cyber Express.
In a statement today to The Cyber Express, a spokesperson for the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said:
“The CVE Program is invaluable to cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”
It’s not clear what the long-term future of the CVE program will be – CISA had floated the idea of bringing it in-house despite its own budget and staffing cuts – but at least for now, the program will continue as is.
MITRE CVE Contract Raises Cybersecurity Concerns
The panic started on April 15 with news of a letter to the CVE Board from Yosry Barsoum, Vice President and Director of MITRE’s Center for Securing the Homeland, warning of the contract’s imminent expiration.
“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure,” Barsoum wrote (image below).
MITRE released this statement in response to media inquiries:
“On Wednesday, April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE) Program and related programs, such as the Common Weakness Enumeration (CWE) Program, will expire. The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE as a global resource.”
MITRE noted how valuable the program is to a wide range of cybersecurity services:
“The CVE Program anchors a growing cybersecurity vendor market worth more than $37 billion, providing foundational data to vendor products across vulnerability management, cyber threat intelligence, security information and event management, and endpoint detection and response.”
MITRE said historical CVE records will be available on GitHub at https://github.com/CVEProject, and also directed those seeking more information to visit the official CVE.org website.
In response to news of the 11-month contract extension, Barsoum released the following statement today:
“Thanks to actions taken by the government, a break in service for the Common Vulnerabilities and Exposures (CVE) Program and the Common Weakness Enumeration (CWE) Program has been avoided. As of Wednesday morning, April 16, 2025, CISA identified incremental funding to keep the Programs operational. We appreciate the overwhelming support for these programs that have been expressed by the global cyber community, industry, and government over the last 24 hours. The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE and CWE as global resources.”
CVE Foundation, EU Vulnerability Database Launched
Amid the uncertainty, a non-profit CVE Foundation has been launched by several CVE Board members “to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program.”
The new CVE Foundation will focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide,” the group stated.
“CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” stated Kent Landfield, an officer of the Foundation. “Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work—from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats.”
The EU also launched its own vulnerability database in response to the uncertainty.
Easterly: Serious Implications for Business Risk
In an April 15 post on LinkedIn, former CISA Director Jen Easterly said news of the MITRE contract expiration was “rightly raising alarms across the cybersecurity community. While this may sound like a technical issue, it has SERIOUS implications for business risk, operational resilience, and national security.”
“The CVE system may not make headlines, but it is one of the most important pillars of modern cybersecurity,” she added.
Any disruption would also come amid an enduring backlog in processing CVEs in the National Vulnerability Database (NVD) at the National Institute of Standards and Technology (NIST). With more than 40,000 new vulnerabilities discovered last year, NIST continues to struggle with the volume of new vulnerabilities.
