CISA at the Last Minute Extends Funding for Crucial MITRE CVE Program
CISA reportedly has extended the funding for the crucial vulnerability database program managed by the non-profit MITRE Corp., allaying fears for now that a pillar of the global cybersecurity industry would stop running.
According to news reports, a CISA spokesperson said in a statement that “the CVE Program is invaluable to the cyber community and a priority of CISA. [Tuesday] night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”
The announcement comes after a frantic 24 hours that saw cybersecurity professionals warn about the dire consequences should MITRE’s Common Vulnerabilities and Exposures (CVE) program stop operating, a situation that they said would severely hamper security efforts and open the door wider to threat groups and adversarial nation-state operators from China, Russia, Iran, and elsewhere.
It also comes as members of the CVE Board that helps manage the government-funded program announced a new non-profit organization that was ready to pick up the responsibility for collecting, cataloging, and managing CVEs.
However, questions remain, including how long the funding will last.
In a letter circulated on social media late Monday afternoon, Yosry Barsoum, vice president of MITRE and director of the Center for Securing the Homeland, told CVE Board members that the “contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE [Common Weakness Enumeration] will expire,” adding that the “government continues to make considerable efforts to continue MITRE’s role in support of the program.”
“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all matter of critical infrastructure,” Barsoum wrote.
CISA, which is part of the Homeland Security Department, later confirmed the government’s decision to news outlets.
An Alternative Arises
In response, members of the CVE Board announced this morning that they launched the CVE Foundation, essentially transitioning the CVE Program – which for years has operated as a government-funded initiative – to a dedicated nonprofit organization that “will focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide.”
“CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” Kent Landfield, an officer of the Foundation, said in a statement. “Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work – from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats.”
Hurting Cybersecurity, Helping Threat Actors
Security professionals reacted quickly as news of MITRE’s situation circulated Tuesday, before the announcements by CISA and the CVE Foundation. Had the funding for MITRE’s program disappeared, it would have hobbled security analysts’ work and given cybercriminals a significant advantage, they said.
“One of these consequences could be that the CNAs – CVE Numbering Authorities – and researchers may be unable to obtain or publish CVEs in a standardized manner,” said Tim Peck, senior threat researcher at Securonix. “This would delay vulnerability disclosures and affect coordinated disclosure timelines. Notes on patching and remediations could be delayed, offering a greater window of time to attackers to engage in exploitation.”
In addition, defense-based tooling – vulnerability scanners and platforms – that relies on CVE metadata, like CISA KEV, VulnCheck, and Nessus, would stop receiving timely and trusted information, making it impossible to synchronize pipelines, Peck said.
‘A National Security Problem’
Casey Ellis, founder of Bugcrowd, said that “CVE underpins a huge chunk of vulnerability management, incident response, and critical infrastructure protection efforts. A sudden interruption in services has the very real potential to bubble up into a national security problem in short order.”
“A service break would likely degrade national vulnerability databases and advisories,” said Jason Soroko, senior fellow at Sectigo. “This lapse could negatively affect tool vendors, incident response operations, and critical infrastructure broadly. MITRE emphasizes its continued commitment but warns of these potential impacts if the contracting pathway is not maintained.”
In a LinkedIn post, ex-CISA director Jen Easterly laid out what lies ahead for businesses, including slower and riskier responses to threats, a breakdown of trusted tools and processes, a disruption in guidance from the government, and the collapse of needed international coordination, writing that “CVEs are the common language used worldwide to share intelligence and coordinate action. Lose that, and everyone’s flying blind.”
“The Bottom Line: The CVE system may not make headlines, but it is one of the most important pillars of modern cybersecurity. Losing it would be like tearing out the card catalog from every library at once – leaving defenders to sort through chaos while attackers take full advantage,” Easterly wrote.
‘This is Bonkers’
On YouTube, John Hammond, principal security researcher at security firm Huntress, raged at the government’s decision, saying he swore out loud when hearing the news.
“This is so bonkers to me,” Hammond said. “Vulnerabilities is the common language we use just kind of getting cast out, thrown on the ground and tossed out the window. … You’re just cutting the legs off the cybersecurity industry.”
The chaos this is causing is amplified because notice of the situation came out the day before the funding was to stop, he said.
“What do we do? No more CVEs? Do we just go off of hope? Are we vibe coding? Now there are vibe cybersecurities?” he asked.
More Independence Needed
In announcing the CVE Foundation, CVE Board members said they had long been concerned that operating as a government-funded group – which included government oversight and management under the contract – hindered the CVE Program’s sustainability and neutrality. They didn’t believe a resource that countries and security analysts around the world rely on should be tied to a single government sponsor.
Over the past year, a number of longtime CVE Board members developed a strategy for this transition to a nonprofit foundation, a change that came to the forefront after MITRE’s notification about the government’s decision not to renew the contract to manage the program, they wrote, adding that “while we had hoped this day would not come, we have been preparing for this possibility.”
“The formation of the CVE Foundation marks a major step toward eliminating a single point of failure in the vulnerability management ecosystem and ensuring the CVE Program remains a globally trusted, community-driven initiative,” the group wrote. “For the international cybersecurity community, this move represents an opportunity to establish governance that reflects the global nature of today’s threat landscape.”
An Industry Under Fire
The reports about the government not renewing the contract for the CVE program shook a cybersecurity industry that in recent weeks has seen the Trump Administration tear at its seams, including slashing CISA’s budget and workforce, firing the head of the National Security Agency, and targeting former CISA director Chris Krebs and the company he now works for, SentinelOne, for retribution.