The Cybersecurity and Infrastructure Security Agency (CISA) extended its contract for the agency’s Common Vulnerabilities and Exposures (CVE) Program late Tuesday night after MITRE – the non-profit organization that operates the program – alerted stakeholders to a looming cutoff of Federal funding for the program.

MITRE confirmed on Tuesday that government funding necessary to develop, operate, and modernize the CVE Program would lapse on Wednesday. MITRE told members of the CVE Board that, without government action, the break in service would degrade “national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.”

In a Wednesday morning statement, a CISA spokesperson told MeriTalk that the CVE Program is “invaluable to the cyber community and a priority of CISA.”

“Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience,” the CISA spokesperson said, adding that the contract extension runs for 11 months.

In a separate Wednesday statement, MITRE confirmed to MeriTalk that CISA’s actions avoided a break in service for the CVE Program, as well as the Common Weakness Enumeration (CWE) Program.

“We appreciate the overwhelming support for these programs that have been expressed by the global cyber community, industry, and government over the last 24 hours,” said Yosry Barsoum, the vice president and director of the Center for Securing the Homeland at MITRE. “The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE and CWE as global resources.”

The CVE Program has been a critical pillar of global cybersecurity infrastructure for 25 years. The goal of the program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.

There is one CVE Record – or structured data about a vulnerability – for each vulnerability in the catalog. Partners around the world publish CVE Records to communicate consistent descriptions of cyber vulnerabilities.

Following MITRE’s warning on Tuesday of a looming lapse in service, a coalition of CVE Board members established the CVE Foundation to ensure the long-term stability and independence of the CVE Program.

“CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” said Kent Landfield, an officer of the CVE Foundation. “Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work – from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats.”

The foundation said it will release more information about its structure and transition planning in the coming days. However, it is unclear what its next steps might entail after CISA extended the contract.

“This potential disruption highlights a critical truth: an over-dependence on a single vulnerability catalog to drive detection, coordination, and remediation efforts,” said Nadir Izrael, the CTO and co-founder of Armis. “A disruption of this magnitude calls into question whether traditional methods of identifying and tracking threats are resilient enough for today’s evolving risk landscape. This moment serves as a stark reminder that threat detection strategies must evolve beyond traditional CVE-based models.”

Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.