CISA extends MITRE's CVE bug tracking funding – for now

Relents at the last moment to avert disruption to critical cybersecurity infrastructure

The US Cybersecurity and Infrastructure Security Agency (CISA) has moved to secure continued operations of the Common Vulnerabilities and Exposures (CVE) programme by extending its contract with MITRE, preventing a potentially disruptive lapse in critical cybersecurity services.

"The CVE Program is invaluable to the cyber community and a priority of CISA," CISA said.

"Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience."

CISA did not say why it delayed its annual renewal decision this time.

The funding extension will keep the programme operational for another 11 months.

Earlier in the week, the programme's future had been cast into doubt following the leak of a letter from MITRE's Yosry Barsoum, vice president and director at the Center for Securing the Homeland.

In the letter, Barsoum warned that the contract pathway was set to expire on 16th April 2025, potentially leading to severe consequences.

"If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure," Barsoum said.

Operated by MITRE, a federally funded research and development centre, the CVE programme serves as a central repository and identification system for security flaws. Since its inception in 1999, it has enabled organisations worldwide, including tech giants such as Microsoft, Google, Apple, Intel and AMD, to assign unique IDs to known vulnerabilities.

Not-for-profit MITRE receives its funding for the CVE programme from the US Department of Homeland Security (DHS) and CISA. This funding supports MITRE's role in operating and developing the programme as an "independent, objective third party," according to programme documentation.

Following CISA's announcement, MITRE expressed its gratitude to government officials and the broader cybersecurity community.

"We appreciate the overwhelming support for these programs that have been expressed by the global cyber community, industry and government over the last 24 hours," Barsoum said on Wednesday.

Despite the immediate crisis being averted, the incident has reignited concerns about the sustainability of the CVE programme.

"Like many pieces of open source software, the CVE database has become a dependable resource for all teams with any concern over security, and its centralisation and dependability has allowed DevSecOps teams to build pipelines to get fixes out quickly, for all manner of software security issues," said Matt Saunders, DevOps lead at The Adaptavist Group.

"Losing it would make our software harder to secure, and its absence would mark a victory for cybercriminals across the world."

Tim Grieveson, chief security officer and EVP information security at ThingsRecon, said: "With 25 years of consistent public funding, the CVE framework is embedded into security programmes, vendor feeds and risk assessment workflows. Without it, we risk breaking the common language that keeps security teams aligned to identify and address vulnerabilities effectively."

In a preemptive move, a coalition of CVE board members announced the formation of the CVE Foundation, a new non-profit organisation aimed at ensuring the programme's long-term independence.

The Foundation, in development over the past year, is intended to decentralise the programme's governance, removing what it calls a "single point of failure in the vulnerability management ecosystem." It is expected to publish further details about its transition strategy in the coming days.

Sylvain Cortes, VP strategy at Hackuity, commented: "Although CISA has updated its plans by confirming today that it plans on funding the invaluable CVE program, the future is still uncertain. Questions remain if this is a long-term solution or a temporary reprieve. MITRE's CVE program is at the heart of how we share and interpret vulnerability intelligence. It isn't just a list of vulnerability numbers; it's an actionable system which the whole industry relies upon for enriched information on how vulnerabilities are categorised and the products they impact.

"We should also use this as an opportunity for European organisations to get vocal. EU security leaders need to step up and call for ENISA to build a European equivalent to MITRE's CVE program and move towards an active mode of information enrichment."
