CISA says the U.S. government has extended MITRE's funding to ensure no continuity issues with the critical Common Vulnerabilities and Exposures (CVE) program.
"The CVE Program is invaluable to the cyber community and a priority of CISA," the U.S. cybersecurity agency told BleepingComputer. "Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience."
BleepingComputer has learned that the extension of the contract is for 11 months.
The announcement follows a warning from MITRE Vice President Yosry Barsoum that government funding for the CVE and CWE programs was set to expire today, April 16, potentially leading to widespread disruption across the cybersecurity industry.
"If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure," Barsoum said.
MITRE maintains CVE, a widely adopted program that provides accuracy, clarity, and shared standards when discussing security vulnerabilities, with funding from the U.S. National Cyber Security Division of the U.S. Department of Homeland Security (DHS).
After our story was published, MITRE shared the following statement with BleepingComputer:
"Thanks to actions taken by the government, a break in service for the Common Vulnerabilities and Exposures (CVE®) Program and the Common Weakness Enumeration (CWE™) Program has been avoided. As of Wednesday morning, April 16, 2025, CISA identified incremental funding to keep the Programs operational. We appreciate the overwhelming support for these programs that has been expressed by the global cyber community, industry, and government over the last 24 hours. The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE and CWE as global resources."
❖ Yosry Barsoum, Vice President, Director, Center for Securing the Homeland, MITRE
Newly launched CVE Foundation
Before CISA's announcement, a group of CVE Board members announced the launch of the CVE Foundation, a non-profit organization established to secure the CVE program's independence in light of MITRE's warning that the U.S. government might not renew its contract for managing the program.
"Since its inception, the CVE Program has operated as a U.S. government-funded initiative, with oversight and management provided under contract," they said in a Wednesday press release. "While this structure has supported the program's growth, it has also raised longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor."
Over the last year, the individuals involved in the launch have been developing a strategy to transition the program to this dedicated foundation, eliminating "a single point of failure in the vulnerability management ecosystem" and ensuring "the CVE Program remains a globally trusted, community-driven initiative."
While the CVE Foundation plans to release further information about its transition planning in the coming days, the next steps remain unclear, especially considering CISA has confirmed that funding for MITRE's contract has been extended.
The European Union Agency for Cybersecurity (ENISA) has also launched a European vulnerability database (EUVD), which "embraces a multi-stakeholder approach by collecting publicly available vulnerability information from multiple sources."
Update 4/16/25 11:07 AM ET: Added information about how long the contract is extended.
Comments
tinyhands - 3 weeks ago
CISA still has a major blindspot to Russia, so we no longer rely on it as a credible cybersecurity source.
deltasierra - 2 weeks ago
Could you elaborate on this blindspot?
Wannabetech1 - 2 weeks ago
TDS perhaps? I'm not sure why anyone would trust a government entity when it comes to security to begin with. No matter who's in charge.
deltasierra - 2 weeks ago
The CVE and CWE programs should be independent anyways, at least at this point in history.
CISA should be focusing on core security foundations like this, not pressuring Facebook and others to enact censorship on U.S. citizens.
https://www.theregister.com/2023/10/04/cisa_barred_from_coordinating_with
Wannabetech1 - 2 weeks ago
Yes indeed. Also, who decides what is "mis(or dis)information"? A government entity?