The Common Vulnerabilities and Exposures Program (CVE) — established in 1999 and managed by the nonprofit MITRE under a federal contract — serves as a central resource for identifying, defining and cataloging publicly disclosed cybersecurity vulnerabilities. Each identified threat is assigned a CVE Record, which is then published by partner organizations around the world.
On Tuesday, cybersecurity journalist Brian Krebs shared a LinkedIn post featuring a screenshot of a letter from Yosry Barsoum, vice president of the Center for Securing the Homeland at MITRE, to the CVE board of directors. The letter said MITRE’s contract to operate the CVE and related programs would expire Wednesday.
The contract did expire on Wednesday. However, later that day, the federal Cybersecurity and Infrastructure Security Agency (CISA) confirmed the funding had been reinstated. In an email to Government Technology that echoes a statement on its website, a CISA spokesperson said, “The CVE Program is invaluable to the cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”
The extension provides funding for the next 11 months, the spokesperson said.
Amid the uncertainty, a new nonprofit — the CVE Foundation — announced its launch Wednesday to support the program’s future. A news release said it was created “to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program, a critical pillar of the global cybersecurity infrastructure for 25 years.”
The announcement also noted that while program leaders had hoped such a move would not be necessary, they were ready for the possibility. In response to word that funding would not be renewed, a group of “longtime, active CVE Board members” spent the last year working on “a strategy to transition CVE to a dedicated, non-profit foundation,” the announcement said, indicating it will “focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide.”
“CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” Kent Landfield, a foundation officer, said in a statement. “Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work — from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats.”
MITRE affirmed its own ongoing commitment to cybersecurity. In an email, a spokesperson said: “MITRE remains committed to our nation’s cybersecurity and we will work with our federal sponsors, the CVE Board, and the cybersecurity community on considerations for continued financial and community support of the CVE Program.”
