CVE Gets Last-Minute Reprieve From CISA, But Program’s Longevity In Question

‘We currently don’t have any idea on how long that option for contract extension is,’ one expert says.

Alarm resounded throughout the cybersecurity community after a letter to Mitre—a nonprofit that conducts federally funded research mainly in the cybersecurity, defense and health-care spaces—was leaked online, stating that Mitre’s CVE (Common Vulnerabilities and Exposures) program was reportedly ending as of April 16, as ordered by the Cybersecurity and Infrastructure Security Agency (CISA).

As CRN reported, funding for Mitre to develop, operate and modernize the CVE program “and related programs, such as the Common Weakness Enumeration (CWE) Program, will expire,” Yosry Barsoum, vice president and director of the Center for Securing the Homeland at Mitre, said in the leaked letter.

CISA has since walked back its decision.

“The CVE Program is invaluable to the cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience,” CISA posted on its website.

“Thanks to actions taken by the government, a break in service for the Common Vulnerabilities and Exposures (CVE) Program and the Common Weakness Enumeration (CWE) Program has been avoided. As of Wednesday morning, April 16, 2025, CISA identified incremental funding to keep the programs operational. We appreciate the overwhelming support for these programs that has been expressed by the global cyber community, industry and government over the last 24 hours. The government continues to make considerable efforts to support Mitre’s role in the program and Mitre remains committed to CVE and CWE as global resources,” Barsoum said in an official statement shared by Mitre with MES Computing.

The CVE database is used by cybersecurity professionals to identify and track publicly disclosed vulnerabilities under a common identifier. In 2024, there were over 40,000 CVE records published containing data about known vulnerabilities.

The program partners with many major tech companies, including Cisco Systems, Dell Technologies, Fortinet, Microsoft and Sophos, to name a few, to build out its list of vulnerabilities.

While the CVE program got a last-minute reprieve, many cybersecurity professionals are concerned about its future.

“The update comes just hours after a subset of the CVE Board said it plans to break off to maintain the CVE Program under a new body called the CVE Foundation. Unclear what happens next, but the new group could have a role in future contracting discussions,” a user posted on the Bluesky social network.

“CVE isn’t dead, but it’s untethered,” another user in the cybersecurity community posted on LinkedIn.

“The news that Mitre’s contract for CVE is not being renewed—and that they’re being forced to wind down services—is a huge blow to the backbone of our vulnerability ecosystem that could have real and tangible effects on the ability for us to secure our systems across the nation. The CVE program is foundational infrastructure for the security industry. It’s how vulnerabilities get standardized, tracked and shared across vendors, tools and government agencies; without it, we lose critical visibility and coordination. This is the system that helps everyone, from a solo developer to a Fortune 100 security team, know what to patch, how to prioritize and how to defend. Gutting it doesn’t just slow us down—it actively makes us more vulnerable as an industry and as a nation. Threat actors won’t wait for us to get our act together,” said Joe Nicastro, field CTO at software security company Legit Security, in a statement to MES Computing.

“Fortunately, it appears this crisis may have been temporarily avoided. ... We currently don’t have any idea on how long that option for contract extension is so we’re currently unclear about the long-term status of this vital service,” he continued.

In regard to the future of the CVE program, “Mitre remains committed to our nation’s cybersecurity and we will work with our federal sponsors, the CVE Board, and the cybersecurity community on considerations for continued financial and community support of the CVE Program,” Mitre said in a statement to MES Computing.