The government will continue funding the Common Vulnerabilities and Exposures (CVE) program. In a statement to The Verge, US Cybersecurity and Infrastructure Agency (CISA) spokesperson Jared Auchey said it “executed the option period on the contract to ensure there will be no lapse in critical CVE services” last night.
On Tuesday, MITRE, the government-funded organization behind the CVE program, warned that its contract to continue managing the system was set to expire on April 16th. The CVE program is used by major companies like Microsoft, Apple, Google, and Intel to identify and track cybersecurity vulnerabilities around the globe.
In response, CVE board members announced an initiative to make the program a nonprofit foundation, saying it will “focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide.”
Yosry Barsoum, MITRE’s vice president and director at the Center for Securing the Homeland, told The Verge that the organization was able to avoid a “break in service” after the government extended its contract. “As of Wednesday morning… CISA identified incremental funding to keep the Programs operational,” Barsoum said.
Though the CVE Foundation said it would share more details “over the coming days,” it’s not clear whether it will continue now that the government has renewed its contract with MITRE. CISA doesn’t say why it waited so long to extend its contract, but the last-minute renewal comes as DOGE continues to slash funding and cut jobs throughout the federal government.
”The CVE Program is invaluable to the cyber community and a priority of CISA,” Auchey said. “We appreciate our partners’ and stakeholders’ patience.”
Update, April 16th: Added a statement from MITRE.
