CISA Throws Lifeline to CVE Program with Contract Extension
In a dramatic turn of events, the US Cybersecurity and Infrastructure Security Agency (CISA) has stepped in to save the Common Vulnerabilities and Exposures (CVE) Program from potential disruption, announcing an 11-month contract extension just in time.
The move has breathed new life into the critical vulnerability tracking initiative, ensuring its continued operation and averting a potentially disastrous disruption to the global cybersecurity landscape.
On April 15, the cybersecurity community learned, from a letter signed by Yosry Barsoum, vice president of MITRE, a US-based non-profit, that the US government was not going to renew the organization’s contract to manage the CVE and Common Weakness Enumeration (CWE) programs. The contract was set to expire on April 16.
The CWE program is a companion initiative to the CVE program, providing a standardized catalog of software weaknesses and vulnerabilities that can be used to understand and mitigate the root causes of the vulnerabilities identified by CVE.
MITRE has been running both programs for 25 years, helping the security community manage and mitigate software vulnerabilities while providing critically important information to power threat intelligence, detection and response, and other products.
A publication based in the US state of Virginia, Virginia Business, reported that MITRE said earlier this month that it would be laying off some 442 staff after the Trump administration’s Department of Government Efficiency (DOGE) canceled more than $28m in MITRE contracts.
An 11-Month Extension to MITRE’s CVE and CWE Contract
On April 16, a CISA spokesperson announced that the agency had exercised the option period of its contract with MITRE to “ensure there will be no lapse in critical CVE services.”
“The CVE Program is invaluable to the cyber community and a priority of CISA. We appreciate our partners’ and stakeholders’ patience,” the spokesperson added.
According to federal contract documents, the $57.8m agreement between CISA and MITRE was set to expire on April 16, 2025, but included an option to extend until March 16, 2026. CISA confirmed to the media that the extension would last for 11 months.
Yosry Barsoum, also director of the Center for Securing the Homeland at MITRE, said on LinkedIn that CISA had “identified incremental funding to keep the programs operational.”
He expressed gratitude for the outpouring of support from the global cyber community, industry, and government.
“We appreciate the overwhelming support for these programs that has been expressed by the global cyber community, industry, and government over the last 24 hours,” he said.
Barsoum also reaffirmed MITRE’s commitment to the CVE and CWE programs.
“The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE and CWE as global resources.”
While most of the wider cyber community has welcomed the contract extension, many have highlighted that the uncertainty around funding is still of concern and that the program’s future remains unclear.
“While an extension may provide temporary relief, it is not a substitute for a sustainable solution. If we fail to secure the future of the CVE program, we risk transforming a vital pillar of digital defense into a significant vulnerability,” commented Adam Kahn, VP of Global Security Operations at Barracuda.
CVE Foundation and European Vulnerability Database
Prior to CISA’s announcement regarding a contract extension, a collective of CVE Board members unveiled the establishment of the CVE Foundation.
The CVE Foundation is a non-profit entity aimed at safeguarding the CVE program’s autonomy, formed in response to MITRE’s warning that the US government might not renew its contract for overseeing the program.
In a statement released on April 16, the group noted that the CVE Program has historically operated as a US government-funded endeavor, with its management and oversight contracted out. However, this arrangement has long been a source of concern for CVE Board members, who have questioned the long-term viability and impartiality of a globally utilized resource being beholden to a single governmental patron.
Throughout the past year, the individuals driving the launch have been refining a strategy to transfer the program to the newly formed foundation, thereby mitigating the risk of a “single point of failure in the vulnerability management ecosystem” and ensuring the CVE Program remains a trusted, community-led initiative with global relevance.
Although the CVE Foundation intends to provide additional details regarding its transition plans in the near future, the subsequent steps remain shrouded in uncertainty, particularly in light of CISA’s confirmation that funding for MITRE’s contract has been prolonged.
Additionally, Alexandre Dulaunoy, a security researcher and Head of the Computer Incident Response Center Luxembourg (CIRCL), and Alexander Jäger, a Senior Security Engineer at Google, introduced the Global CVE (GCVE) allocation system.
This new framework aims to promote a decentralized approach to vulnerability identification and numbering, designed to improve flexibility, scalability and autonomy for participating entities.
Finally, the European Union Agency for Cybersecurity (ENISA) launched its European vulnerability database (EUVD), characterized by a multi-stakeholder approach that aggregates publicly available vulnerability information from a diverse range of sources.