The Cybersecurity and Infrastructure Security Agency (CISA) has extended funding to the MITRE Corporation, ensuring the continued operation of the Common Vulnerabilities and Exposures (CVE) program, a linchpin of global cybersecurity.
Announced late on April 15, 2025, just hours before the program’s funding was set to expire, the 11-month extension averts a crisis that could have disrupted vulnerability tracking worldwide.
Since 1999, MITRE has managed the CVE program, which catalogs and tracks cybersecurity vulnerabilities, providing a standardized framework for governments, industries, and researchers. With over 274,000 records, the CVE database is critical for vulnerability management, incident response, and protecting critical infrastructure.
The program assigns unique CVE Identifiers (CVE IDs) through over 400 CVE Numbering Authorities (CNAs), including tech giants like Microsoft and Google, enabling coordinated disclosure of software and hardware flaws.
On April 15, MITRE’s Yosry Barsoum warned that the Department of Homeland Security (DHS) contract funding the CVE and Common Weakness Enumeration (CWE) programs would lapse on April 16.
“A break in service would degrade national vulnerability databases, disrupt tool vendors, and undermine critical infrastructure,” Barsoum wrote to CVE Board members.
The news triggered alarm, with experts warning that a shutdown could fragment vulnerability management, delay patches, and embolden cybercriminals.
CISA Extends Funding to MITRE
CISA’s 11-month funding extension, executed on the evening of April 15, ensures that the CVE program will continue without interruption for the near term. “The CVE Program is invaluable to the cyber community and a priority of CISA,” a CISA spokesperson said in a statement. “Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”
The decision quelled fears of immediate disruption, but the program’s long-term stability remains uncertain amid CISA’s budget constraints.
Recent budget cuts under the Trump administration’s cost-saving initiatives, including the Department of Government Efficiency led by Elon Musk, have strained CISA’s resources.
Nearly 40% of CISA’s 3,300 employees face termination, and MITRE recently laid off 442 staff after losing $28 million in contracts. These cuts underscored the fragility of relying on a single government sponsor for a globally critical program.
In response, CVE Board members announced the CVE Foundation on April 16, a non-profit aimed at securing the program’s independence.
“The CVE Foundation will ensure the long-term viability and stability of the CVE Program,” the group stated, highlighting the risks of a “single point of failure.” The foundation’s formation signals a shift toward diversified funding to safeguard the program’s future.
Cybersecurity experts praised CISA’s action but called for permanent solutions. “CVE is the backbone of vulnerability coordination,” said Jen Easterly, former CISA Director. “Its funding should be ironclad, not subject to last-minute rescues.” Roger Grimes of KnowBe4 added, “This program deserves robust resources to fulfill its mission without uncertainty.”
For now, the CVE program remains operational, with records accessible via GitHub. As the cybersecurity community rallies behind the CVE Foundation’s efforts, the 11-month reprieve offers breathing room to plan for a sustainable future, ensuring this vital resource continues to protect global systems.