MITRE’s CVE Program Gets Funding Extension Just in Time

The CVE program dodged a digital disaster this week after the U.S. government stepped in, just in time, with a temporary funding extension for MITRE, the organization behind the widely used vulnerability catalog.

According to the Cybersecurity and Infrastructure Security Agency (CISA), it executed the “option period” of its existing contract with MITRE late Tuesday to keep the Common Vulnerabilities and Exposures (CVE) program fully operational.

“The CVE Program is invaluable to the cyber community and a priority of CISA,” a spokesperson said. “We appreciate our partners’ and stakeholders’ patience.”

The extension adds 11 more months to the contract, which had been on the verge of expiration as of Wednesday morning. Federal documents show that the full agreement—valued at $57.8 million—can be extended through March 2026, though CISA hasn’t yet said what comes after this brief reprieve.

MITRE’s VP and director of its Center for Securing the Homeland, Yosry Barsoum, confirmed that CISA secured incremental funding to sustain the CVE and CWE programs, saying, “We appreciate the overwhelming support… expressed by the global cyber community, industry, and government over the last 24 hours.”

The Near Miss That Got People Talking

This update came after a tense 24 hours that had cybersecurity pros across the globe on edge. On Tuesday, Barsoum issued a warning letter stating that MITRE’s funding was about to run dry and that the federal government had not committed to renewing the agreement.

Had the funding expired, MITRE warned, no new CVEs would be published, and eventually, the program’s online infrastructure—including the official website—would be taken offline. Legacy CVE data would still be accessible via GitHub, but the heartbeat of the vulnerability management system would’ve flatlined.

That near-miss spurred a much broader conversation about the fragility of a system the entire cyber defense world relies on.

CVE Foundation: A New Chapter in the Making

Right before CISA’s lifeline dropped, several members of the CVE Program Board revealed they had been quietly working on a backup plan—a CVE Foundation.

The new non-profit, announced in a public letter, aims to ensure the long-term sustainability, neutrality, and global stewardship of the CVE program, free from reliance on any single government.

“While government support has helped the CVE Program grow, its close ties to a single sponsor raised concerns,” the letter said. “A coalition of active CVE Board members has spent the past year developing a strategy to transition CVE to a dedicated foundation.”

Kent Landfield, one of the founding officers and a current CVE board member, put it bluntly: “CVE is too important to be vulnerable itself.” Without it, defenders around the world would be at a serious disadvantage, he warned.

The CVE Foundation’s mission? Build a resilient, community-driven, and globally trusted infrastructure for managing vulnerabilities—minus the single point of failure.

[Figure: Diagram showing MITRE, CISA, and the CVE Foundation branching from the CVE program]

So far, the Foundation hasn’t commented further, but said it plans to share more details in the coming days. CISA, for its part, declined to comment on the new group’s formation.

MITRE, however, seems open to collaboration, saying it plans to coordinate with “federal sponsors, the CVE Board, and the cybersecurity community on continued financial and community support” moving forward.
