Vulnerability Management, Governance, Risk and Compliance

CISA funds CVE program in the 11th hour of contract with MITRE

A speaker presents at the MITRE Corporation in Bedford, Mass. (Air Force)

Editor's note: This is a breaking news story and will be updated as details emerge. (Update: 11:10 a.m. Pacific.)

After a 24-hour period of high anxiety for the cybersecurity industry at the prospect of losing the CVE program, the Cybersecurity and Infrastructure Security Agency (CISA) said April 16 it plans on funding the highly valued program for the next 11 months.

CISA issued the following statement: “The CVE Program is invaluable to the cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”

The MITRE Corporation, a federally funded nonprofit organization, is tasked with overseeing the Common Vulnerabilities and Exposures (CVE) Program that identifies, assigns and discloses cybersecurity vulnerabilities that the security industry depends on to coordinate remediation.

Yosry Barsoum, MITRE's vice president and director of its Center for Securing the Homeland, issued a statement thanking the federal government for avoiding a break in CVE service, adding that CISA identified incremental funding for the program.

"We appreciate the overwhelming support for these programs that have been expressed by the global cyber community, industry, and government over the last 24 hours," Barsoum said. "The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE and CWE as global resources.”

Last-minute reprieve alarms security professionals

Even with the last-minute saving by CISA of the CVE program, many in the cybersecurity community expressed concern that the program’s reputation was damaged and worried how well the program can function in the future.

“The fact that a critical piece of cyber infrastructure came down to the wire like this highlights a systemic issue in how we're prioritizing and managing vulnerabilities, both at the system-level and in terms of funding support,” said Casey Ellis, founder at cybersecurity firm Bugcrowd.

Ellis added that the announcement of potential disruption that came out yesterday caused a lot of “thrash” around the industry, and has already put a dent in confidence in the CVE process. Ellis noted that several government agencies outside of the U.S., as well as a handful of vendors, have already expressed their intention to step up.

“The challenge this creates is split-standards, which work in opposition to the entire purpose of programs like CVE: creating a single reference-able data key on a per-vulnerability basis,” said Ellis.

Roger Grimes, a data-driven defense evangelist for security awareness training firm KnowBe4, said it was "fantastic to hear that MITRE's CVE program is being extended," but questioned whether the program would receive the same level of funding, saying it's been deficient for years.

"This isn't a type of program where the program leaders should be begging for funding," said Grimes in an email to SC Media. "It should be fully funded, correctly resourced, and able to do a superb job for its mission. It's an incredibly valuable resource and the entire cybersecurity community wants to know if it will be given the attention and funding it has always needed for the seriousness of its mission."

MITRE said earlier this month that it would be laying off some 442 staff after the Trump administration's Department of Government Efficiency (DOGE) canceled more than $28 million in MITRE contracts, according to the publication Virginia Business.

The threat to the CVE program came weeks after the National Institute of Standards and Technology (NIST) announced that it was no longer reviewing CVEs from before 2018 as it faces a potential layoff of at least 500 probationary employees from the Trump administration.

Jason Soroko, a senior fellow at Sectigo, added that the recent layoffs at MITRE could lead to serious disruptions in the CVE ecosystem.

With fewer personnel to manage the vast influx of vulnerability reports, Soroko said there’s likely to be a delay in processing and publishing new CVE entries, which means organizations may not receive timely information, slowing down patch development and leaving systems vulnerable for longer periods.

The rigor of vulnerability vetting may also suffer, Soroko continued, resulting in potential gaps in quality control and inconsistencies in how vulnerabilities are assessed and documented, which can confuse incident response efforts across sectors.

Finally, Soroko said that dependence on a single large contributor that acts as a centralized authority, such as MITRE, means that any hiccup in its operations undermines the credibility and reliability of the entire vulnerability management process, potentially eroding trust among key industry stakeholders.

“To address these challenges and make the process less fragile, there’s a need for the cybersecurity community to reimagine how vulnerability data is managed,” said Soroko. “One approach is to develop a more decentralized model where commercial industry players, government bodies, academic institutions, and open-source communities collaborate to more evenly share the responsibility of vulnerability tracking.”

Darren Guccione, co-founder and CEO at Keeper Security, said the recent CVE funding scare comes at a time when cyber threats are growing in both volume and sophistication.

“Nation-state actors — particularly from China, Russia, Iran and North Korea — continue to engage in persistent cyberespionage and disruption campaigns against U.S. interests,” said Guccione. “And, ransomware gangs and cybercriminal syndicates exploit known vulnerabilities to steal, extort, and disrupt organizations. Now’s the time for our government to invest in cybersecurity programs and solutions that increase our nation’s readiness and resilience.”

Word that the CVE program could come to an end sent shockwaves throughout the industry, prompting many security pros to explain the program's importance.

Carolyn Crandall, CMO at AirMDR, called CVE identifiers the “Rosetta Stone” for security teams around the globe.

“They enable everyone to speak the same language when tracking threats and prioritizing patches,” said Crandall. “Without this universal standard, we’d see vendors defaulting to their own naming conventions, which creates chaos and confusion.”

And, Emma Zaballos, a senior researcher at CyCognito, said that the CVE program functions as a critical cybersecurity resource that's an essential part of many organizations' processes and workflows.

Zaballos pointed out that CVEs are not just critical for identifying bugs, they help security teams more effectively prioritize their work. She said because more than 80% of cyberattacks come from external attack vectors, CVEs are the critical first step in identifying the routes that cybercriminals take.

"We use CVEs as a building block when we identify, assess and prioritize vulnerabilities in customer data, and we directly use their APIs to help respond to emerging threats quickly," said Zaballos. "This is a critical resource for us and our customers."

Can a separate foundation ensure the CVE mission carries on?

In addition to the reversal, a group calling itself "the CVE Foundation" announced April 16 that it was being formally established "to ensure the long-term viability, stability and independence of the Common Vulnerabilities and Exposures (CVE) Program."

The group stated in its announcement that members of the CVE board had longstanding concerns about the sustainability and neutrality of a single government sponsor for the CVE Program; MITRE's April 15 announcement that its contract was expiring reinforced those concerns.

The CVE Foundation is years in the making, according to the release, and "focuses solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide."

“CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” said Kent Landfield, an officer of the foundation. “Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work — from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats.”

SC Media Managing Editor Stephen Weigand contributed to this report.