The US government has extended funding for the crucial Common Vulnerabilities and Exposures (CVE) program. The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed the funding extension and has ensured its continued operation without interruption. This announcement follows a recent warning issued by MITRE Vice President Yosry Barsoum , who stated that government funding for the CVE and its related CWE programs was set to expire, potentially causing significant disruption across the cybersecurity industry. MITRE, a non-profit organisation, maintains the widely adopted CVE program , which provides a standardised way to identify, define, and catalogue publicly disclosed cybersecurity vulnerabilities . The program is funded by the US National Cyber Security Division of the Department of Homeland Security (DHS).
In a statement to Bleeping Computer, the U.S. cybersecurity agency said: “The CVE Program is invaluable to the cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience.”
The confirmation comes after Barsoum warned: “If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.”
CVE board establishes new non-profit to secure program independence
Before CISA’s announcement, several CVE board members introduced the CVE Foundation , a non-profit organisation aimed at maintaining the CVE program's independence following MITRE's caution that the U.S. government might not renew its contract to manage the program.
In a press release, the CVE board members said: “Since its inception, the CVE Program has operated as a US government-funded initiative, with oversight and management provided under contract. While this structure has supported the program's growth, it has also raised longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor.”
Over the past year, the team behind the launch has been developing a strategy to transition the program to a dedicated foundation, aiming to eliminate “a single point of failure in the vulnerability management ecosystem” and ensure "the CVE Program remains a globally trusted, community-driven initiative."
Although the CVE Foundation is expected to share more details on its transition planning soon, its next steps remain unclear, particularly since CISA confirmed that funding for MITRE's contract has been extended.
In a statement to Bleeping Computer, the U.S. cybersecurity agency said: “The CVE Program is invaluable to the cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience.”
The confirmation comes after Barsoum warned: “If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.”
CVE board establishes new non-profit to secure program independence
Before CISA’s announcement, several CVE board members introduced the CVE Foundation , a non-profit organisation aimed at maintaining the CVE program's independence following MITRE's caution that the U.S. government might not renew its contract to manage the program.
In a press release, the CVE board members said: “Since its inception, the CVE Program has operated as a US government-funded initiative, with oversight and management provided under contract. While this structure has supported the program's growth, it has also raised longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor.”
Over the past year, the team behind the launch has been developing a strategy to transition the program to a dedicated foundation, aiming to eliminate “a single point of failure in the vulnerability management ecosystem” and ensure "the CVE Program remains a globally trusted, community-driven initiative."
Although the CVE Foundation is expected to share more details on its transition planning soon, its next steps remain unclear, particularly since CISA confirmed that funding for MITRE's contract has been extended.
You may also like
'China wants to meet': US President Donald Trump makes big claim as trade war intensifies with Beijing
'Why are you insulting Hindus?': BJP slams K'taka govt during Janakrosh Yatra
Calcutta HC reserves order on central forces in violence-hit Murshidabad; TMC claims situation under control
Is '₹7 crore net worth' the new Indian middle class? Reddit post sparks debate on the changing social hierarchy
Brits call for new driving licence rules to limit drivers to 50 miles from home
