The Cybersecurity and Infrastructure Security Agency (CISA) has extended its contract with the MITRE Corporation to operate the Common Vulnerabilities and Exposures (CVE) program for an additional 11 months.
This move follows significant concern from the cybersecurity community over a potential lapse in the program’s operations due to funding uncertainty.
The $57.8 million contract expired on April 16, 2025, but included an option to extend through March 16, 2026.
A CISA spokesperson confirmed the extension, stating, “The CVE Program is invaluable to the cyber community and a priority of CISA. We appreciate our partners’ and stakeholders’ patience.”
The agency said the decision was made “to ensure there will be no lapse in critical CVE services.”
MITRE’s Vice President and Director of the Center for Securing the Homeland, Yosry Barsoum, noted, “CISA identified incremental funding to keep the Programs operational. We appreciate the overwhelming support for these programs that have been expressed by the global cyber community, industry, and government.”
CVE Foundation created
Amid the funding concerns, several CVE board members announced the creation of a “CVE Foundation”.
The group said the foundation would provide long-term stability and independence from government funding.
In the released notice, the foundation said its creation was one step toward “eliminating a single point of failure in the vulnerability management ecosystem and ensuring the CVE Program remains a globally trusted, community-driven initiative.”
In response to questions about the CVE Foundation, an MITRE spokesperson said they plan to work with “federal sponsors, the CVE Board, and the cybersecurity community on considerations for continued financial and community support of the CVE Program.”
About Author
