Save our CVEs: CISA announces temporary Mitre funding extension

The Common Vulnerabilities and Exposures (CVE) Program has been brought back from the brink... for now.

Has the demise of the CVE program been greatly exaggerated? (Photo by Vishnu Mohanan on Unsplash)

On Wednesday, news broke that funding for Mitre's Common Vulnerabilities and Exposures (CVE) Program had been cut, putting a critical global cybersecurity resource at risk.

Now CISA has dramatically pulled the program back from the brink, announcing that it had extended its contract so vulnerabilities will continue to be shared with the world - but only for a limited amount of time.

Machine understands that CISA has extended the contract for 11 months, which means the scheme's future still remains in flux.

News of the funding cut was first announced on April 15, 2025, in a letter from the not-for-profit organisation Mitre to the CVE Board, warning that the US government would not be renewing the contract for managing the program.

The CVE Program was launched in 1999 to identify and catalogue publicly disclosed cybersecurity vulnerabilities in a standardised format. Its strategic direction is overseen by the Board, which includes members from industry, academia, and government.

Its defunding would have left the future of coordinated threat response hanging in the balance.

A CISA spokesperson told Machine: "The CVE Program is invaluable to the cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience."

Introducing the CVE Foundation

The 11-month reprieve came after CVE Board members joined forces to launch their own organisation: The CVE Foundation.

In its launch announcement, the foundation said it was "formally established to ensure the long-term viability, stability, and independence of the CVE Program, a critical pillar of the global cybersecurity infrastructure for 25 years."

Members have spent the past year working in stealth mode to develop a strategy for transitioning to a dedicated non-profit foundation.

"While we had hoped this day would not come, we have been preparing for this possibility," it wrote.

The new CVE Foundation will "focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide."

"CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself," said Kent Landfield, an officer of the Foundation. "Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work - from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats."

The cybersecurity community reacts...

A screenshot of one of CISA's latest security advisories, shared on April 15 - the day before its contract was due to expire

News of the imminent demise of the CVE program sent shockwaves through the security industry, which is now breathing a momentary sigh of relief after the last-minute sort-of-reprieve.

Adam Kahn, vice president of global security operations at Barracuda, told us: "This isn’t merely a bureaucratic oversight – it’s a seismic threat to global cybersecurity. The CVE program serves as the backbone of vulnerability coordination; without it, defenders fly blind and are left navigating a minefield without a map.

"While an extension may provide temporary relief, it is not a substitute for a sustainable solution. If we fail to secure the future of the CVE program, we risk transforming a vital pillar of digital defense into a significant vulnerability."

Glenn Weinstein, CEO at Cloudsmith, told Machine that the system was far from ideal, setting out his own suggestions on how to improve it.

"Software development teams at nearly every enterprise globally rely on the CVE system as a central organising principle for vulnerability identification and detection," Weinstein said. "They’re an important tool that we use to secure each organisation’s software supply chain.

"That said, CVEs aren’t the only thing to protect against, and the CVE system is generally imperfect and incomplete under the best circumstances. The various communities that are invested in software supply chain security have been augmenting CVEs with additional sources of vulnerability data, as well as enriching CVEs themselves with metadata.

"It’s grown into a complex information ecosystem. Honestly the best outcome here would be to find a way to maintain and invest in CVEs as a somewhat-centralized resource, and we expect a solution will emerge soon."

Speaking before news that the CVEs had been saved, Inesa Dagyte, Head of Information Security, Oxylabs, also said: "Unfortunately, the current situation with the CVE program financing might have a global impact on fundamental information security measures built by the US over many years. First, it will leave us all less aware and IT infrastructure - way more vulnerable to large-scale attacks from malicious actors and states.

"MITRE, CWE, and CVE are the core cybersecurity pillars, used by nearly all cybersecurity tools and the biggest enterprises to monitor and share information around known vulnerabilities. Without them, we lose invaluable data and the possibility of tracking new vulnerabilities. There is little incentive for companies to share information if there is no established process for tracking, verifying, and registering new vulnerabilities. MITRE and CVE acted as a common standard for global vulnerability management, and ditching it will have far-reaching implications.

"Is there a space for other registers to step in? Probably yes; and yet, it might bring chaos for quite some time, until a new ‘source of truth’ and authority will evolve instead of CVE and MITRE. This situation is very favorable for malicious actors to exploit. Hopefully, the creation of the CVE Foundation, which the public was informed of today, might secure the future of the CVE Program."

Shachar Menashe, VP of Security Research at JFrog, also told Machine: "The US government funding for MITRE's CVE program has expired. This is significant because in the short term, there could be delays in vulnerability disclosures and less standardised threat information being distributed across all industries, from financial services to critical infrastructure like healthcare. 

"Long-term, a sustained disruption could fragment global vulnerability management and hinder coordinated responses and fix times. Businesses should immediately diversify their threat intelligence sources and assess the resilience of their security tools. IT professionals should monitor alternative vulnerability flagging sources, such as OSV or GitHub Advisories, or even vendor-specific vulnerability trackers and prepare for potential disruptions in security tools reliant on standardised CVE data.

"The JFrog Software Supply Chain State of the Union 2025 Report revealed that many CVE severity scores don't reflect real-world exploitability. With 88% of Critical and 57% of High CVEs being less severe than reported, the challenge could be amplified by a decentralised CVE program. There are still many unknowns, and the industry’s response will continue to unfold in the coming days.”
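Menashe's advice above is to stop depending on a single advisory feed and to cross-reference CVE data with sources such as OSV, GitHub Advisories and vendor trackers. The script below is an added example, not code from the article or from any organisation quoted in it: it merges records from several feeds into one index keyed by CVE alias, so that an advisory published under different native IDs (a GHSA ID in one feed, a PYSEC ID in another) is recognised as the same flaw, and it lists which advisories would be lost if any one feed lapsed. The record shape (`id`, `aliases`, `affected[].package`) follows the OSV schema used by osv.dev and exported by GitHub Security Advisories; every advisory ID, CVE number, package name and feed name below is a constructed placeholder, not a real advisory.

```python
"""Merge vulnerability advisories from several feeds and key them by CVE alias.

Added example, not code from the article or from any organisation quoted in it.
The record shape (id, aliases, affected[].package) follows the OSV schema; all
IDs, CVE numbers and package names below are constructed placeholders.
"""
from collections import defaultdict


def canonical_key(record):
    """Return the CVE ID an advisory refers to, or its own ID if it has none.

    OSV-style records carry the feed's native ID in `id` and cross-references
    (CVE, GHSA, PYSEC, ...) in `aliases`. Different feeds use different native
    IDs for the same flaw, so the CVE number is the only stable join key; an
    advisory with no CVE yet stays keyed by its native ID.
    """
    candidates = [record["id"], *record.get("aliases", [])]
    cves = sorted(c for c in candidates if c.startswith("CVE-"))
    return cves[0] if cves else record["id"]


def merge_feeds(feeds):
    """Combine {source_name: [records]} into {key: {"ids", "sources", "packages"}}."""
    merged = defaultdict(lambda: {"ids": set(), "sources": set(), "packages": set()})
    for source, records in feeds.items():
        for record in records:
            entry = merged[canonical_key(record)]
            entry["ids"].add(record["id"])
            entry["ids"].update(record.get("aliases", []))
            entry["sources"].add(source)
            for affected in record.get("affected", []):
                pkg = affected.get("package", {})
                if "ecosystem" in pkg and "name" in pkg:
                    entry["packages"].add((pkg["ecosystem"], pkg["name"]))
    return dict(merged)


def single_source_entries(merged):
    """Advisories known to exactly one feed: these vanish if that feed lapses."""
    return {key: next(iter(entry["sources"]))
            for key, entry in merged.items() if len(entry["sources"]) == 1}


def advisories_for(merged, ecosystem, name):
    """All merged keys affecting one package, sorted for stable output."""
    return sorted(key for key, entry in merged.items()
                  if (ecosystem, name) in entry["packages"])


# Constructed sample feeds (placeholder IDs; not real advisories).
SAMPLE_FEEDS = {
    "osv": [
        {"id": "GHSA-aaaa-bbbb-cccc", "aliases": ["CVE-2025-00001"],
         "affected": [{"package": {"ecosystem": "PyPI", "name": "examplelib"}}]},
        {"id": "PYSEC-2025-0002", "aliases": ["CVE-2025-00002"],
         "affected": [{"package": {"ecosystem": "PyPI", "name": "otherlib"}}]},
        {"id": "GHSA-dddd-eeee-ffff", "aliases": [],  # no CVE assigned yet
         "affected": [{"package": {"ecosystem": "npm", "name": "widgetjs"}}]},
    ],
    "github": [
        {"id": "GHSA-aaaa-bbbb-cccc", "aliases": ["CVE-2025-00001"],
         "affected": [{"package": {"ecosystem": "PyPI", "name": "examplelib"}}]},
        {"id": "GHSA-gggg-hhhh-iiii", "aliases": ["CVE-2025-00002"],  # same flaw as PYSEC-2025-0002
         "affected": [{"package": {"ecosystem": "PyPI", "name": "otherlib"}}]},
        {"id": "GHSA-jjjj-kkkk-llll", "aliases": ["CVE-2025-00003"],
         "affected": [{"package": {"ecosystem": "npm", "name": "gadgetjs"}}]},
    ],
    "vendor": [  # a vendor-specific tracker, as the quote suggests monitoring
        {"id": "VENDOR-2025-0007", "aliases": ["CVE-2025-00003"],
         "affected": [{"package": {"ecosystem": "npm", "name": "gadgetjs"}}]},
    ],
}


if __name__ == "__main__":
    merged = merge_feeds(SAMPLE_FEEDS)
    for key, entry in sorted(merged.items()):
        print(f"{key}: sources={sorted(entry['sources'])} ids={sorted(entry['ids'])}")
    print("known to only one feed:", single_source_entries(merged))
    print("advisories for PyPI/otherlib:", advisories_for(merged, "PyPI", "otherlib"))
```

Run against real data, the feed lists would be populated from each source's export (for example an OSV JSON dump) rather than the constructed records above; the join logic is unchanged. The single-source report is the actionable part: entries that only one feed knows about are exactly the coverage you lose if that feed stops being maintained.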
