CISA to continue supporting the CVE Program after contract delay scare
- Marijan Hassan - Tech Journalist
- Apr 23
In a dramatic 11th-hour reversal, the U.S. government has agreed to continue funding the Common Vulnerabilities and Exposures (CVE) program — the critical backbone of global cybersecurity vulnerability tracking — after fears of an imminent shutdown due to contract delays.

The Cybersecurity and Infrastructure Security Agency (CISA) confirmed late Tuesday night that it had renewed its contract with MITRE, the non-profit that operates the CVE program. “The CVE program is invaluable to the cyber community and a priority of CISA,” a spokesperson said. “We executed the option period on the contract to ensure there will be no lapse in critical CVE services.”
The announcement came just hours before the program's funding was set to expire on Wednesday, April 16, threatening to disrupt a 25-year-old system relied upon by developers, researchers, companies, and governments worldwide.
What is the CVE program?
Originally launched in 1999, the CVE program provides a standardized system for assigning and cataloging security vulnerabilities in software and hardware. Tracking, patching, and communicating those vulnerabilities would be significantly harder without the CVE system.
MITRE had warned earlier in the week that its funding from the U.S. Department of Homeland Security was ending, and that no new contract had yet been approved. The notice sparked alarm throughout the cybersecurity community, with some warning that the loss of the CVE system could sow confusion and inefficiency in the global effort to identify and fix software flaws.
The start of a new era: CVE Foundation
Although the emergency renewal has staved off immediate disruption, the scare has prompted deeper changes. In response to growing concern over the CVE program’s reliance on U.S. government funding, board members have announced the formation of a new non-profit: the CVE Foundation.
This new foundation will “focus solely” on maintaining and evolving the CVE program independent of any single government entity. “The formation of the CVE Foundation marks a major step toward eliminating a single point of failure in the vulnerability management ecosystem,” the CVE oversight board said in a statement. “It ensures the CVE program remains a globally trusted, community-driven initiative.”
Details on the foundation’s governance, funding model, and transition plan are expected in the coming days. The announcement was welcomed by cybersecurity professionals who have long argued for a more resilient and distributed stewardship model.