
CVE program gets last-minute funding from CISA – and maybe a new home

(2025/04/16)


In an 11th-hour reprieve, the US government last night agreed to continue funding the globally used Common Vulnerabilities and Exposures (CVE) program.

This comes after the Feds decided not to renew their long-standing contract with nonprofit research hub MITRE to operate the CVE database. That arrangement was due to expire today, but now the money's coming through to continue the crucial service.

"The CVE program is invaluable to the cyber community and a priority of CISA," a spokesperson for the US Cybersecurity and Infrastructure Security Agency, aka CISA, told The Register Wednesday.


"Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience."


Also in response to long-standing concerns and [4]fresh uncertainty triggered by MITRE yesterday disclosing that federal support was about to end, CVE board members today announced the formation of a nonprofit foundation.

This new CVE Foundation will "focus solely" on ultimately continuing the program's work of naming and tracking vulnerabilities, and maintaining the database of product security flaws, we're told.


"The formation of the CVE Foundation marks a major step toward eliminating a single point of failure in the vulnerability management ecosystem and ensuring the CVE program remains a globally trusted, community-driven initiative," a [6]statement by the oversight body said.

"Over the coming days, the foundation will release more information about its structure, transition planning, and opportunities for involvement from the broader community."

That single point of failure right now is Uncle Sam. CVE has become the world's de facto system for identifying and squashing vulnerabilities in technology products, and it is reliant on federal funding at a time when the Feds are trimming costs, threatening allies, and evaporating America's soft power.


The 25-year-old program serves as the single source of truth for everyone — companies, developers, governments, researchers — working on vulnerability management. While MITRE operates it, the CVE program is [8]sponsored, and largely [9]funded, by CISA, under the umbrella of the US Department of Homeland Security. MITRE has received roughly $30 million since 2023 from Homeland Security to run CVE and associated programs.

News broke yesterday that the program's funding would expire today, and this sparked a great deal of outrage and concern about who or what would fill the impending void in vulnerability management. According to the newly established foundation, it's vital that the CVE program isn't reliant on a government contract to continue:

Since its inception, the CVE program has operated as a US government-funded initiative, with oversight and management provided under contract. While this structure has supported the program's growth, it has also raised longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor.

This concern has become urgent following an April 15, 2025 letter from MITRE notifying the CVE board that the US government does not intend to renew its contract for managing the program. While we had hoped this day would not come, we have been preparing for this possibility.

Now that CISA has extended the contract with MITRE to operate the program for the next 11 months, we wonder what the new foundation's next steps will be. The Register reached out to the organization about this and with other questions regarding the org's members and how its funding will work, and we will update this story if or when we hear back.

Judging from the community's response, however, it seems the momentum to wrest CVE from the Feds hasn't lessened.

"The announcement by MITRE Corporation that Homeland Security and CISA were not renewing the contract came to many as a complete surprise," [10]said CVE board member Peter Allor in a LinkedIn post. "Evidently this situation was known by the three parties for nearly a month."

[11]Uncle Sam turns off funding for CVE program. Yes, that CVE program

[12]MITRE fighter says CVE delays are no laughing matter, names bug ROFL in branding protest

[13]NIST's security flaw database still backlogged with 17K+ unprocessed bugs. Not great

[14]As CISA braces for more cuts, threat intel sharing takes a hit

He added that "it is time for change" to come to the program, and that includes two things.

"First is that the US Government needs to move this out from their sole funding and control for this Global and collective problem regarding vulnerabilities and the enumeration of records," Allor wrote. "Second, the way CISA has not been straight and truthful with the program and notably to the CVE Board. This was a game of chicken on who pays."

And despite the continued funding, it looks like the chaos isn't over quite yet.

"The announcement of potential disruption that came out yesterday caused a lot of thrash in a lot of circles, and has ultimately already put a dent in confidence in the CVE process, and several alternative government agencies outside of the USA, as well as a handful of vendors, have already signaled their intention to step up," Bugcrowd founder Casey Ellis told The Register.

"The challenge this creates is split-standards, which work in opposition to the entire purpose of programs like CVE: Creating a single reference-able data key on a per vulnerability basis."

US-based MITRE, meanwhile, sounded jubilant, and thanked the infosec world for its support during this almost-crisis.

"Thanks to actions taken by the government, a break in service for the Common Vulnerabilities and Exposures ([15]CVE) program and the Common Weakness Enumeration ([16]CWE) Program has been avoided," MITRE veep Yosry Barsoum told us, adding:

As of Wednesday morning, April 16, 2025, CISA identified incremental funding to keep the programs operational. We appreciate the overwhelming support for these programs that have been expressed by the global cyber community, industry, and government over the last 24 hours. The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE and CWE as global resources.

As for where the foundation fits in with MITRE, that appears to be a TBD.

"MITRE remains committed to our nation’s cybersecurity and we will work with our federal sponsors, the CVE board, and the cybersecurity community on considerations for continued financial and community support of the CVE program," a spokesperson said separately. ®





[4] https://www.theregister.com/2025/04/16/homeland_security_funding_for_cve/


[6] https://www.thecvefoundation.org/


[8] https://www.cisa.gov/known-exploited-vulnerabilities#:~:text=The%20CVE%20Program%20is%20sponsored,catalog%20publicly%20disclosed%20cybersecurity%20vulnerabilities.

[9] https://www.usaspending.gov/award/CONT_AWD_70RCSJ23FR0000015_7001_70RSAT20D00000001_7001

[10] https://www.linkedin.com/feed/update/urn:li:activity:7318246468492943364/

[11] https://www.theregister.com/2025/04/16/homeland_security_funding_for_cve/

[12] https://www.theregister.com/2016/05/25/mitre_fighter_deploys_name_logo_website_combo_in_cve_plea/

[13] https://www.theregister.com/2024/10/02/cve_pileup_nvd_missed_deadline/

[14] https://www.theregister.com/2025/04/08/cisa_cuts_threat_intel/

[15] https://cve.mitre.org/

[16] https://cwe.mitre.org/




Doctor Syntax

I think I see a bit of smart manoeuvring on the part of MITRE here. Careful application of pressure and all that. Well done.

It's only an 11-month contract extension

Dan 55

So in less than a year, everyone will be running round with their hair on fire again.

Perhaps it's time that the somewhat unfortunately abbreviated [1]European Union Vulnerability Database takes on a bigger role?

[1] https://euvd.enisa.europa.eu/

Re: It's only an 11-month contract extension

alain williams

That is fine - plenty of time to get things in order that it does not depend on the USA.

One of the biggest problems with what Trump has been doing is that the time between announcement and implementation has been so short. Allowing a decent amount of time allows for a non-panic transition. What is a "decent" time will depend on what we are talking about.

This is not to say that some/most of what he has done has been ghastly.

Anonymous Coward

> the US government last night agreed to continue funding the globally used Common Vulnerabilities and Exposures (CVE) program.

That's today. Nobody knows what tomorrow will bring... *sigh*

Chaotic fu**wit continues to cause chaos.

John Smith 19

Just as the gullibles who voted for him should have expected.

Perhaps there is room for cooperation between the US and EU? or a US operation jointly funded through an industry trade body?

All to save less than $30m/PA to bump up the co-Prez's tax cut.

What a greedy little piggy Leon is.

Re: Leon

MiguelC

Do you mean Leon, the un professional
