CISA extends MITRE’s CVE program for 11 months

CISA has extended MITRE’s contract to operate the CVE program for 11 months, ensuring continuity of vulnerability tracking services. Meanwhile, a new non-profit CVE Foundation has been established to support the program’s long-term sustainability and global governance.


The US Cybersecurity and Infrastructure Security Agency (CISA) has extended its contract with the MITRE Corporation to continue operating the Common Vulnerabilities and Exposures (CVE) program for an additional 11 months. The decision was made one day before the existing contract was set to expire.

A CISA spokesperson confirmed that the agency exercised the option period in its $57.8 million contract with MITRE to prevent a lapse in CVE services. The contract, which was originally due to conclude on April 17, includes provisions for optional extensions through March 2026.

‘The CVE Program is invaluable to the cyber community and a priority of CISA,’ the spokesperson stated, expressing appreciation for stakeholder support.

Yosry Barsoum, vice president of MITRE and director of its Center for Securing the Homeland, said that CISA identified incremental funding to maintain operations.

He noted that MITRE remains committed to supporting both the CVE and CWE (Common Weakness Enumeration) programs, and acknowledged the widespread support from government, industry, and the broader cybersecurity community.

The extension follows public concern raised earlier this week after Barsoum issued a letter indicating that program funding was at risk of expiring without renewal.

MITRE officials noted that, in the event of a contract lapse, the CVE program website would eventually go offline and no new CVEs would be published. Historical data would remain accessible via GitHub.

Launched in 1999, the CVE program serves as a central catalogue for publicly disclosed cybersecurity vulnerabilities. It is widely used by governments, private sector organisations, and critical infrastructure operators for vulnerability identification and coordination.

Amid recent uncertainty about the program’s future, a group of CVE Board members announced the formation of a new non-profit organisation — the CVE Foundation — aimed at supporting the long-term sustainability and governance of the initiative.

In a public statement, the group noted that while US government sponsorship had enabled the program’s growth, it also introduced concerns around reliance on a single national sponsor for what is considered a global public good.

The CVE Foundation is intended to provide a neutral, independent structure to ensure continuity and community oversight.

The foundation aims to enhance global governance, eliminate single points of failure in vulnerability management, and reinforce the CVE program’s role as a trusted and collaborative resource. Further information about the foundation’s structure and plans is expected to be released in the coming days.

CISA did not comment on the creation of the CVE Foundation. A MITRE spokesperson indicated the organisation intends to work with federal agencies, the CVE Board, and the cybersecurity community on options for ongoing support.
