April 17, 2025

US CISA extends MITRE CVE, CWE programs with last-minute contract extension, prevents shutdown

In an eleventh-hour move, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) ensured that the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) programs did not lapse. The MITRE Corporation will continue operating the CVE program for at least another 11 months, after federal cybersecurity officials confirmed that they had temporarily extended their contract with the organization to keep the platform running.

In a LinkedIn message posted Wednesday, CISA wrote, “The CVE Program is invaluable to the cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”

Confirming the CVE extension, Yosry Barsoum, vice president and director at MITRE’s Center for Securing the Homeland, wrote in an emailed statement, “Thanks to actions taken by the government, a break in service for the Common Vulnerabilities and Exposures (CVE) Program and the Common Weakness Enumeration (CWE) Program has been avoided. As of Wednesday morning, April 16, 2025, CISA identified incremental funding to keep the Programs operational.”

Barsoum said that he appreciates the overwhelming support for these programs that has been expressed by the global cyber community, industry, and government over the last 24 hours.

He added that the government continues to make considerable efforts to support MITRE’s role in the program, and MITRE remains committed to CVE and CWE as global resources.

Now marking its 25th anniversary, the CVE Program continues to play a vital role in global cybersecurity by identifying, defining, and cataloging publicly disclosed vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered, then assigned and published by organizations globally that have partnered with the CVE Program. Partners publish CVE Records to communicate consistent descriptions of vulnerabilities. Cybersecurity professionals use CVE Records to ensure they are discussing the same issue and to coordinate their efforts to prioritize and address the vulnerabilities.

The cybersecurity community raised concerns on Tuesday following a letter from Barsoum, which cautioned that funding for the CVE and CWE programs was nearing expiration and the federal government had not indicated plans to renew the contract.

Commenting on the development, Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, wrote in an emailed statement that MITRE’s CVE program being extended is fantastic news, although fewer last-minute reprieves would be welcome. “But I’m glad it is being funded. Now the question is — is it being funded at the same level, less, or even better? Because the program has always had a ton of deficiencies for years that the community has been hoping could be improved. That program has been existing on a shoestring budget for years, hanging on by a thread, ready to collapse in usefulness at any minute.”

“MITRE leaders have been begging for more private funding for years,” Grimes highlighted. “This isn’t a type of program where the program leaders should be begging for funding. It should be fully funded, correctly resourced, and able to do a superb job for its mission. It’s an incredibly valuable resource, and the entire cybersecurity community wants to know if it will be given the attention and funding it has always needed for the seriousness of its mission.”

He added that it is great to hear it’s being extended, but the devil is in the details. “I hope we can all go to sleep better at night knowing that it is not only getting extended, but will actually be improved and become the service it should have always been…so that the program’s leaders can do less begging for funding and more managing and improving the program.”

Source: https://industrialcyber.co/news/us-cisa-extends-mitre-cve-cwe-programs-with-last-minute-contract-extension-prevents-shutdown/
