The Cybersecurity and Infrastructure Security Agency (CISA) extended its contract for the MITRE-backed Common Vulnerabilities and Exposures Program, a cornerstone cybersecurity program relied on worldwide, just hours before it was set to lapse. The 11-month extension ensures there will be no disruption in critical CVE services.
The CVE Program provides a standardized system for identifying and cataloging publicly known cybersecurity vulnerabilities, assigning unique identifiers to help security researchers, vendors, and officials communicate consistently about the same issue. Agencies like CISA regularly issue vulnerability alerts using CVE-standardized language.
Industry alarm was sparked earlier in the day when the non-profit organization behind the program warned of an imminent end to federal backing for the program. However, CISA confirmed that government funding needed to develop, operate, and maintain the flagship vulnerability cataloging program would lapse on Wednesday.
CISA’s spokesperson stated that the contract is “invaluable” to the cybersecurity community and an agency priority. The extension comes after a subset of the CVE Board announced plans to break off from the program, citing concerns about sustainability and neutrality.
Source: https://www.nextgov.com/cybersecurity/2025/04/cisa-extends-mitre-backed-cve-contract-hours-its-lapse/404601