CISA extends CVE program contract with MITRE for 11 months amid alarm over potential lapse

The MITRE Corporation will continue operating the CVE program for at least another 11 months after federal cybersecurity officials confirmed that they temporarily extended their contract with the organization to keep the platform running. 

A spokesperson for the Cybersecurity and Infrastructure Security Agency (CISA) said on Wednesday morning that it exercised the option period of its contract with MITRE on Tuesday evening to “ensure there will be no lapse in critical CVE services.”

“The CVE Program is invaluable to the cyber community and a priority of CISA,” the spokesperson said. “We appreciate our partners’ and stakeholders’ patience.”

Federal contract documents show that CISA’s $57.8 million contract with MITRE expired on Wednesday but had an option to continue until March 16, 2026. CISA confirmed that the extension was for 11 months but did not respond to questions about what will happen after that date. 

Many in the cybersecurity community expressed alarm on Tuesday following a letter from Yosry Barsoum, MITRE’s vice president and director of the Center for Securing the Homeland, which warned that funding for the CVE program was expiring and the federal government appeared to have no intention to renew the contract.

A MITRE spokesperson told Recorded Future News that were the contract to lapse, no new CVEs would be added to the program and the CVE program website online would eventually cease. MITRE said historical CVE records will be available on GitHub.

The CVE program — which stands for Common Vulnerabilities and Exposures — is a foundational pillar of the cybersecurity system that countless cybersecurity vendors, governments and critical infrastructure organizations rely on for vulnerability identification.

The anxiety caused by the potential contract lapse kickstarted a larger conversation about the CVE program’s reliance on U.S. government funding. 

A letter from several CVE program board members, all of whom did not respond to requests for comment, was released berore the contract extension announcement saying a new organization, called the CVE Foundation, was being formally established to “ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program.”

“Since its inception, the CVE Program has operated as a U.S. government-funded initiative, with oversight and management provided under contract. While this structure has supported the program’s growth, it has also raised longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor,” the organization said. 

“In response, a coalition of longtime, active CVE Board members have spent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation. The new CVE Foundation will focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide.”

Kent Landfield, an officer of the foundation and a current CVE program board member, said the CVE is “too important to be vulnerable itself,” explaining that without it, defenders “are at a massive disadvantage against global cyber threats.”

The foundation said its creation was one step toward “eliminating a single point of failure in the vulnerability management ecosystem and ensuring the CVE Program remains a globally trusted, community-driven initiative.”

They also said the move represents an effort to establish a more international-focused governance of the threat landscape. The organization did not respond to requests for comment but said it will be releasing more information on its structure in the coming days. 

CISA declined to comment on the CVE Foundation letter.