MITRE avoids CVE program shutdown with last-minute contract extension. Questions remain about long-term funding and the future of vulnerability tracking.
MITRE’s role in managing the CVE (Common Vulnerabilities and Exposures) program will continue, thanks to a last-minute contract extension confirmed this week. While the immediate risk of disruption has been avoided, the situation raised concerns about the long-term stability of the program and how critical infrastructure like CVE is supported going forward.
A Last-Minute Reprieve
On April 15, MITRE sent a letter to CVE Board members warning that its current contract to manage CVE and related efforts such as CWE (Common Weakness Enumeration) would expire the next day, April 16, 2025. In the letter, MITRE VP Yosry Barsoum wrote:
“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.”
The letter, which was posted publicly on BlueSky and quickly circulated across the infosec community, added that while the government was making “considerable efforts” to maintain support, no long-term contract had been secured at that point.
By April 16, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) stepped in, announcing that MITRE would continue operating the CVE program under an extended agreement. That move has provided temporary relief, but uncertainty still lingers over the program’s future structure and funding model.
Why CVE Matters
For anyone unfamiliar, CVE IDs are unique identifiers for publicly known cybersecurity vulnerabilities. They serve as a shared reference point for security teams, software vendors, researchers, and government agencies worldwide. Without them, the global cybersecurity ecosystem would lack consistency in how vulnerabilities are named, tracked, and addressed.
Saeed Abbasi, Manager of Vulnerability Research at Qualys Threat Research Unit, put it plainly: “These public databases offer the cybersecurity community a common language for risk and an unprecedented level of cohesiveness and clarity. As such, they have been invaluable in helping everyone maintain higher levels of security. We believe in the power of these entities and their great work.”
Saeed vowed full support to MITRE both on a personal and company level, adding, “That is why Qualys is committed to supporting MITRE and the wider security community, and we are actively collaborating with industry partners to identify and pursue sustainable funding options that will help maintain MITRE’s vital work.”
From Government Program to Independent Entity?
Prior to the contract extension, some CVE board members floated the idea of spinning off the CVE initiative into a nonprofit foundation, essentially detaching it from its government contract and giving it a more independent and sustainable operating model.
According to the CVE Foundation’s letter, that idea is still in discussion, though the immediate crisis may have bought some time for further planning. However, this isn’t the first time the community has expressed concern about the fragility of such an essential system being tied to federal contracting cycles. Critics argue that a single point of failure, such as a delayed or dropped contract, shouldn’t be able to threaten global vulnerability disclosure coordination.
What’s Next?
Now that MITRE’s contract has been extended for 11 months, the CVE program isn’t facing an immediate threat. Still, the situation has prompted useful conversations about how essential cybersecurity infrastructure is supported and whether current funding models are sustainable.
We’ll likely see more industry involvement and interest from both the public and private sectors as people look at how to strengthen the program long term. The bigger question going forward is whether this moment will lead to a more stable setup, one that doesn’t rely so heavily on short-term fixes.