MITRE CVE Program Funding at Risk

- The CVE program has been primarily funded by the U.S. Department of Homeland Security (DHS) through the Cybersecurity and Infrastructure Security Agency (CISA). - In April 2025, a letter from MITRE Vice President Yosry Barsoum was leaked, revealing that the government contract to operate the CVE and Common Weakness Enumeration (CWE) programs was set to expire on April 16, 2025. - Following widespread concern from the cybersecurity community, CISA executed an 11-month contract extension at the last minute to avoid a lapse in services, ensuring funding until approximately March 2026. - The contract that was at risk of expiring was valued at approximately $29 million to $40 million, awarded to MITRE to manage and modernize the CVE program. - In response to the funding instability, a coalition of CVE Board members established the non-profit CVE Foundation to ensure the long-term viability and independence of the program, aiming to diversify its funding sources beyond a single government sponsor. - A disruption in the CVE program could lead to significant delays in vulnerability disclosures, hinder the ability of organizations to prioritize patching, and negatively impact the functionality of security tools that rely on CVE data. - This was not the first instance of the CVE program's budget being left in a state of uncertainty until the last minute, raising long-standing concerns among board members about the sustainability of being tied to a single government contract. - CISA has since released a roadmap acknowledging its leadership role and commitment to modernizing the CVE program, which includes exploring diversified funding mechanisms and expanding community partnerships.