{"id":15924,"date":"2026-03-09T18:16:01","date_gmt":"2026-03-09T18:16:01","guid":{"rendered":"https:\/\/newestek.com\/?p=15924"},"modified":"2026-03-09T18:16:01","modified_gmt":"2026-03-09T18:16:01","slug":"cve-program-funding-secured-easing-fears-of-repeat-crisis","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15924","title":{"rendered":"CVE program funding secured, easing fears of repeat crisis"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

The Cybersecurity and Infrastructure Security Agency and the MITRE Corporation have renegotiated the contract supporting the 26-year-old Common Vulnerabilities and Exposures Program in a way that eliminates the looming expiration that triggered panic across the security community in 2025.<\/p>\n

According to sources, the program appears to have moved from a discretionary funding item to a protected line in CISA\u2019s budget, a structural change that could prevent the kind of dramatic crisis that threatened the system last year.<\/p>\n

For roughly a day in 2025, the program that underpins vulnerability management tools, threat intelligence platforms, and patch management systems worldwide appeared headed for an abrupt shutdown. The cybersecurity world was blindsided when MITRE disclosed that its contract with the US Department of Homeland Security to operate the program was set to expire with no renewal in place.<\/p>\n

CISA ultimately stepped in at the last minute,<\/a> issuing an emergency 11-month contract extension that kept the system running but left the global security community bracing for another funding cliff this spring.<\/p>\n

Nearly a year later, that stopgap has been replaced by what sources describe as a more durable arrangement. The CVE board was informed<\/a> during its Jan. 21, 2026, meeting that there would be \u201cno funding cliff in March\u201d and that \u201congoing operations and planning extend well beyond that timeframe,\u201d according to meeting minutes later made public.<\/p>\n

In a statement, Nick Andersen, acting director of CISA, told CSO, \u201cUnder CISA\u2019s leadership and sponsorship, the CVE program is fully funded and has continually evolved and modernized to support the global vulnerability ecosystem.\u201d Jordan Graham, a spokesperson for MITRE, said in a statement that \u201cMITRE, in support of CISA, is committed to CVE as a critical global resource.\u201d<\/p>\n

From afterthought to protected program<\/h2>\n

For longtime vulnerability disclosure advocates, the most important shift may not be the renewal itself but how the funding is structured.<\/p>\n

Pete Allor \u2014 a CVE board member, veteran cybersecurity professional, and co-founder of the CVE Foundation<\/a> \u2014 said the program historically competed with other initiatives for leftover funds within CISA\u2019s budget.<\/p>\n

\u201cWhat I understand changed is we went from, \u2018Hey, out of anything that\u2019s left over, can we fund the CVE program along with a few other things?\u2019 to above that line \u2014 it will be funded,\u201d Allor said. \u201cThat\u2019s a huge change.\u201d<\/p>\n

In practical terms, that shift appears to elevate the vulnerability cataloging program from a discretionary item that could be squeezed out by competing priorities into a core operational program.<\/p>\n

The improved funding outlook has also prompted the CVE Foundation \u2014 created during last year\u2019s uncertainty to explore alternative governance models \u2014 to reassess its next steps. \u201cWhy wrestle the horse to the ground when I can use it bridled?\u201d Allor said.<\/p>\n

Transparency questions remain<\/h2>\n

Despite the apparent funding stability, the contract itself remains largely opaque \u2014 even to members of the CVE board.<\/p>\n

A source close to the CVE program, who requested anonymity to preserve working relationships with CISA and MITRE, described the agreement as reassuring but lacking transparency.<\/p>\n

\u201cIt\u2019s a mystery contract with a mystery number that has been agreed to and passed,\u201d the source said. \u201cThe good news is people don\u2019t have to worry. But now that they don\u2019t have to worry, now is the time to ask the hard questions.\u201d<\/p>\n

Those questions include how the program will be modernized, how its performance will be measured, and whether its governance structure should evolve.<\/p>\n

In his statement to CSO, CISA\u2019s Andersen said, \u201cCISA, in collaboration with the global cybersecurity community, is committed to enhancing data quality, modernizing infrastructure and services, improving governance processes with more diverse representation, among other lines of effort.\u201d<\/p>\n

One CVE board member has repeatedly requested access to the MITRE-CISA contract at successive board meetings, according to people familiar with the discussions. MITRE has declined those requests, citing legal protections around the agreement between the two organizations. A separate Freedom of Information Act request for the contract has also gone unanswered.<\/p>\n

\u201cIf you\u2019re saying you\u2019re doing it for the public good and the greater good, it\u2019s incumbent upon you to say how you are measuring good,\u201d Allor said. \u201cThat\u2019s an open question, and it can\u2019t be secret.\u201d<\/p>\n

The CVE board itself \u2014 expanded to 24 members in recent years \u2014 functions largely as an advisory body, while MITRE retains final decision-making authority over program operations.<\/p>\n

Global alternatives begin to emerge<\/h2>\n

The near-collapse of the CVE program last year triggered a wave of contingency planning across the cybersecurity ecosystem.<\/p>\n

The CVE Foundation began exploring governance models that would reduce reliance on a single US government funding source. At the same time, the European Union Agency for Cybersecurity began developing its own vulnerability identification framework<\/a>, which has since launched<\/a>.<\/p>\n

An ENISA spokesperson said the agency remains committed to the CVE ecosystem but does not have visibility into the program\u2019s funding arrangements. \u201cENISA is part of the CVE Program and remains committed to contributing to the global CVE community and supporting coordinated vulnerability management,\u201d the agency said in a statement.<\/p>\n

Private-sector organizations also took steps to hedge against potential disruption. Vulnerability intelligence firm VulnCheck, for example, reserved blocks<\/a> of CVE identifiers to ensure continuity if the numbering system faltered.<\/p>\n

Even with the funding scare resolved, those efforts are unlikely to disappear. Structural concerns about governance and long-term independence continue to drive interest in complementary or alternative systems.<\/p>\n

Some European stakeholders, in particular, remain uneasy about a critical piece of global cybersecurity infrastructure depending on a single US government contract.<\/p>\n

\u201cThere are some European people who don\u2019t want to point their technical data directly at a US-funded government thing,\u201d the source familiar with the CVE program said. Discussions have reportedly begun about potentially amending the EU\u2019s Cyber Resilience Act<\/a> to reference an identifier managed by ENISA rather than CVE.<\/p>\n

Allor said he expects CISA to expand its international engagement around the program in the coming months in response to those concerns. \u201cI think there are countries within the EU, and I know of at least three countries external to the EU that were complaining about it,\u201d he said. \u201cI think the folks at CISA heard that loudly.\u201d<\/p>\n

Last September, CISA outlined its \u201cvision\u201d for the CVE program, pledging to strengthen international partnerships and improve representation of governments and organizations outside the United States \u2014 a signal of renewed commitment following last year\u2019s scare.<\/p>\n

A warning the industry won\u2019t forget<\/h2>\n

Even as the immediate funding crisis fades, the institutional environment surrounding CISA remains unsettled. The agency has faced budget cuts, leadership turnover, and staff reductions<\/a>, and it has gone more than a year without a Senate-confirmed director<\/a>.<\/p>\n

For now, however, the vulnerability catalog that serves as the cybersecurity industry\u2019s common language remains funded and operational.<\/p>\n

But the events of last year revealed how dependent the global security ecosystem has become on a single US government contract \u2014 and sparked a broader debate about whether the governance and funding of such critical infrastructure should be more transparent, more international, and less fragile.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

The Cybersecurity and Infrastructure Security Agency and the MITRE Corporation have renegotiated the contract supporting the 26-year-old Common Vulnerabilities and Exposures Program in a way that eliminates the looming expiration that triggered panic across the security community in 2025. According to sources, the program appears to have moved from a discretionary funding item to a protected line in CISA\u2019s budget, a structural change that could… <\/p>\n

Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15924","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15924","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15924"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15924\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15924"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15924"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15924"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}