Date: 2025-04-17

In a dramatic turn of events, the US Cybersecurity and Infrastructure Security Agency (CISA) has stepped in to save the Common Vulnerabilities and Exposures (CVE) Program from potential disruption, announcing an 11-month contract extension just in time. The move has breathed new life into the critical vulnerability tracking initiative, ensuring its continued operation and averting a potentially disastrous disruption to the global cybersecurity landscape.

On April 15, the cybersecurity community discovered, in a letter signed by Yosry Barsoum, vice president of MITRE, a US-based non-profit, that the US government was not going to renew the organization’s contract to manage the CVE and Common Weakness Enumeration (CWE) programs. The contract was set to expire on April 16.

The CWE program is a companion initiative to the CVE program, providing a standardized catalog of software weaknesses and vulnerabilities that can be used to understand and mitigate the root causes of the vulnerabilities identified by CVE. MITRE has been running both programs for 25 years, helping the security community manage and mitigate software vulnerabilities, while providing critically important information to power threat intelligence, detection and response, and other products.

A publication based in the US state of Virginia, Virginia Business, reported that MITRE said earlier this month that it would be laying off some 442 staff after the Trump administration's Department of Government Efficiency (DOGE) canceled more than $28m in MITRE contracts.

An 11-Month Extension to MITRE’s CVE and CWE Contract

On April 16, a CISA spokesperson announced that the agency had exercised the option period of its contract with MITRE to "ensure there will be no lapse in critical CVE services."

"The CVE Program is invaluable to the cyber community and a priority of CISA. We appreciate our partners' and stakeholders' patience," the spokesperson added.

CISA's official statement confirming MITRE's contract extension for the CVE program. Source: US Cybersecurity and Infrastructure Security Agency