U.S. Cybersecurity Agency Renews CVE Program Amid Transition Talks

In a critical last-minute effort just before a pivotal contract was set to expire on Tuesday night, the United States Cybersecurity and Infrastructure Security Agency (CISA) has renewed its funding for the renowned software-vulnerability-tracking initiative known as the Common Vulnerabilities and Exposures (CVE) Program. This program, managed by the nonprofit research-and-development organization MITRE, plays an essential role in global cybersecurity, offering invaluable data and services crucial for both digital defense and research efforts.
The governance of the CVE Program is overseen by a board that outlines objectives and priorities which MITRE executes using funding provided by CISA. A representative from CISA confirmed on Wednesday that the contract with MITRE has been extended for an additional 11 months. "The CVE Program is invaluable to the cyber community and represents a key priority for CISA," the spokesperson stated. "Last night, we executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate the patience of our partners and stakeholders during this time of uncertainty."
Yosry Barsoum, who serves as the vice president and director of the Center for Securing the Homeland at MITRE, emphasized the urgency of CISA's decision in a statement Wednesday. "CISA identified incremental funding to keep the Programs operational," he noted. However, as the deadline loomed, members of the CVE Program's board began crafting plans to transition the initiative into a new nonprofit entity known as the CVE Foundation.
The CVE Foundation's statement said: "Since its inception, the CVE Program has operated as a US government-funded initiative, with oversight and management provided under contract. While this structure has supported the program's growth, it has also raised long-standing concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor." This sentiment became increasingly pressing after an April 15, 2025, letter from MITRE, which indicated that the US government would not seek to renew its contract for managing the program. "While we had hoped this day would not come, we have been preparing for this possibility," the Foundation added.
Currently, it remains unclear which members of the existing CVE board are involved in the new initiative, aside from Kent Landfield, a seasoned cybersecurity professional quoted in the CVE Foundation's statement. The Foundation has not yet responded to requests for further comments.
When approached for clarification on the uncertainty surrounding the CVE Program's contract renewal and whether it was influenced by recent budget reductions initiated by the Trump administration, CISA did not provide a response to inquiries from WIRED.
Researchers and cybersecurity experts expressed relief on Wednesday, recognizing that the CVE Program had not abruptly ended amid the unpredictable landscape of US federal funding. Many observers also exhibited cautious optimism regarding the potential for the CVE Program to evolve into a more resilient entity, independent from reliance on any single government or funding source.
Patrick Garrity, a security researcher at VulnCheck, underscored the importance of the CVE Program, stating, "The CVE Program is critical, and it's in everyone's interest that it succeed. Nearly every organization and every security tool is dependent on this information, and it's not just the US. It's consumed globally. So it's really, really important that it continues to be a community-provided service, and we need to figure out what to do about this because losing it would pose a risk to everyone."
Federal procurement records indicate that the operational costs for running the CVE Program reach into the tens of millions of dollars per contract. However, experts contend that these expenses seem trivial when juxtaposed against the potential financial and security losses stemming from a single cyberattack exploiting unpatched software vulnerabilities.
Despite the last-minute funding provided by CISA, the long-term future of the CVE Program remains uncertain. As one source, who requested to remain anonymous due to their status as a federal contractor, articulated, "It's all so stupid and dangerous."