In an eleventh-hour scramble before a key contract was set to expire on Tuesday night, the United States Cybersecurity and Infrastructure Security Agency renewed its funding for the longtime software-vulnerability-tracking project known as the Common Vulnerabilities and Exposures Program. Managed by the nonprofit research-and-development group MITRE, the CVE Program is a linchpin of global cybersecurity—providing critical data and services for digital defense and research.
The CVE Program is governed by a board that sets an agenda and priorities for MITRE to carry out using CISA’s funding. A CISA spokesperson said on Wednesday that the contract with MITRE is being extended for 11 months. “The CVE Program is invaluable to the cyber community and a priority of CISA,” they said in a statement. “Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”
MITRE’s vice president and director of the Center for Securing the Homeland, Yosry Barsoum, said in a statement on Wednesday that “CISA identified incremental funding to keep the Programs operational.” With the clock ticking down before this decision came out, though, some members of the CVE Program’s board announced a plan to transition the project into a new nonprofit entity called the CVE Foundation.
“Since its inception, the CVE Program has operated as a US government-funded initiative, with oversight and management provided under contract. While this structure has supported the program’s growth, it has also raised long-standing concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor,” the Foundation wrote in a statement. “This concern has become urgent following an April 15, 2025, letter from MITRE notifying the CVE Board that the US government does not intend to renew its contract for managing the program. While we had hoped this day would not come, we have been preparing for this possibility.”
It is unclear who from the current CVE board is affiliated with the new initiative other than Kent Landfield, a longtime cybersecurity industry member who was quoted in the CVE Foundation statement. The CVE Foundation did not immediately return a request for comment.
CISA did not respond to questions from WIRED about why the fate of the CVE Program contract had been in question and whether it was related to recent budget cuts sweeping the federal government as mandated by the Trump administration.
Researchers and cybersecurity professionals were relieved on Wednesday that the CVE Program hadn’t suddenly ceased to exist as the result of unprecedented instability in US federal funding. And many observers expressed cautious optimism that the incident could ultimately make the CVE Program more resilient if it transitions to be an independent entity that isn’t reliant on funding from any one government or other single source.
“The CVE Program is critical, and it’s in everyone’s interest that it succeed,” says Patrick Garrity, a security researcher at VulnCheck. “Nearly every organization and every security tool is dependent on this information, and it’s not just the US. It’s consumed globally. So it’s really, really important that it continues to be a community-provided service, and we need to figure out what to do about this, because losing it would be a risk to everyone.”
Federal procurement records indicate that it costs in the tens of millions of dollars per contract to run the CVE Program. But in the scheme of the losses that can occur from a single cyberattack exploiting unpatched software vulnerabilities, experts tell WIRED, the operational costs seem negligible versus the benefit to US defense alone.
Despite CISA’s last-minute funding, the future of the CVE Program is still unclear for the long term. As one source, who requested anonymity because they are a federal contractor, put it: “It’s all so stupid and dangerous.”
