Following a wave of security-pro support, nonprofit org Mitre announced today that its Common Vulnerabilities and Exposures (CVE) program has funding—for now, at least.
“The CVE site will not be going down today,” Mitre media spokesperson Lisa Fasold told IT Brew on April 16.
The news arrives after a government memo this week put the fate of one of cybersecurity’s most valuable resources—a massive catalog of existing software flaws often called the CVE—into question.
An internal message to a CVE board member, revealed on April 15, stated that the contracting path for the program would expire on April 16.
“Thanks to actions taken by the government, a break in service for the Common Vulnerabilities and Exposures (CVE) Program and the Common Weakness Enumeration (CWE) Program has been avoided. As of Wednesday morning, April 16, 2025, CISA identified incremental funding to keep the Programs operational,” Yosry Barsoum, VP and director for the Center for Securing the Homeland at Mitre, shared in an emailed statement with us.
What exactly is “incremental,” and can security pros be assured that the site will remain months from now? Fasold referred the question to CISA.
“The CVE Program is invaluable to the cyber community and a priority of CISA. Last night [April 15], CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience,” CISA External Affairs Specialist Antonio Soliz shared in an email with IT Brew.
Publications have reported that the contract extension between CISA and Mitre extends for 11 months.
“We and the government are both actively working to keep the program going. We realize its value to the cyber community, and it definitely has enough support from the cyber community overall to keep going,” Fasold told us.
What is the CVE? The CVE Program, launched in 1999, identifies and enumerates publicly disclosed cybersecurity vulnerabilities. Security professionals can submit a vulnerability; Mitre assigns it a number if the find is, in fact, a flaw. The CVE records often link to relevant advisories and additional mitigation resources.
“Any organization that cares about security globally is consuming CVE information, as it’s a common way to talk about a vulnerability,” Patrick Garrity, security researcher at VulnCheck, told IT Brew.
There are currently over 275,000 CVE records.
The CVE program also supports CVE Numbering Authorities (CNAs)—vendors, researchers, and bug bounty providers that assign CVE IDs within their own specific coverage scopes.
Former CISA director Jen Easterly thinks of the CVE as cybersecurity’s Dewey Decimal System. In an April 15 LinkedIn note, Easterly wrote that without the database “everyone is using a different catalog or no catalog at all.”
Fasold said the enthusiasm of security pros played a role in continued funding.
“We all realize how important it is to the industry and not just to the cyber community, but basically our national security, to our military, to academia, to every part of the critical infrastructure to keep CVE going,” Fasold said.