CVE program gets last-minute funding from CISA – and maybe a new home
Uncertainty is the new certainty
In an 11th-hour reprieve, the US government last night agreed to continue funding the globally used Common Vulnerabilities and Exposures (CVE) program.
This comes after the Feds decided not to renew their long-standing contract with nonprofit research hub MITRE to operate the CVE database. That arrangement was due to expire today, but now the money's coming through to continue the crucial service.
"The CVE program is invaluable to the cyber community and a priority of CISA," a spokesperson for the US Cybersecurity and Infrastructure Security Agency, aka CISA, told The Register Wednesday.
"Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience."
Also in response to long-standing concerns and fresh uncertainty triggered by MITRE yesterday disclosing that federal support was about to end, CVE board members – who guide the direction of the program – today announced the formation of a non-profit foundation.
This new CVE Foundation will "focus solely" on ultimately continuing the program's work of naming and tracking vulnerabilities, and maintaining the database of product security flaws, we're told.
"The formation of the CVE Foundation marks a major step toward eliminating a single point of failure in the vulnerability management ecosystem and ensuring the CVE program remains a globally trusted, community-driven initiative," a statement by the oversight body said.
"Over the coming days, the foundation will release more information about its structure, transition planning, and opportunities for involvement from the broader community."
That single point of failure right now is Uncle Sam. CVE has become the world's de facto system for identifying and squashing vulnerabilities in technology products, and it is reliant on federal funding at a time when the Feds are trimming costs, threatening allies, and evaporating America's soft power.
The 25-year-old program serves as the single source of truth for everyone — companies, developers, governments, researchers — working on vulnerability management. While MITRE operates it, the CVE program is sponsored, and largely funded, by CISA, under the umbrella of the US Department of Homeland Security. MITRE has received roughly $30 million since 2023 from Homeland Security to run CVE and associated programs.
News broke yesterday that the program's funding would expire today, and this sparked a great deal of outrage and concern about who or what would fill the impending void in vulnerability management. According to the newly established foundation, it's vital that the CVE program isn't reliant on a government contract to continue:
Since its inception, the CVE program has operated as a US government-funded initiative, with oversight and management provided under contract. While this structure has supported the program's growth, it has also raised longstanding concerns among members of the CVE board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor.
This concern has become urgent following an April 15, 2025 letter from MITRE notifying the CVE board that the US government does not intend to renew its contract for managing the program. While we had hoped this day would not come, we have been preparing for this possibility.
Now that CISA has extended the contract with MITRE to operate the program for the next 11 months, we wonder what the new foundation's next steps will be. The Register reached out to the organization about this and other questions regarding the org's members and how its funding will work, and we will update this story if or when we hear back.
Judging from the community response, there is still at least some momentum to detach CVE from Uncle Sam, as well as questions over how MITRE and Uncle Sam got to this point.
"The announcement by MITRE Corporation that Homeland Security and CISA were not renewing the contract came to many as a complete surprise," said CVE board member Peter Allor, who indicated MITRE knew this day was coming.
"Evidently this situation was known by the three parties for nearly a month."
He added that "it is time for change" to come to the program, and that includes two things.
"First is that the US government needs to move this out from their sole funding and control for this global and collective problem regarding vulnerabilities and the enumeration of records," Allor wrote.
"Second, the way CISA has not been straight and truthful with the program and notably to the CVE board. This was a game of chicken on who pays."
And despite the continued funding, it looks like the chaos isn't over quite yet.
"The announcement of potential disruption that came out yesterday caused a lot of thrash in a lot of circles, and has ultimately already put a dent in confidence in the CVE process, and several alternative government agencies outside of the USA, as well as a handful of vendors, have already signaled their intention to step up," Bugcrowd founder Casey Ellis told The Register.
"The challenge this creates is split-standards, which work in opposition to the entire purpose of programs like CVE: Creating a single reference-able data key on a per vulnerability basis."
US-based MITRE, meanwhile, sounded jubilant, and thanked the infosec world for its support during this almost-crisis.
"Thanks to actions taken by the government, a break in service for the Common Vulnerabilities and Exposures (CVE) program and the Common Weakness Enumeration (CWE) Program has been avoided," MITRE veep Yosry Barsoum told us, adding:
As of Wednesday morning, April 16, 2025, CISA identified incremental funding to keep the programs operational. We appreciate the overwhelming support for these programs that has been expressed by the global cyber community, industry, and government over the last 24 hours. The government continues to make considerable efforts to support MITRE's role in the program and MITRE remains committed to CVE and CWE as global resources.
As for where the foundation fits in with MITRE, that appears to be a TBD.
"MITRE remains committed to our nation's cybersecurity and we will work with our federal sponsors, the CVE board, and the cybersecurity community on considerations for continued financial and community support of the CVE program," a spokesperson said separately. ®