{"id":2782,"date":"2025-04-16T15:07:50","date_gmt":"2025-04-16T15:07:50","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2782"},"modified":"2025-04-16T15:07:50","modified_gmt":"2025-04-16T15:07:50","slug":"cve-program-averts-swift-end-after-cisa-executes-11-month-contract-extension","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2782","title":{"rendered":"CVE program averts swift end after CISA executes 11-month contract extension"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p><em><strong>Important update April 16, 2025:\u00a0<\/strong>Since this story was first published, CISA signed a contract\u00a0extension that averts a shutdown of the MITRE CVE program.<\/em><\/p>\n<p><em>A CISA spokesperson sent CSO a statement saying, \u201cThe CVE Program is invaluable to cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners\u2019 and stakeholders\u2019 patience.\u201d Sources say the contract extension will last 11 months.<\/em><\/p>\n<p><em>Yosry Barsoum, vice president and director of the Center for Securing the Homeland at MITRE, commented: \u201cThanks to actions taken by the government, a break in service for the Common Vulnerabilities and Exposures (CVE\u00ae) Program and the Common Weakness Enumeration (CWE\u2122) Program has been avoided. As of Wednesday morning, April 16, 2025, CISA identified incremental funding to keep the Programs operational. We appreciate the overwhelming support for these programs that have been expressed by the global cyber community, industry, and government over the last 24 hours. 
The government continues to make considerable efforts to support MITRE\u2019s role in the program and MITRE remains committed to CVE and CWE as global resources.\u201d<\/em><\/p>\n<p><strong>April 15, 2025:<\/strong> In a stunning development that demolishes a cornerstone of cybersecurity defense, nonprofit R&amp;D organization MITRE said that its contract with the Department of Homeland Security (DHS) to maintain the Common Vulnerabilities and Exposures (CVE) database, which organizes computer vulnerabilities, will expire at midnight on April 16.<\/p>\n<p>Yosry Barsoum, vice president and director of the Center for Securing the Homeland at MITRE, wrote in a missive to the CVE board, \u201cOn Wednesday, April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE\u00ae) Program and related programs, such as the Common Weakness Enumeration (CWE\u2122) Program, will expire. The government continues to make considerable efforts to support MITRE\u2019s role in the program, and MITRE remains committed to CVE as a global resource.\u201d<\/p>\n<h2 class=\"wp-block-heading\">End of CVE program seen as \u2018tragic\u2019<\/h2>\n<p>Sasha Romanosky, senior policy researcher at the Rand Corporation, branded the end to the CVE program as \u201ctragic,\u201d a sentiment echoed by many cybersecurity and CVE experts reached for comment.<\/p>\n<p>\u201cCVE naming and assignment to software packages and versions are the foundation upon which the software vulnerability ecosystem is based,\u201d Romanosky said. \u201cWithout it, we can\u2019t track newly discovered vulnerabilities. We can\u2019t score their severity or predict their exploitation. And we certainly wouldn\u2019t be able to make the best decisions regarding patching them.\u201d<\/p>\n<p>Ben Edwards, principal research scientist at Bitsight, told CSO, \u201cMy reaction is sadness and disappointment. 
This is a valuable resource that should absolutely be funded, and not renewing the contract is a mistake.\u201d<\/p>\n<p>He added, \u201cI am hopeful any interruption is brief and that if the contract fails to be renewed, other stakeholders within the ecosystem can pick up where MITRE left off. The federated framework and openness of the system make this possible, but it\u2019ll be a rocky road if operations do need to shift to another entity.\u201d<\/p>\n<h2 class=\"wp-block-heading\">MITRE\u2019s CVE program foundational to cybersecurity<\/h2>\n<p>MITRE\u2019s <a href=\"https:\/\/www.cve.org\/\">CVE program<\/a> is a foundational pillar of the global cybersecurity ecosystem and is the de facto standard for identifying vulnerabilities and guiding defenders\u2019 vulnerability management programs. It provides foundational data to vendor products across vulnerability management, cyber threat intelligence, security information and event management, and endpoint detection and response.<\/p>\n<p>Although the National Institute of Standards and Technology (NIST) enriches the MITRE CVE records with additional information through its <a href=\"https:\/\/www.nist.gov\/itl\/nvd\">National Vulnerability Database<\/a> (NVD), and CISA has helped enrich MITRE\u2019s CVE records with its \u201c<a href=\"https:\/\/www.cisa.gov\/news-events\/news\/unlocking-vulnrichment-enriching-cve-data\">vulnrichment<\/a>\u201d program <a href=\"https:\/\/www.csoonline.com\/article\/2106228\/backlogs-at-national-vulnerability-database-prompt-action-from-nist-and-cisa.html\">due to funding shortfalls in the NVD program<\/a>, MITRE is the originator of the <a href=\"https:\/\/www.csoonline.com\/article\/562175\/what-is-cve-its-definition-and-purpose.html\">CVE records<\/a> and serves as the primary source for identifying security flaws.<\/p>\n<p>\u201cIf MITRE\u2019s funding goes away, it causes an immediate cascading effect that will impact vulnerability management on a global scale,\u201d Brian 
Martin, vulnerability historian, CSO of the Security Errata project, and former CVE board member, <a href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7318000614334943232\/\">wrote<\/a> on LinkedIn.<\/p>\n<p>\u201cFirst, the federated model and CVE Numbering Authorities (CNA) can no longer assign IDs and send info to MITRE for quick publication. Second, all of that is the foundation for the National Vulnerability Database (NVD), which is already beyond struggling, with a backlog of over 30,000 vulnerabilities and the recent announcement of over 80,000 \u2018deferred\u2019 (meaning will not be fully analyzed by their current standards).\u201d<\/p>\n<p>Martin added, \u201cThird, every company that maintains \u2018their own vulnerability database\u2019 that is essentially lipstick on the CVE pig will have to find alternate sources of intelligence. Fourth, national vulnerability databases like China\u2019s and Russia\u2019s, among others, will largely dry up (Russia more than China). Fourth [sic], hundreds, if not thousands, of National \/ Regional CERTs around the world, no longer have that source of free vulnerability intelligence. Fifth [sic], every company in the world that relied on CVE\/NVD for vulnerability intelligence is going to experience swift and sharp pains to their vulnerability management program.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Why is the contract ending?<\/h2>\n<p>It\u2019s unclear what led to DHS\u2019s decision to end the contract after 25 years of funding <a href=\"https:\/\/cyberscoop.com\/cve-program-history-mitre-nist-1999-2024\/\">the highly regarded<\/a> program. 
The Trump administration, primarily through Elon Musk\u2019s Department of Government Efficiency initiative, has been slashing government spending across the board, particularly at the Cybersecurity and Infrastructure Security Agency (CISA), through which DHS funds the MITRE CVE program.<\/p>\n<p>Although CISA has already been through two funding cuts, press reports suggest that nearly 40% of the agency\u2019s staff, or around 1,300 employees, <a href=\"https:\/\/therecord.media\/trump-administration-planning-workforce-cuts-at-cisa\">are still slated<\/a> for termination. However, sources say that compared to the budget cuts made elsewhere in the federal government, the expense of running the CVE program is minor and \u201cwon\u2019t break the bank.\u201d<\/p>\n<h2 class=\"wp-block-heading\">What happens next?<\/h2>\n<p>Sources close to the CVE program say that starting at midnight on April 16, MITRE will no longer add records to its CVE database. However, historical CVE records will be <a href=\"https:\/\/github.com\/CVEProject\">available on GitHub<\/a>.<\/p>\n<p>The real question is whether a private-sector alternative to MITRE\u2019s program emerges.<\/p>\n<p>\u201cIt\u2019s difficult to speculate on what services could be impacted reading the note from MITRE,\u201d Patrick Garrity, a security researcher at threat intelligence firm Vulncheck, told CSO. \u201cThe current vulnerability ecosystem is fragile after seeing NIST NVD\u2019s failure last year, and any impacts to the CVE Program could have detrimental impacts on defenders and the security community. 
VulnCheck remains committed to helping fill any gaps that might arise.\u201d<\/p>\n<p>Garrity <a href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7318000766122618881\/\">posted on LinkedIn<\/a>, \u201cGiven the current uncertainty surrounding which services at MITRE or within the CVE Program may be affected, VulnCheck has proactively reserved 1,000 CVEs for 2025,\u201d adding that Vulncheck \u201cwill continue to provide CVE assignments to the community in the days and weeks ahead.\u201d<\/p>\n<p>A CISA spokesperson told CSO, \u201cCISA is the primary sponsor for the Common Vulnerabilities and Exposure (CVE) program, which is used by government and industry alike to disclose, catalog, and share information on\u00a0technology vulnerabilities that can put the nation\u2019s critical infrastructure at risk.\u00a0 Although CISA\u2019s contract with the MITRE Corporation will lapse after April 16, we are\u00a0urgently\u00a0working to\u00a0mitigate impact and to maintain CVE services\u00a0on which global stakeholders rely.\u201d<\/p>\n<p><em>This article was originally published April 15, titled \u201cCVE program faces swift end after DHS fails to renew contract, leaving security flaw tracking in limbo.\u201d It has been updated to reflect the latest announcements about CVE.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Important update April 16, 2025:\u00a0Since this story was first published, CISA signed a contract\u00a0extension that averts a shutdown of the MITRE CVE program. A CISA spokesperson sent CSO a statement saying, \u201cThe CVE Program is invaluable to cyber community and a priority of CISA. 
Last night, CISA executed the option period on the contract to [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2780,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2782","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2782"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2782"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2782\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2780"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2782"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2782"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2782"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}