The US government’s cybersecurity agency CISA says there will be no lapse in critical CVE services provided by the MITRE Corporation.
Just hours after the MITRE Corporation warned that the expiration of federal funding for the CVE Program would cause major disruptions, CISA announced it has “executed the option period on the contract” to keep the vulnerability catalog operational.
“The CVE Program is invaluable to the cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience,” the agency said in a brief statement.
According to public documentation, the $29 million contract was awarded sole source to The MITRE Corporation because the government believes the CVE database curation is critical for industrial mobilization or is essential R&D work.
It is not quite clear the duration of the contract option or whether long-term funding is in the cards.
As the news reverberated through the cybersecurity industry, several new organizations emerged with promises to keep the CVE program operational.
The CVE program was created to catalog publicly disclosed cybersecurity vulnerabilities and is considered a vital part of the vulnerability disclosure and documentation process used by hackers, vendors, and organizations to share accurate and consistent information about cybersecurity risks. Maintained by MITRE Corporation, the CVE program is funded through multiple channels, including the U.S. government, industry partnerships, and international organizations.
On Tuesday, MITRE sounded a cautionary warning that funding uncertainties may lead to the disruption and “deterioration” of the CVE program.
In a letter to the CVE board, VP and Director at MITRE’s Center for Securing the Homeland Yosry Barsoum said the contract with the US government to manage the program was set to expire on April 16 with no word on funding moving forward.
“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, slowed vendor reaction, limited response operations, and all manner of critical infrastructure,” Barsoum said.
In tandem, the National Institute of Standards and Technology (NIST) continues to struggle to clear the growing backlog of CVEs in the official National Vulnerability Database (NVD).
According to NIST, while the National Vulnerability Database (NVD) is processing incoming CVEs at the same rate as before the slowdown in spring and early summer 2024, a 32 percent jump in submissions last year means that the backlog continues to grow.
“We anticipate that the rate of submissions will continue to increase in 2025,” the institute said, noting that it is exploring the use of AI and machine learning to automate certain processing tasks.
Related: MITRE Warns CVE Program Faces Disruption Over Funding Uncertainty
Related: NIST Struggling to Clear Vuln Submissions Backlog in NVD
Related: MITRE Updates List of 25 Most Dangerous Software Vulnerabilities
Related: MITRE Announces AI Incident Sharing Project
Related: CVE and NVD – A Weak and Fractured Source of Vulnerability Truth