The federal cybersecurity agency discloses it will ensure the funding continues to flow to the Common Vulnerabilities and Exposures (CVE) program.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) disclosed Wednesday it will ensure the funding continues to flow to the Common Vulnerabilities and Exposures (CVE) program.
Not-for-profit organization Mitre had said that federal funding would run out Wednesday for its role in operating the CVE program, a key system for vulnerability management that is utilized across both industry and the public sector.
The “current contracting pathway” for Mitre’s work on the CVE program had been set to expire Wednesday, potentially leading to a “deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure,” a Mitre executive told CVE board members in a letter.
[Related: 10 Major Ransomware Attacks And Data Breaches In 2024]
CISA released a statement Wednesday saying it will extend the funding for the CVE program, calling it “invaluable to the cyber community and a priority of CISA.”
“Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services,” the agency said in the statement.
A new organization, the CVE Foundation, has now been launched to “ensure the long-term viability, stability, and independence” of the CVE program, the organization said in a post.
The organization will “focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide,” the post said.
“Over the coming days, the Foundation will release more information about its structure, transition planning, and opportunities for involvement from the broader community,” the organization said in the post.
A statement from a Mitre executive applauded the CISA action Wednesday.
“Thanks to actions taken by the government, a break in service for the Common Vulnerabilities and Exposures (CVE) Program and the Common Weakness Enumeration (CWE) Program has been avoided,” said Yosry Barsoum, vice president and director for the Center for Securing the Homeland at Mitre, in the email statement.
By Wednesday morning, CISA had “identified incremental funding to keep the Programs operational,” Barsoum said in the statement. “We appreciate the overwhelming support for these programs that have been expressed by the global cyber community, industry, and government over the last 24 hours. The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE and CWE as global resources.”
