After sending shockwaves through the cybersecurity community on Tuesday night, CISA yesterday announced it has extended its contract with the MITRE-based CVE programme.
After a major backlash from the cybersecurity community, US government funding for the nonprofit research organisation MITRE to maintain and develop its critical CVE database of cyber vulnerabilities was extended yesterday.
In a letter leaked Tuesday night on social media, MITRE VP Yosry Barsoum warned of the potential harms that would be caused by a break in service. The Cybersecurity and Infrastructure Security Agency (CISA), whose parent agency funds the contract, initially confirmed that the contract was ending.
MITRE maintains and develops the Common Vulnerabilities and Exposures (CVE) database, which aims to identify, define and catalogue publicly disclosed cyber weaknesses, and is widely used by IT administrators to quickly identify the various bugs and hacks that are uncovered every day.
Yesterday (April 16), CISA announced it would be extending the contract for now.
“The CVE program is invaluable to the cybercommunity and a priority of CISA. Last night, CISA executed the option period on the contract to ensure that there will be no lapse in critical CVE services,” read the short statement on the CISA website. “We appreciate our partners’ and stakeholders’ patience.”
The announcement from CISA came just hours after a group from the CVE Board had announced the creation of the CVE Foundation to ensure the future of the CVE. Many in the community were relieved to see that there is a back-up plan, should the current US administration ever pull funding in the future.
“The CVE Foundation has been formally established to ensure the long-term viability, stability and independence of the Common Vulnerabilities and Exposures (CVE) Program, a critical pillar of the global cybersecurity infrastructure for 25 years,” the foundation announced in a press statement on its new website. The foundation was set up by “a coalition of longtime, active CVE Board members”, it said. It is unknown which board members form part of the new foundation, but we do know that Kent Landfield is one of the group, as he is quoted in their official statement.
The CVE Foundation statement said that there had been concern at board level for some time that such a critical resource was dependent on government funding, and that the board had been working for over a year to put an alternative plan in place to secure the future of the CVE.
That very concern was vindicated when, on 15 April, a letter from MITRE notified the CVE Board that the government did not intend to renew its contract for managing the programme, before a last-minute U-turn saw the contract extended.
“A coalition of longtime, active CVE Board members have spent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation,” the foundation statement read. “The new CVE Foundation will focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide.
“CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” said Landfield, an officer of the foundation. “Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work – from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats.”
It remains to be seen whether the foundation will still be needed now that CISA has announced the extension. The last-minute reprieve has done little to reassure many in the community.
“This isn’t merely a bureaucratic oversight – it’s a seismic threat to global cybersecurity,” said Adam Khan, VP of global security operations at cybersecurity company Barracuda. “While the extension may provide temporary relief, it is not a substitute for a sustainable solution. If we fail to secure the future of the CVE program, we risk transforming a vital pillar of digital defense into a significant vulnerability.”
He explained why this is such a critical issue: “The CVE program serves as the backbone of vulnerability coordination; without it, defenders fly blind and are left navigating a minefield without a map.”
Crystal Morin, former US Air Force intelligence analyst and current cybersecurity strategist at Sysdig, says the whole incident was extremely disruptive for security professionals.
“The near-instant global outcry from the security community over leaked documentation of US government funding cuts to MITRE’s support of the CVE program underscores just how deeply people depend on it,” she said. “But now that the dust has settled and the threat of loss is behind us, for now, it’s much more obvious that the now-infamous letter felt more performative than productive.
“While it did prove the worldwide importance of MITRE’s support to the community – and went down to the wire as every good security story should – the impact on security teams was huge,” she added.
“It took them away from the real work of security. Some spent hours dissecting the situation and preparing for its potentially negative impact on their organisations, and it pulled them away from the real work of protecting systems and people.”
We have reached out to the new CVE Foundation to see where they go from here, and we’ll keep our readers updated.