The Cybersecurity and Infrastructure Security Agency said it reached an agreement to renew funding for the Common Vulnerabilities and Exposures (CVE) program, the catalog the information security community relies on to identify and track software flaws.
The funding will be restored for a period of 11 months, according to officials familiar with the decision.
Mitre Corp. on Tuesday had warned that its funding to operate the CVE program would expire as of Wednesday. The government-funded program is a critical part of how the cybersecurity community keeps track of software flaws that are at risk of being exploited by adversaries, including criminal and state-linked threat groups.
The impending lapse was disclosed Tuesday in a letter to CVE board members and later confirmed to Cybersecurity Dive in a statement from Yosry Barsoum, vice president and director of the Center for Securing the Homeland at Mitre.
“On Wednesday, April 16, 2025, funding for Mitre to develop, operate, and modernize the Common Vulnerabilities and Exposures Program and related programs, such as the Common Weakness Enumeration Program, will expire,” Barsoum said in the statement before the funding agreement was reached. “The government continues to make considerable efforts to support MITRE's role in the program and MITRE remains committed to CVE as a global resource.”
The software industry rose up in protest Tuesday, fearing that a funding expiration could cripple a process that is already dealing with a massive backlog of disclosed vulnerabilities that have yet to be properly analyzed and remediated.
“The CVE Program is invaluable to the cyber community and a priority of CISA,” a CISA spokesperson told Cybersecurity Dive via email Wednesday. “Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services.”
Information security experts had warned Tuesday that a lapse in funding could cause massive delays in vulnerability disclosures and leave a wide window open for exploitation of software flaws.
“This would delay vulnerability disclosures and affect coordinated disclosure timelines,” said Tim Peck, senior threat researcher at Securonix. “Notes on patching and remediations could be delayed offering a greater window of time to attackers to engage in exploitation.”
It’s unclear what specifically took place between the original warning about the funding lapse from Mitre and CISA’s decision to restore the funding.