Trump administration decides to fund CVE cybersecurity tracker after all

The Common Vulnerabilities and Exposures (CVE) program will receive continued funding from the government. According to a statement provided to The Verge by US Cybersecurity and Infrastructure Agency (CISA) spokesperson Jared Auchey, the agency has exercised the option to extend the contract to ensure uninterrupted critical CVE services.

MITRE, the organization responsible for managing the CVE program, had previously warned that their contract was scheduled to expire on April 16th. The CVE program plays a crucial role for major companies such as Microsoft, Apple, Google, and Intel in identifying and monitoring cybersecurity vulnerabilities worldwide.

In response to the contract expiration, members of the CVE board have announced plans to transform the program into a nonprofit foundation. The focus will be on sustaining the delivery of top-quality vulnerability identification and ensuring the integrity of CVE data for global defenders.

Yosry Barsoum, MITRE’s vice president and director at the Center for Securing the Homeland, confirmed that the organization managed to avoid any disruption in service due to the government’s contract extension. He mentioned that additional funding was secured by CISA to sustain the program’s operations.

While the CVE Foundation has promised more information in the upcoming days, it remains uncertain whether the foundation will proceed now that the government has prolonged its contract with MITRE. The reasons for the delayed contract extension by CISA are unclear, but it coincides with ongoing budget cuts affecting various federal agencies.

Auchey emphasized the significance of the CVE Program to the cybersecurity community, stating that it remains a top priority for CISA. He expressed gratitude for the patience shown by partners and stakeholders during this period.

Update, April 16th: Added a statement from MITRE.