MITRE Warns of CVE Funding Crisis as Contract Expires April 16



CISA announced on April 16th via their official website that they had executed the option period on the CVE Program contract to prevent any lapse in critical services, stating:

“The CVE Program is invaluable to the cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”


 

CVE and CWE Programs Face Critical Disruption Amid Government Contract Lapse

Today marks a potentially devastating turning point in global cybersecurity coordination, as funding for the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) programs—cornerstones of vulnerability tracking—officially expires.

According to a letter sent by MITRE Vice President Yosry Barsoum to CVE Board members, the U.S. Department of Homeland Security (DHS) has not yet renewed or extended the contract under which MITRE operates these programs.

“On Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire,” Barsoum stated.

The warning has triggered alarm across the cybersecurity industry, as CVE is the global backbone for tracking security vulnerabilities, and any service disruption could cripple national and international threat intelligence, vulnerability management, and incident response operations.

Letter to CVE Board (Tib3rius)

The CVE program, launched in 1999, provides a shared language and framework for identifying, labeling, and tracking vulnerabilities across all platforms and sectors.

MITRE also acts as the Primary CVE Numbering Authority (CNA) and oversees dozens of CNAs globally that assign CVEs to newly discovered vulnerabilities.

