The MITRE Corporation said on Tuesday that its stewardship of the CVE program — which catalogs all public cybersecurity vulnerabilities — may be ending this week because the federal government has decided not to renew its contract with the nonprofit. The CVE program was launched in 1999 and has been run by MITRE with funding from the National Cyber Security Division of DHS' Cybersecurity and Infrastructure Security Agency (CISA). “The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE as a global resource,” Barsoum added. A spokesperson for MITRE said they have been working with government representatives at the Department of Homeland Security (DHS) for several weeks to find a way to move forward with the CVE program. The CVE program — which stands for Common Vulnerabilities and Exposures — is a foundational pillar of the cybersecurity system that countless cybersecurity vendors, governments and critical infrastructure organizations rely on for vulnerability identification. “Although CISA’s contract with the MITRE Corporation will lapse after April 16, we are urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely,” a spokesperson for CISA said. A MITRE spokesperson said once the contract lapses, no new CVEs will be added to the program and the CVE program website online will eventually cease. MITRE is one of the most respected organizations in the cybersecurity field and supports multiple U.S. agencies involved in defense, healthcare, aviation and more. Casey Ellis, founder of cybersecurity firm Bugcrowd, said CVE underpins a huge chunk of vulnerability management, incident response and critical infrastructure protection efforts.
This Cyber News was published on therecord.media. Publication date: Wed, 16 Apr 2025 00:05:18 +0000