Trump administration decides to fund CVE cybersecurity tracker after all

The US government has decided to fund the Common Vulnerabilities and Exposures (CVE) cybersecurity tracker program after all.
The CVE program, which tracks cybersecurity vulnerabilities globally, was set to expire on April 16th due to its contract with MITRE expiring.
MITRE announced an initiative to make the CVE program a nonprofit foundation, focusing on delivering high-quality vulnerability identification and maintaining data integrity.
The government has renewed its contract with MITRE, ensuring no lapse in critical CVE services, despite a last-minute renewal amid funding cuts and job losses elsewhere in the federal government.
CISA spokesperson Jared Auchey emphasized the importance of the CVE program to the cyber community, stating it is a priority for CISA and appreciates partners’ patience during this transition.

The government will continue funding the Common Vulnerabilities and Exposures (CVE) program. In a statement to The Verge, US Cybersecurity and Infrastructure Agency (CISA) spokesperson Jared Auchey said it “executed the option period on the contract to ensure there will be no lapse in critical CVE services” last night.

On Tuesday, MITRE, the government-funded organization behind the CVE program, warned that its contract to continue managing the system was set to expire on April 16th. The CVE program is used by major companies like Microsoft, Apple, Google, and Intel to identify and track cybersecurity vulnerabilities around the globe.

In response, CVE board members announced an initiative to make the program a nonprofit foundation, saying it will “focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide.”

The CVE Foundation said it would share more details “over the coming days,” but it’s not clear whether it will continue now that the government has renewed its contract with MITRE. Though CISA doesn’t say why it waited so long to extend its contract, the last-minute renewal comes as DOGE continues to slash funding and cut jobs throughout the federal government.

“The CVE Program is invaluable to the cyber community and a priority of CISA,” Auchey said. “We appreciate our partners’ and stakeholders’ patience.”

link

Q. Why did the Trump administration decide to fund the CVE cybersecurity tracker?

A. The government decided to continue funding the CVE program after MITRE, the organization behind the program, warned that its contract was set to expire.

Q. What is the CVE program used for?

A. The CVE program is used by major companies like Microsoft, Apple, Google, and Intel to identify and track cybersecurity vulnerabilities around the globe.

Q. Who announced an initiative to make the CVE program a nonprofit foundation?

A. The CVE board members announced an initiative to make the program a nonprofit foundation.

Q. What was the purpose of the CVE Foundation’s announcement about sharing more details?

A. The CVE Foundation said it would share more details “over the coming days” but did not specify what those details would be.

Q. Why did CISA wait so long to extend its contract with MITRE?

A. It is not clear why CISA waited so long to extend its contract, but the last-minute renewal comes as the federal government continues to slash funding and cut jobs.

Q. What was the reaction of Jared Auchey, a spokesperson for US Cybersecurity and Infrastructure Agency (CISA)?

A. Auchey said that the CVE program is “invaluable to the cyber community and a priority of CISA” and expressed appreciation for partners’ and stakeholders’ patience.

Q. Who are some of the major companies that use the CVE program?

A. Some of the major companies that use the CVE program include Microsoft, Apple, Google, and Intel.

Q. What is the current status of the CVE contract with MITRE?

A. The CVE contract with MITRE was renewed after it expired on April 16th, but the details of the renewal are not yet clear.

Q. Why is the CVE program important to CISA?

A. According to Auchey, the CVE Program is “a priority of CISA” and is invaluable to the cyber community.