{"id":800,"date":"2025-04-16T15:01:41","date_gmt":"2025-04-16T15:01:41","guid":{"rendered":"https:\/\/www.techrepublic.com\/?p=4302130"},"modified":"2025-04-16T15:01:41","modified_gmt":"2025-04-16T15:01:41","slug":"possible-national-security-crisis-averted-cisas-reversal-extends-support-for-cve-database","status":"publish","type":"post","link":"https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/04\/16\/possible-national-security-crisis-averted-cisas-reversal-extends-support-for-cve-database\/","title":{"rendered":"Possible National Security Crisis Averted: CISA\u2019s Reversal Extends Support for CVE Database"},"content":{"rendered":"
\"Visualization
Image: CROCOTHERY\/Adobe Stock<\/figcaption><\/figure>\n

The nonprofit organization MITRE, which maintains the Common Vulnerabilities and Exposures (CVE) database, said on April 15 that the US government funding for its operations will expire without renewal; however, in a last-minute reversal announced the morning of April 16, CISA said it has extended support for the database<\/a>. At the same time, CVE Board members have founded the CVE Foundation, a nonprofit not affiliated with the US federal government, to maintain the CVE program.<\/p>\n

The CVE program, which has been in place since 1999, is an essential way to report and track vulnerabilities. Many other cybersecurity resources, such as Microsoft\u2019s Patch Tuesday<\/a> update and report, refer to CVE numbers to identify flaws and fixes. Organizations called CVE Numbering Authorities are associated with MITRE and authorized to assign CVE numbers.<\/p>\n

\u201cCVE underpins a huge chunk of vulnerability management, incident response, and critical infrastructure protection efforts,\u201d wrote Casey Ellis, founder of crowdsourced cybersecurity hub Bugcrowd, in an email to TechRepublic. \u201cA sudden interruption in services has the very real potential to bubble up into a national security problem in short order.\u201d<\/p>\n

<\/span>Funds were expected to run out on MITRE without renewal<\/span><\/h2>\n

A letter sent to CVE board members<\/a> began circulating on social media on Tuesday.<\/p>\n

\u201cCurrent contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire,\u201d said the letter from Yosry Barsoum, vice president and director of the Center for Securing the Homeland, a division of MITRE.<\/p>\n

CWE is Common Weakness Enumeration, the list of hardware and software weaknesses.<\/p>\n

\u201cThe government continues to make considerable efforts to continue MITRE\u2019s role in support of the program,\u201d Barsoum wrote.<\/p>\n

MITRE is traditionally funded by the Department of Homeland Security.<\/p>\n

DOWNLOAD: Protect your company with our premade and customizable network security policy<\/a>. <\/strong><\/p>\n

MITRE did not respond to TechRepublic\u2019s questions about the cause of the expiration or what cybersecurity professionals can expect next.<\/p>\n

The foundation has not specified whether the cut in funding is related to the widespread cull by the Department of Government Efficiency (DOGE).<\/p>\n

<\/span>CVE Foundation has been laying the groundwork for a new system for the past year<\/span><\/h2>\n

Prior to CISA\u2019s announcement, an independent foundation said they were prepared to step in to continue the CVE program. The CVE Foundation is a nonprofit dedicated to maintaining the CVE submission program and database.<\/p>\n