After an abrupt notice of the end of funding for the Common Vulnerabilities and Exposures (CVE) program caused a small panic in the cybersecurity world, it appears that a contract extension option exercised by CISA will keep it safe at least until March 2026. Beyond that, its future is very uncertain.
The non-profit MITRE Corporation (MITRE) has run the CVE program since 1999, and for most of its history it has drawn nearly all of its funding from a Department of Homeland Security contract that expired on April 16. With no word from the current government on intent to continue support for it, and a general federal budget slashing spree underway, the MITRE board has been left discussing ways to decouple the program from the US government and make it more independent.
CVE program caught in wide-ranging round of budget cuts
Recent public contract details indicate that the US government spends about $57.8 million annually on the CVE program. The board appears to have been anticipating political instability and budget cuts even during the Biden administration, indicating that they have been planning for about a year to reorganize the program so that it is backed by other sources and not dependent on one nation for its function.
But exactly how it will be funded after March 2026 remains up in the air. The board has said that it will soon release more details about this reorganization plan, which would see MITRE transition the CVE program to a new entity called the CVE Foundation. It remains unknown if it will seek private funding of some sort; another possibility is seeking funding from a collection of European governments.
Future of CVE program remains unclear
A lack of funding could bring to a halt not only the CVE program but also its partner “Common Weakness Enumeration” program. All of the existing work is likely safe on GitHub regardless of what happens, but new documentation would cease. MITRE has seen over 440 employees cut from its payroll this year already, largely due to the Trump administration’s broad budget cuts across the federal government.
Continued US funding past 2026 is far from off the table, however, as the CVE program has wide bipartisan support and is seen as a very important component of national security. The federal government makes regular use of the CVE database, including for public advisories on emerging threats, which is why it is a little surprising to see it apparently neglected by the current administration.
The administration’s treatment of CISA thus far also does not inspire optimism. Trump seemed to take particular issue with the organization, which he views as a partisan force that worked against his re-election by labeling posts from his supporters as “disinformation” and working with social media platforms to suppress them. The administration is reportedly weighing a cut of 1,300 employees from CISA and terminating relationships with 40% of its contractors.
MITRE may also look to AI to reduce costs and bolster labor, as NIST has done. NIST has adopted some AI assistance tools for processing its growing backlog of National Vulnerability Database CVE entries, on which it has been falling behind since last year as volume has drastically increased.