
MITRE warns of lapse with CVE program as contract with US set to expire

The MITRE Corporation said on Tuesday that its stewardship of the CVE program — which catalogs all public cybersecurity vulnerabilities — may be ending this week because the federal government has decided not to renew its contract with the nonprofit.

Yosry Barsoum, MITRE’s vice president and director of the Center for Securing the Homeland, told Recorded Future News in a statement that on Wednesday, April 16, funding to “develop, operate, and modernize the [CVE] Program and related programs, such as the Common Weakness Enumeration (CWE) Program, will expire.”

A MITRE spokesperson said that once the contract lapses, no new CVEs will be added to the program and the CVE program website will eventually go offline. MITRE said historical CVE records will remain available on GitHub.

The CVE program — which stands for Common Vulnerabilities and Exposures — is a foundational pillar of the cybersecurity system that countless cybersecurity vendors, governments and critical infrastructure organizations rely on for vulnerability identification.

“The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE as a global resource,” Barsoum added. 

A spokesperson for MITRE said they have been working with government representatives at the Department of Homeland Security (DHS) for several weeks to find a way to move forward with the CVE program.

The CVE program was launched in 1999 and has been run by MITRE with funding from the National Cyber Security Division of DHS' Cybersecurity and Infrastructure Security Agency (CISA).

CISA said in a statement that it is “the primary sponsor for the CVE program.”

“Although CISA’s contract with the MITRE Corporation will lapse after April 16, we are urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely,” a spokesperson for CISA said.

CISA declined to answer multiple questions about why the contract was being cancelled, what would happen when the CVE website contract expires and whether a new vendor would take over MITRE’s work. 

In a letter to CVE program board members on Tuesday, Barsoum warned of the impending expiration and said he anticipated “multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.”

None of the CVE Program board members — many of whom work for the federal government and tech giants — responded to requests for comment. 

A source at MITRE, who spoke on condition of anonymity, said DHS and CISA are letting a large number of cyber contracts expire. Last month, CISA announced it would be ending some funding for MS-ISAC and the Election ISAC — pivotal organizations offering cybersecurity assistance to thousands of critical infrastructure organizations across the U.S. 

MITRE is one of the most respected organizations in the cybersecurity field and supports multiple U.S. agencies involved in defense, healthcare, aviation and more. 

Experts were alarmed at the prospect of potentially losing the CVE program as a resource. Casey Ellis, founder of cybersecurity firm Bugcrowd, said CVE underpins a huge chunk of vulnerability management, incident response and critical infrastructure protection efforts. 

“A sudden interruption in services has the very real potential to bubble up into a national security problem in short order,” he said.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.