The Cybersecurity and Infrastructure Security Agency and the MITRE Corporation have renegotiated the contract supporting the 26-year-old Common Vulnerabilities and Exposures Program in a way that eliminates the looming expiration that triggered panic across the security community in 2025.
According to sources, the program appears to have moved from a discretionary funding item to a protected line in CISA’s budget, a structural change that could prevent the kind of dramatic crisis that threatened the system last year.
For roughly a day in 2025, the program that underpins vulnerability management tools, threat intelligence platforms, and patch management systems worldwide appeared headed for an abrupt shutdown. The cybersecurity world was blindsided when MITRE disclosed that its contract with the US Department of Homeland Security to operate the program was set to expire with no renewal in place.
CISA ultimately stepped in at the last minute, issuing an emergency 11-month contract extension that kept the system running but left the global security community bracing for another funding cliff this spring.
Nearly a year later, that stopgap has been replaced by what sources describe as a more durable arrangement. The CVE board was informed during its Jan. 21, 2026, meeting that there would be “no funding cliff in March” and that “ongoing operations and planning extend well beyond that timeframe,” according to meeting minutes later made public.
In a statement, Nick Andersen, acting director of CISA, told CSO, “Under CISA’s leadership and sponsorship, the CVE program is fully funded and has continually evolved and modernized to support the global vulnerability ecosystem.” Jordan Graham, a spokesperson for MITRE, said in a statement that “MITRE, in support of CISA, is committed to CVE as a critical global resource.”
From afterthought to protected program
For longtime vulnerability disclosure advocates, the most important shift may not be the renewal itself but how the funding is structured.
Pete Allor — a CVE board member, veteran cybersecurity professional, and co-founder of the CVE Foundation — said the program historically competed with other initiatives for leftover funds within CISA’s budget.
“What I understand changed is we went from, ‘Hey, out of anything that’s left over, can we fund the CVE program along with a few other things?’ to above that line — it will be funded,” Allor said. “That’s a huge change.”
In practical terms, that shift appears to elevate the vulnerability cataloging program from a discretionary item that could be squeezed out by competing priorities into a core operational program.
The improved funding outlook has also prompted the CVE Foundation — created during last year’s uncertainty to explore alternative governance models — to reassess its next steps. “Why wrestle the horse to the ground when I can use it bridled?” Allor said.
Transparency questions remain
Despite the apparent funding stability, the contract itself remains largely opaque — even to members of the CVE board.
A source close to the CVE program, who requested anonymity to preserve working relationships with CISA and MITRE, described the agreement as reassuring but lacking transparency.
“It’s a mystery contract with a mystery number that has been agreed to and passed,” the source said. “The good news is people don’t have to worry. But now that they don’t have to worry, now is the time to ask the hard questions.”
Those questions include how the program will be modernized, how its performance will be measured, and whether its governance structure should evolve.
In his statement to CSO, CISA’s Andersen said, “CISA, in collaboration with the global cybersecurity community, is committed to enhancing data quality, modernizing infrastructure and services, improving governance processes with more diverse representation, among other lines of effort.”
One CVE board member has repeatedly requested access to the MITRE-CISA contract at successive board meetings, according to people familiar with the discussions. MITRE has declined those requests, citing legal protections around the agreement between the two organizations. A separate Freedom of Information Act request for the contract has also gone unanswered.
“If you’re saying you’re doing it for the public good and the greater good, it’s incumbent upon you to say how you are measuring good,” Allor said. “That’s an open question, and it can’t be secret.”
The CVE board itself — expanded to 24 members in recent years — functions largely as an advisory body, while MITRE retains final decision-making authority over program operations.
Global alternatives begin to emerge
The near-collapse of the CVE program last year triggered a wave of contingency planning across the cybersecurity ecosystem.
The CVE Foundation began exploring governance models that would reduce reliance on a single US government funding source. At the same time, the European Union Agency for Cybersecurity began developing its own vulnerability identification framework, which has since launched.
An ENISA spokesperson said the agency remains committed to the CVE ecosystem but does not have visibility into the program’s funding arrangements. “ENISA is part of the CVE Program and remains committed to contributing to the global CVE community and supporting coordinated vulnerability management,” the agency said in a statement.
Private-sector organizations also took steps to hedge against potential disruption. Vulnerability intelligence firm VulnCheck, for example, reserved blocks of CVE identifiers to ensure continuity if the numbering system faltered.
Even with the funding scare resolved, those efforts are unlikely to disappear. Structural concerns about governance and long-term independence continue to drive interest in complementary or alternative systems.
Some European stakeholders, in particular, remain uneasy about a critical piece of global cybersecurity infrastructure depending on a single US government contract.
“There are some European people who don’t want to point their technical data directly at a US-funded government thing,” the source familiar with the CVE program said. Discussions have reportedly begun about potentially amending the EU’s Cyber Resilience Act to reference an identifier managed by ENISA rather than CVE.
Allor said he expects CISA to expand its international engagement around the program in the coming months in response to those concerns. “I think there are countries within the EU, and I know of at least three countries external to the EU that were complaining about it,” he said. “I think the folks at CISA heard that loudly.”
Last September, CISA outlined its “vision” for the CVE program, pledging to strengthen international partnerships and improve representation of governments and organizations outside the United States — a signal of renewed commitment following last year’s scare.
A warning the industry won’t forget
Even as the immediate funding crisis fades, the institutional environment surrounding CISA remains unsettled. The agency has faced budget cuts, leadership turnover, and staff reductions, and it has gone more than a year without a Senate-confirmed director.
For now, however, the vulnerability catalog that serves as the cybersecurity industry’s common language remains funded and operational.
But the events of last year revealed how dependent the global security ecosystem has become on a single US government contract — and sparked a broader debate about whether the governance and funding of such critical infrastructure should be more transparent, more international, and less fragile.