'Stupid and dangerous': CISA funding chaos threatens essential network security program


In an eleventh-hour scramble before an important contract was set to expire on Tuesday night, the US Cybersecurity and Infrastructure Security Agency (CISA) extended its sponsorship of a long-running software vulnerability project called the Common Vulnerabilities and Exposures (CVE) program. Managed by the nonprofit research and development group MITRE, the CVE program is a global cybersecurity linchpin that provides important data and services for digital defense and research.

The CVE program is governed by a council that sets an agenda and priorities for MITRE to implement using CISA's sponsorship. A CISA spokesman said on Wednesday that the contract with MITRE was being extended for 11 months. "The CVE program is invaluable for the online community and a priority of CISA," they said in a statement. "Last night, CISA performed the optional phase in the contract to ensure no errors in important CVE services. We appreciate the patience of partners and stakeholders."

Yosry Barsoum, vice president and director of the Homeland Protection Center, said in a statement on Wednesday that CISA determined to increase funding to keep the programs operating. However, as the clock ticked down before this decision was made, a new nonprofit entity called the CVE Foundation was announced.

Since its inception, the CVE program has been active as an initiative sponsored by the US government, with supervision and management provided under a contract. While this structure has supported the growth of the program, it has also increased long-term concerns among members of the CVE Council for sustainability and neutrality of a global-based resource. This concern has become urgent after a letter on April 15, 2025 from MITRE informing the CVE Council that the US government has no intention of renewing the contract to manage the program. While we hope this day will not come, we have prepared for this possibility.

It is unclear who on the current CVE Council is affiliated with the new initiative besides Kent Landfield, a longtime network security industry member, who is quoted in the CVE Foundation statement. The CVE Foundation did not immediately return a request for comment.

CISA did not answer questions from Wired about why the fate of the CVE program's contract had been in doubt and whether it was related to the recent budget cuts sweeping the federal government under the Trump administration.

Researchers and cybersecurity experts were relieved on Wednesday that the CVE program had not suddenly ceased to exist as a result of unprecedented federal instability. And many observers cautiously noted that the incident could ultimately make the CVE program more resilient if it is transformed into an independent entity that does not depend on sponsorship from any one government or other source.

Patrick Garrity, a security researcher at VulnCheck, said: "Nearly every organization and security tool depends on this information, and it is not only the United States; it is consumed globally. Therefore, it is really important that it continues to be a service provided by the community, and we need to find what to do about this because it will be a risk for everyone."

Federal procurement records indicate that it costs tens of millions of dollars per contract to run the CVE program. But in the scheme of the losses that can occur from a single cyberattack exploiting unpatched software vulnerabilities, experts told Wired, the operating costs seem insignificant compared to the benefits for US defense.

Despite CISA's last-minute funding, the long-term future of the CVE program is still unclear. As one source, who requested anonymity because they are a federal contractor, put it: "It was all very stupid and dangerous."


