CISA reverses course, extends MITRE CVE contract | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/cisa-reverses-course-extends-mitre-cve-contract\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"CISA reverses course, extends MITRE CVE contract\"> <meta property=\"og:description\" content=\"While the last-minute extension averts an immediate lapse in support, rival organizations are being stood up to supplant the global vulnerability system. \"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/cisa-reverses-course-extends-mitre-cve-contract\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-04-16T14:52:52+00:00\"> <meta property=\"article:modified_time\" content=\"2025-04-16T14:52:55+00:00\"> <meta name=\"author\" content=\"djohnson\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/cisa-reverses-course-extends-mitre-cve-contract-2.jpg\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1744740145g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1744729707g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1740691656g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=a815169637cf454b7376\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/84193\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=84193\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-reverses-course-extends-mitre-cve-contract%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-reverses-course-extends-mitre-cve-contract%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-84193 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/cisa-reverses-course-extends-mitre-cve-contract\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.078358208955\">\n<div class=\"single-article__header-content\" readability=\"30.102766798419\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/cisa-reverses-course-extends-mitre-cve-contract\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> While the last-minute extension averts an immediate lapse in support, rival organizations are being stood up to supplant the global vulnerability system. <\/p>\n<p>   <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"320\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/cisa-reverses-course-extends-mitre-cve-contract.jpg?resize=640%2C320&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/cisa-reverses-course-extends-mitre-cve-contract-2.jpg 2448w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/cisa-reverses-course-extends-mitre-cve-contract-2.jpg?resize=300,150 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/cisa-reverses-course-extends-mitre-cve-contract-2.jpg?resize=768,384 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/cisa-reverses-course-extends-mitre-cve-contract-2.jpg?resize=1024,512 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/cisa-reverses-course-extends-mitre-cve-contract-2.jpg?resize=1536,768 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/cisa-reverses-course-extends-mitre-cve-contract-2.jpg?resize=2048,1024 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/cisa-reverses-course-extends-mitre-cve-contract-2.jpg?resize=600,300 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/cisa-reverses-course-extends-mitre-cve-contract-2.jpg?resize=1200,600 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/cisa-reverses-course-extends-mitre-cve-contract-2.jpg?resize=1500,750 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"49.052708030712\"><body readability=\"100.35210263721\"><\/p>\n<p>In a last-minute switch, the Cybersecurity and Infrastructure Security Agency said it will continue funding a contract for MITRE to manage the CVE program and other vulnerability databases.<\/p>\n<p>In a statement sent to CyberScoop, a spokesperson said the agency executed an option to extend the contract and avoid a potential lapse in a program that has become essential to the broader cyber community\u2019s vulnerability management.<\/p>\n<p>\u201cThe CVE Program is invaluable to the cyber community and a priority of CISA,\u201d the spokesperson said. On Tuesday night, \u201cCISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners\u2019 and stakeholders\u2019 patience.\u201d<\/p>\n<p>The spokesperson did not immediately respond to follow-up questions about the length of the extension.<\/p>\n<p>CISA\u2019s decision comes after a MITRE executive sent a <a href=\"https:\/\/bsky.app\/profile\/GossiTheDog.cyberplace.social.ap.brid.gy\/post\/3lmuokoyskqx2\">letter<\/a> this week advising the CVE board of the contract\u2019s imminent termination, warning of potentially catastrophic consequences to the cybersecurity ecosystem.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cIf a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations and all manner of critical infrastructure,\u201d Yosry Barsoum, a vice president and director at MITRE, wrote Tuesday.<\/p>\n<p>Virtually everyone, from government organizations to the private sector, relies on the CVE program to keep their technology safe.<\/p>\n<p>The program acts as an international clearinghouse for the latest information on cybersecurity vulnerabilities in software and other products. CVE entries are often the starting place for vulnerability management or incident response, as defenders mine them for the latest updates on patching, affected products, indicators of compromise and other critical intelligence.<\/p>\n<p>Ferhat Dikbiyik, chief research & intelligence officer at Black Kite, said that removing MITRE \u2014 the central authority managing the CVE database \u2014 would leave only \u201cchaos\u201d for the organizations that rely on the quality of that data.<\/p>\n<p>\u201cThe CVE program isn\u2019t just a database. It\u2019s the backbone of how the cybersecurity world communicates about vulnerabilities,\u201d Dikbiyik said.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Tim Peck, a senior threat researcher at Securonix, said shuttering the program without a replacement could result in the delay of vulnerability disclosures, affect coordinated disclosure timelines, inhibit notes on patching or remediation and allow attackers additional time to exploit vulnerabilities before the cyber community can respond.<\/p>\n<p>Last year, the National Institute of Standards and Technology <a href=\"https:\/\/cyberscoop.com\/plan-to-resuscitate-beleaguered-vulnerability-database-draws-criticism\/\">temporarily halted<\/a> its work enriching vulnerabilities for the National Vulnerability Database, leading to a similar outcry from cybersecurity professionals.<\/p>\n<p>The MITRE letter created a panic within the cyber community, causing different parties to plot out plans for replacing MITRE\u2019s work with a new organization.<\/p>\n<p>A new organization called the CVE Foundation <a href=\"https:\/\/www.thecvefoundation.org\/\">was launched<\/a> Wednesday as a potential successor. Kent Landfield, an officer for the organization, said the foundation was being started by \u201ca coalition of longtime, active CVE Board members\u201d who have \u201cspent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation.\u201d<\/p>\n<p>\u201cCVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,\u201d Landfield said in a statement. \u201cCybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work \u2014 from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The Computer Incident Response Center of Luxembourg is also developing its own rival. <a href=\"https:\/\/gcve.eu\/\">The Global CVE Allocation System<\/a> is an attempt to create a more decentralized system for managing vulnerabilities, one that doesn\u2019t need to rely on a central authority for management. According to an FAQ section of the website, the new identifiers created by the organization would be crafted to be backwards-compatible with existing CVE entries.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.2380952380952\">\n<div class=\"author-card\" readability=\"13\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/cisa-reverses-course-extends-mitre-cve-contract-1.jpg?w=640&ssl=1\" alt=\"Derek B. Johnson\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Derek B. Johnson<\/h4>\n<p> Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor\u2019s degree in print journalism from Hofstra University in New York and a master\u2019s degree in public policy from George Mason University in Virginia. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/cisa-reverses-course-extends-mitre-cve-contract\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA reverses course, extends MITRE CVE contract | CyberScoop Skip<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1209,1765,4157,78,452,3303,1767,927],"tags":[668,1770,4158,86,454,3304,1772,929],"class_list":["post-7547","post","type-post","status-publish","format-standard","hentry","category-cisa","category-cve","category-cve-foundation","category-cybersecurity","category-cybersecurity-and-infrastructure-security-agency-cisa","category-mitre","category-national-vulnerability-database","category-nist","tag-cisa","tag-cve","tag-cve-foundation","tag-cybersecurity","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-mitre","tag-national-vulnerability-database","tag-nist"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cisa\/\" rel=\"category tag\">CISA<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cve\/\" rel=\"category tag\">CVE<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cve-foundation\/\" rel=\"category tag\">CVE Foundation<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/mitre\/\" rel=\"category tag\">MITRE<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/national-vulnerability-database\/\" rel=\"category tag\">National Vulnerability Database<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/nist\/\" rel=\"category tag\">NIST<\/a>","tag_info":"NIST","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7547","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7547"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7547\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7547"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7547"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7547"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":7547,"date":"2025-04-16T09:52:52","date_gmt":"2025-04-16T14:52:52","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=84193"},"modified":"2025-04-16T09:52:52","modified_gmt":"2025-04-16T14:52:52","slug":"cisa-reverses-course-extends-mitre-cve-contract","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/04\/16\/cisa-reverses-course-extends-mitre-cve-contract\/","title":{"rendered":"CISA reverses course, extends MITRE CVE contract"},"content":{"rendered":"