The MITRE Corporation’s Common Vulnerabilities and Exposures (CVEs) database has been handed a last minute reprieve amid concerns over funding.
Maintained by the MITRE Corporation since 1999, the future of the database was thrown into doubt yesterday as the contract between the two was set to lapse.
The news prompted widespread criticism from cybersecurity professionals, with many warning the expiration of the database would heighten security risks and impact information sharing for enterprises globally.
In an email exchange with ITPro, the Cybersecurity and Infrastructure Security Agency (CISA) originally confirmed that the contract with the MITRE Corporation was due to expire.
However, in an updated statement, the agency revealed it intends to maintain the database in a bid to prevent a lapse in CVE services.
“The CVE Program is invaluable to the cyber community and a priority of CISA,” a spokesperson said.
“Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”
What is the Common Vulnerabilities and Exposures database?
The CVE database is a cornerstone of the international cyber community, bringing together trusted partners to share threat data.
Each security vulnerability within the database is designated a unique CVE ID, giving cybersecurity teams a standardized way to identify, catalog, and shore up defenses against threats to their organizations.
Graeme Stewart, head of public sector at Check Point Software, told ITPro that CVEs are essential for measuring the quality of cybersecurity defenses deployed by organizations.
“It allows practitioners to make a non-partisan assessment of their environment, based upon the needs for patching and remediation,” he said.
“The lower the number of CVEs, the less time spent patching because a system is less vulnerable. It’s an invaluable tool, and private and public sector should be coming together to make sure this valuable work continues.”
Security professionals left confused and frustrated
Before news of the reprieve emerged, security professionals voiced serious concerns about the potential funding lapse.
John Hammond, principal security researcher at Huntress, told ITPro he was “extremely frustrated” at the decision.
“It’s like the cybersecurity industry’s common language has been thrown out the window, we just lost the ground that we stand on. This is going to hurt, not help.”
Jen Easterly, former director at CISA, described the CVE system as “one of the most important pillars of modern cybersecurity” in a post on LinkedIn.
“Losing it would be like tearing out the card catalog from every library at once—leaving defenders to sort through chaos while attackers take full advantage.”
Easterly added that this could’ve increased the risk of breaches and ransomware for businesses, drive up security and compliance costs, and erode customer trust.
A huge number of organizations, from the largest names in tech to small cybersecurity teams worried about zero-day exploits, rely on CVEs to prioritize their vulnerability management techniques.
