This is one hell of a turnaround from this news.
Earlier today, the newly established CVE Foundation announced that it aims to transition the program to a dedicated non-profit model that isn’t dependent on a single government sponsor. The Foundation’s organizers revealed they had been preparing for this possibility for the past year. Which is kind of scary if you think about it as they clearly saw this coming.
But there’s more.
Following the CVE Foundation’s announcement, CISA has said the U.S. government is extending funding to ensure no continuity issues with the critical Common Vulnerabilities and Exposures (CVE) program. Here’s the story via Bleeping Computer:
CISA says the U.S. government has extended MITRE’s funding to ensure no continuity issues with the critical Common Vulnerabilities and Exposures (CVE) program.
“The CVE Program is invaluable to cyber community and a priority of CISA,” the U.S. cybersecurity agency told BleepingComputer. “Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”
BleepingComputer has learned that the extension of the contract is for 11 months.
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, had the following commentary:
“It is fantastic to hear that MITRE’s CVE program is being extended, although we could do with less last-minute reprieves. But I’m glad it is being funded. Now the question is — is it being funded at the same level, less, or even better? Because the program has always had a ton of deficiencies for years that the community has been hoping could be improved. That program has been existing on a shoestring budget for years, hanging on by a thread, ready to collapse in usefulness at any minute.”
“MITRE leaders have been begging for more private funding for years. This isn’t a type of program where the program leaders should be begging for funding. It should be fully funded, correctly resourced, and able to do a superb job for its mission. It’s an incredibly valuable resource and the entire cybersecurity community wants to know if it will be given the attention and funding it has always needed for the seriousness of its mission. Great to hear it’s being extended, but the devil is in the details. I hope we can all go to sleep better at night knowing that it is not only getting extended, but will actually be improved and become the service it should have always been…so that the program’s leaders can do less begging for funding and more managing and improving the program.”
While this is something, it’s not good enough. There needs to be consistent, stable funding in my opinion, given how important this program is, as that is one of the key ways that we all stay safe from cyberthreats.
MITRE Gets Saved…. For Now
Posted in Commentary with tags MITRE on April 16, 2025 by itnerd