“Silly and dangerous”: CISA funding chaos threatens essential cybersecurity programs


In an eleventh-hour scramble before a key agreement expired on Tuesday night, the US Cybersecurity and Infrastructure Security Agency renewed funding for a long-standing software vulnerability tracking project known as the Common Vulnerabilities and Exposures (CVE) Program. Managed by the nonprofit research and development group MITRE, the CVE program is a linchpin of global cybersecurity, providing critical data and services for digital defense and research.

The CVE program is governed by a board that sets the agenda and priorities for MITRE to implement using CISA's funds. A CISA spokesperson said on Wednesday that its contract with MITRE has been extended for 11 months. “The CVE program is invaluable to the cyber community and is a CISA priority,” they said in a statement. “Last night, CISA ran the optional term of the agreement to ensure it didn’t expire on a critical CVE service. We would like to thank our partners and stakeholders for their patience.”

“CISA has identified progressive funds to operate the program,” Yosry Barsoum, MITRE’s vice president and director of its Center for Securing the Homeland, said in a statement Wednesday. However, with the clock ticking down before the decision was announced, some members of the CVE program’s board announced plans to move the project into a new nonprofit entity called the CVE Foundation.

“Since its founding, the CVE program has served as a US government-funded initiative, with oversight and management provided under contract. This structure has supported the growth of the program, but it has also raised years of concern among members of the CVE Committee about the neutrality of a globally trusted resource tied to a single government sponsor,” the CVE Foundation said in its statement. “This concern has become urgent following a letter from MITRE on April 15, 2025. The US government has notified the CVE Board that it does not intend to renew its agreement to administer the program. We had hoped this day would not come, but we are prepared for this possibility.”

It is unclear who from the current CVE board is affiliated with the new initiative other than Kent Landfield, a longtime cybersecurity industry member quoted in the CVE Foundation statement. The CVE Foundation did not immediately return a request for comment.

CISA did not respond to questions from Wired about why the fate of the CVE program agreement was in question and whether it was linked to the recent budget cuts sweeping the federal government as mandated by the Trump administration.

Researchers and cybersecurity experts were relieved on Wednesday that the CVE program had not suddenly ceased to exist as a result of unprecedented instability in US federal funding. And many observers expressed cautious optimism that the incident could ultimately make the CVE program more resilient.

“CVE programs are important and it’s interesting for everyone to succeed,” says Patrick Garrity, a security researcher at VulnCheck. “Almost every organization and every security tool relies on this information, and it’s not just in the US. It’s consumed worldwide. So it’s really important that it remains a service provided by the community. You need to know what to do about this.”

Federal procurement records show that running the CVE program costs tens of millions of dollars per contract. However, in the scheme of the possible losses from a single cyberattack that exploits a vulnerability in unpatched software, experts tell Wired that the operational costs appear negligible compared with the benefit to US defense alone.

Despite CISA’s last-minute funding, the long-term future of the CVE program remains uncertain. As one source, who requested anonymity because they are a federal contractor, put it, “It’s all so stupid and dangerous.”
