
CVE system secures 11-month extension worth USD $44 million
The extension of the contract between the Cybersecurity and Infrastructure Security Agency (CISA) and MITRE to continue running the Common Vulnerabilities and Exposures (CVE) programme has been welcomed by cybersecurity experts, who stress its critical role in global cyber defence.
CISA's decision to maintain the collaboration with MITRE for another 11 months, at a reported value of around USD $44 million, comes amid mounting concerns about both continuity and funding for the widely used CVE system. The move is seen as necessary to prevent significant disruption across the cybersecurity sector, where the CVE platform serves as a cornerstone for identifying and mitigating software vulnerabilities.
Stephen Moore, Vice President & Chief Security Strategist at Exabeam and Co-founder of the TEN18 Research Team, explained the far-reaching impact of a potential interruption. Moore remarked, "Private and public entities worldwide rely on this ongoing catalogue of vulnerability analysis as a service. If interrupted, incalculable downstream failures will occur; this underappreciated capability would affect everything from cyber defence operations to vendor security and, eventually, national security."
Moore added that "this 11-month extension of approximately USD $44 million is worth more than the amount paid; without it, only our adversaries would benefit. Longer-term discussions should be held regarding whether this capability should continue to reside with MITRE or be transferred to NIST, the FFRDC, or CISA itself." His comments highlight concerns about the long-term management and stewardship of the CVE list, a subject likely to spark further debate within government and industry policy circles.
The CVE system, established in 1999, functions as a globally recognised catalogue of publicly disclosed cybersecurity vulnerabilities and exposures. It is essential in giving security vendors, IT professionals, and organisations a common language when discussing threats, thereby enhancing cooperation and effective response strategies across borders.
Michael Lyborg, Chief Information Security Officer at Swimlane, emphasised the operational importance of a standardised vulnerability database. "Without this extension, there would be a significant impact. The CVE programme provides a standardised library and resource, giving all vendors and consumers a centralised reference and common language for enrichment, prioritisation, mitigation, and remediation," Lyborg stated. Such a repository not only streamlines communication but also accelerates the detection and patching of software flaws, he noted.
Experts caution that the alarm raised over the brief threat to the CVE system's continuity is far from academic. Lorri Janssen-Anessi, Director of External Cyber Assessments at BlueVoyant, outlined the practical consequences of such instability: "Regardless of the US government providing a last-minute lifeline for the MITRE-managed CVE system, the uncertainty around its funding is a direct threat to frontline cyber defence. CVEs are the backbone of how we identify, prioritise, and patch vulnerabilities. Without a unified catalogue, defenders are left chasing fragmented data across disconnected sources, slowing triage, breaking tooling, and increasing the risk of blind spots."
She further warned, "Threat actors don't wait. They monitor CVE disclosures closely, often weaponising vulnerabilities within hours or days. Defenders are already in a race to understand the extent of usage of the vulnerable device or software and then quickly patch before exploitation. Without a centralised CVE list, we are essentially running that race without a map. Automation fails, intel loses context, and coordination between teams and partners collapses. This isn't hypothetical. Without a central system like the MITRE-managed CVE list, we risk falling behind at the exact moment adversaries accelerate. Losing that shared reference point puts every organisation at greater risk and gives attackers the upper hand."
As debate continues over the CVE platform's future custodianship, the short-term extension is seen as a much-needed reprieve, ensuring ongoing stability in cyber vulnerability management while stakeholders discuss longer-term governance and funding models.