Security News
Sarah Gooding
April 16, 2025
Yesterday, the CVE Program faced a spectacular meltdown, as the cybersecurity world braced for a sudden disruption to one of its most critical systems. With just hours remaining, CISA confirmed that it had extended MITRE’s contract to operate the Common Vulnerabilities and Exposures system for 11 months until March 2026. While that avoided an immediate shutdown, the lack of transparency around the renewal and the broader uncertainty it sparked have prompted renewed concern about the fragility of the CVE infrastructure.
Vulnerability researcher Patrick Garrity noted that CVEs were still being issued as of this week, and Brian Krebs emphasized that the majority of vulnerability disclosures come directly from CNAs (CVE Numbering Authorities), which could continue to assign identifiers even in the absence of MITRE. But that wouldn’t solve the broader coordination issues.
“If MITRE’s funding goes away, it causes an immediate cascading effect that will impact vulnerability management on a global scale,” vulnerability historian Brian Martin commented on LinkedIn.
Without a coordinating body, CNA participation would fragment. National vulnerability databases (including the U.S. NVD) would become even less effective, and downstream systems that rely on CVE metadata would struggle to maintain consistency. Global CERTs and security vendors would be forced to adjust in real time.
In response to the uncertainty, several efforts have emerged in parallel. A subset of CVE board members has formed a new “CVE Foundation”, though little is known about its structure or long-term goals. The announcement was published today:
In response, a coalition of longtime, active CVE Board members have spent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation. The new CVE Foundation will focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide.
“CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” said Kent Landfield, an officer of the Foundation. “Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work—from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats.”
Others have pointed to a Global CVE initiative and renewed involvement from OWASP as signs that stakeholders are exploring alternatives, or at least preparing contingencies. The EUVD (European Vulnerability Database) also went live today, managed by ENISA, which has been authorized as a CNA for assigning CVE IDs to vulnerabilities reported within the EU.
These efforts reflect a growing interest in decentralizing CVE issuance and publication. However, coordination remains a significant challenge. With over 450 CNAs participating in the CVE program, sustaining their participation and ensuring consistent formatting and publication requires daily management. No single vendor is eager to take on this responsibility, especially when it involves enabling competitors and navigating the complexities of vulnerability management without a clear revenue model.
Security expert Adam Shostack, who helped create CVE, emphasized the distinction between the number itself and the infrastructure behind it: “The most important part of CVE is not the unique number, but the funding and expertise to run a credible program that assigns a unique number… The value of CVE is not as a database, but as a stable way to cross-reference between databases and other tools.”
Shostack, who has been involved with CVE since its early days and has contributed extensively to vulnerability coordination efforts, added: “Assigning unique numbers in a stable way is harder than you'd expect.”
His point highlights why recent efforts to decentralize the CVE process must be evaluated not just on their ability to assign identifiers, but on their ability to maintain trust, consistency, and participation over time.
CISA’s confirmation of an 11-month contract extension keeps the CVE Program running, but it’s a high-stakes instance of kicking the can down the road. The core issues—governance, funding stability, and long-term coordination—remain unresolved.
Without a clear plan for what comes next, the ecosystem is left operating on borrowed time. For vendors who depend on CVE data as a stable foundation, that means continued uncertainty around how much to invest, and in what direction.
Relying on last-minute contract renewals introduces systemic risk, especially when the fallout would ripple across national defense, enterprise patch pipelines, and threat intelligence sharing worldwide.
"CVE achieved public good status exceptionally quickly, in part because of support from thoughtful leaders like Tony Sager while he was at NSA," Shostack commented on his blog. "Finding support from outside the government was, as I recall, harder because MITRE is Congressionally chartered and has difficulty taking money from anyone but the US Government."
Rather than addressing the structural weaknesses in how CVE is managed, this extension leaves the ecosystem in limbo. There’s no clarity on what happens after those 11 months, no new governance model in place, and no indication that MITRE, CISA, or any successor organization is rethinking the long-term model for CNA coordination, publication infrastructure, or ecosystem stewardship. Unless a more stable funding and governance model is established in the coming months, the ecosystem may be right back in crisis mode by early 2026.