At the last minute, the United States Cybersecurity and Infrastructure Security Agency (CISA), extended MITRE's contract for maintaining the Common Vulnerabilities and Exposures (CVEs) Program.

The CVE Program (Common Vulnerabilities and Exposures) is a public catalog of known cybersecurity vulnerabilities. Each vulnerability gets a unique ID (like CVE-2024-12345) so that researchers, vendors, and defenders are all referring to the same issue in a standardized way.

Cyberkach had recently reported the impending end of MITRE's contract to manage the CVE Program. However, a late statement from a CISA spokesperson revealed that the contract had been extended by 11 months: “The CVE Program is invaluable to the cyber community and a priority of CISA,” they said in a statement. “Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”

Also, according to a statement by Cybersecurity Researcher, Kevin Beaumont, "It’s unclear how long it has been extended for. MITRE has still lost its contract for other things and plans to shed around 500 staff, so the whole thing feels like borrowed time.

This extension will offer funding to MITRE's CVE program until March 2026.