“Stupid and Dangerous”: CISA budget chaos threatens an essential cybersecurity program
At the eleventh hour, before a key contract expired on Tuesday night, the US Cybersecurity and Infrastructure Security Agency (CISA) extended its funding for a long-running software vulnerability tracking project known as the Common Vulnerabilities and Exposures (CVE) program. The CVE program, managed by the nonprofit research and development group MITRE, is central to global cybersecurity, providing important data and services for digital defense and research.
The CVE program is governed by a board, which sets the agenda and priorities that MITRE carries out using CISA funding. A CISA spokesperson said on Wednesday that the contract with MITRE is being extended for 11 months. They said in a statement: “The CVE program is very valuable for the cyber community and a CISA priority. Last night, CISA executed the option for the contract to ensure that there will be no lapse in important CVE services. We appreciate our partners’ and stakeholders’ patience.”
“CISA identified an increasing budget for implementing programs,” Yosry Barsoum, vice president and director of MITRE's Center for Securing the Homeland, said on Wednesday. With the decision still pending, some members of the CVE board announced a plan to transfer the project to a new nonprofit entity called the CVE Foundation.
“Since its inception, the CVE program has operated as a US government-funded initiative, with oversight and management provided under contract. While this structure has supported the program’s growth, it has raised long-standing concerns among CVE board members about the sustainability and neutrality of a world-class resource that is tied to a single government sponsor,” the foundation said in its statement. “This concern has become urgent after an April 15, 2025, letter from MITRE to the CVE board saying that the US government did not intend to extend its contract to manage the program. While we hoped this day would come, we were ready for this possibility.”
It is unclear who from the current CVE board is affiliated with the new initiative other than Kent Landfield, a longtime member of the cybersecurity industry who is quoted in the CVE Foundation statement. The CVE Foundation did not immediately return a request for comment.
CISA did not answer WIRED's questions about why the fate of the CVE program had been in question and whether it was related to the recent funding cuts that have swept the federal government as mandated by the Trump administration.
Researchers and cybersecurity experts were relieved on Wednesday that the CVE program had not stopped suddenly because of unprecedented instability in US federal funding. Many observers also expressed optimism that the incident could ultimately make the CVE program more resilient if it is transferred to an independent entity that does not rely on any one government or funding source.
“The CVE program is very important and it is in the interest of everyone for it to succeed,” says Patrick Garrity, a security researcher at VulnCheck. “Almost every organization and every security tool depends on this information, and it is not just the United States. It is consumed worldwide. So it is really important for it to be a service provided to the community, and we need to understand what to do, because losing it would be dangerous for everyone.”
Federal procurement records show that the CVE program costs tens of millions of dollars per contract. But set against the losses that could result from a single cyberattack exploiting unpatched software vulnerabilities, according to WIRED's reporting, the operational costs are insignificant compared with the benefits to US defense alone.
Despite CISA’s last-minute funding, the long-term future of the CVE program is still unclear. As one source, who asked for anonymity because they are a federal contractor, says: “This is all stupid and dangerous.”