CISA Extends Critical CVE Program Contract at Last Minute

Cybersecurity Update: April 16, 2025

🚨 BREAKING: CVE Program Gets Last-Minute Lifeline

The TL;DR: CISA just executed an 11-month extension for the MITRE-backed CVE Program. Crisis averted... for now. Read more

Today’s newsletter is sponsored by Superhuman AI

Start learning AI in 2025

Keeping up with AI is hard – we get it!

That’s why over 1M professionals read Superhuman AI to stay ahead.

• Get daily AI news, tools, and tutorials

• Learn new AI skills you can use at work in 3 mins a day

• Become 10X more productive

Sign up and start mastering AI

Why it matters:

• CVE = the backbone of vulnerability management since 1999

• 275,000+ vulnerabilities cataloged to date

• Powers everything from your patch management to CISA's alerts

• Without it? Pure chaos for security teams worldwide

The drama:

• MITRE dropped a bombshell memo warning of "deterioration of national vulnerability databases" if funding lapsed

• Some board members were already planning a breakaway "CVE Foundation"

• All this amid CISA budget scrutiny and contract cuts

• Full story on the funding crisis

What it means for you:

• Your vulnerability scanners will keep working (phew!)

• CVE IDs remain the industry standard (for now)

• But keep an eye on this space – the 11-month clock is ticking

The bottom line: We dodged a cybersecurity bullet here, folks. This program is too critical to fail, but its future governance remains uncertain.

One thing to watch: DHS leadership's push for a "smaller, more nimble" CISA could impact other security programs we rely on.

Stay frosty,

Stetson Blake