

The U.S. government today extended a contract through which it finances the CVE Program, the cybersecurity industry’s go-to database of software vulnerabilities.
The U.S. Cybersecurity and Infrastructure Security Agency announced the move today. According to BleepingComputer, the contract has been extended for 11 months. The move follows warnings earlier this week that federal funding for CVE was close to running out, which raised the prospect of service disruptions.
Launched in 1999, CVE assigns a unique identifier to each publicly disclosed vulnerability in software and hardware products and publishes a record describing it. The database has more than 170,000 entries and counting. Because vendors, scanners and advisories all cite the same CVE ID, it removes the need for cybersecurity professionals to piece together information about a vulnerability from multiple sources.
Each CVE record carries a technical description of the associated vulnerability and, in most cases, a severity score ranging from 0 to 10. That score is a Common Vulnerability Scoring System (CVSS) base score, derived from factors such as whether the flaw can be reached over the network, how much access an attacker needs beforehand, whether a user has to be tricked into helping, and how badly confidentiality, integrity and availability suffer. Historically the score was supplied by NIST's National Vulnerability Database rather than by the CVE record itself; under the current CVE JSON 5.x record format, the organization that assigns the ID can also publish CVSS metrics directly in the record. Either way, the scores spare cybersecurity professionals some of the work involved in assessing a new flaw's impact, which can speed up remediation.
The database is maintained by MITRE, a nonprofit funded by the U.S. government. The organization operates a network of federally financed research and development centers, or FFRDCs. One of those FFRDCs maintains the CVE database, while the other centers focus on areas such as healthcare and aviation.
On Tuesday, an internal note sent by MITRE Vice President Yosry Barsoum started circulating on social media. Barsoum informed the board tasked with overseeing the CVE database that funding for the project was about to expire. “If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure,” he wrote.
Barsoum cautioned that the funding disruption would also have affected related MITRE-run programs such as the Common Weakness Enumeration, or CWE. CWE likewise maintains a catalog, but whereas CVE tracks specific vulnerabilities in specific products, CWE classifies the underlying weakness types, such as buffer overflows or cross-site scripting, that those vulnerabilities instantiate; CVE records reference CWE entries to state what kind of bug each one is.
The board that oversees the CVE database includes representatives of cybersecurity companies, research labs and other organizations. Today, a group of board members launched a nonprofit foundation to ensure CVE can continue operating even without federal funding. It’s unclear how the initiative will proceed now that the financing agreement with CISA has been renewed.
“The CVE Program is invaluable to cyber community and a priority of CISA,” the agency said in a statement. “Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”