The worldwide cybersecurity industry, as well as the IT industry at large, has dodged a bullet with CISA announcing it is extending funding for the CVE program.
The Common Vulnerabilities and Exposures (CVE) program keeps track of critical cybersecurity vulnerabilities, giving professionals a centralized source of information. The program is a critical cybersecurity resource, making its funding a top priority.
To date, the program has been largely funded by the US government, funding that was originally going to expire on April 16. CISA provided a statement to BleepingComputer saying that funding has been extended.
“The CVE Program is invaluable to cyber community and a priority of CISA,” the US agency told the outlet. “Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”
CVE Foundation Established ‘to Secure the Future’ of the Program

With growing concerns about the CVE program being so heavily reliant on US funding, “a coalition of longtime, active CVE Board members have spent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation.”
The foundation’s goal is to help the CVE program achieve funding independence, as well as to put to rest any concerns that the program lacks neutrality because of its US funding history.
“CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” said Kent Landfield, an officer of the Foundation. “Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work—from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats.”
Securing the CVE program is an admirable goal, especially given the critical role it plays in helping companies and organizations address vulnerabilities across countless products and industries.