The Cybersecurity and Infrastructure Security Agency and the MITRE Corporation have renegotiated the contract supporting the 26-year-old Common Vulnerabilities and Exposures Program in a way that eliminates the looming expiration that triggered panic across the security community in 2025. According to sources, the program appears to have moved from a discretionary funding item to a protected line in CISA’s budget, a structural change that could prevent the kind of dramatic crisis that threatened the system last year. For roughly a day in 2025, the program that underpins vulnerability management tools, threat intelligence platforms, and patch management systems worldwide appeared headed for a...