2005 CVE Program FOIA Results

I submitted a Freedom of Information Act (FOIA) request to the Department of Homeland Security (DHS) on February 8, 2005, asking for funding information for the Common Vulnerability Enumeration (CVE) program run by MITRE. I eventually received a lengthy document that had the information I had requested, and a lot more.


My FOIA request:

I received a 673-page document as a reply, dated January 17, 2006. The funding information I had requested began on page 200. It is part of Contract Number W15P7T-04-C-D199 (Project Number 0705H300), formerly Contract Number J-FBI-02-093//D010. Here are the relevant bits:

We can see the billing period for this was October 1, 2003 to May 2, 2004. In that half year, MITRE billed DHS $1,489,569.96 for labor and a significant, yet vague, “overhead”, as well as $157,119.54 for other direct costs. That means that in half a year MITRE billed $1,646,689.50 to run CVE, OVAL, and the Patch Authentication and Dissemination Capability (PADC), as all three were covered under the contract. That’s roughly $3.2 million to run them annually. Yet the total contract cost and funded amount was $4,720,532.00. So the cost for those programs falls somewhere between $3.2 and $4.7 million.

The picture gets more convoluted when going through the many other invoices and billing records, some of which are of poor reproduction quality. The following seems to show that MITRE had used almost all of the funding as of January 30, 2005:

Another section of a billing period report shows questionably high spending in a few key areas:

The full PDF of the reply: https://jericho.blog/wp-content/uploads/2026/01/2006-01-17-FOIA-Common-Vulnerabilities-and-Exposures-Project.pdf

A .ZIP with extracted financial figures: https://jericho.blog/wp-content/uploads/2026/01/2005-FOIA-CVE-images.zip
