The European Union Agency for Cybersecurity (ENISA) has launched the European Vulnerability Database (EUVD), an interconnected source of vulnerability information.
The launch of EUVD, which compiles information from multiple sources, including MITRE’s Common Vulnerabilities and Exposures (CVE) program, IT product vendors and computer security incident response teams (CSIRTs), comes just a month after U.S. federal funding for the CVE program came into question.
“There’s also still some uncertainty around whether the MITRE database will continue to exist after the new contract expires in 10 months’ time, so having a European option in place means the industry can be less reliant on one vulnerability enrichment source,” Hackuity Vice President of Strategy Sylvain Cortes told SC Media in an email.
EUVD seeks to complement existing sources with an aggregated database
The creation of the EUVD was ordered as part of the second Network and Information Systems Directive (NIS2), adopted by the European Parliament in 2022 to elevate cybersecurity across the European Union.
The EUVD leverages the open-source Vulnerability-Lookup software to correlate vulnerability information from various sources and works with vendors, MITRE, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), CSIRTs, including members of the EU CSIRTs network, and other partners to further coordinate information sharing.
“To avoid efforts duplication and to support complementarity, ENISA closely cooperates with MITRE and European as well as non-European operators of the Common Vulnerabilities and Exposures (CVE) system,” the EUVD website states.
The EUVD site displays three dashboards: one for critical vulnerabilities (CVSS ≥ 9), one for exploited vulnerabilities and one specifically for vulnerabilities coordinated by EU CSIRTs.
Each vulnerability included in the database is assigned a unique EUVD ID number and displayed with information including CVSS base score, alternative identifiers such as CVE number, a summary of the vulnerability, a list of affected products, publication and update dates, assigner name and external advisories and mitigation information if available.
EUVD uses the Common Security Advisory Framework (CSAF), a standardized format for machine-readable advisories, making it compatible with automation for vulnerability management systems.
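As an added illustration of the record structure and dashboard views described above (example code, not ENISA's or the EUVD's own; every record and identifier below is a constructed placeholder), the following Python merges records that several feeds publish under different identifiers and buckets the merged entries into the three views:

```python
"""Added example (not ENISA/EUVD code): merge vulnerability records that
several feeds publish under different identifiers, then sort the merged
entries into the critical, exploited and EU-CSIRT-coordinated views."""

# Constructed feed records; the IDs are placeholders, not real entries.
# "aliases" holds a record's alternative identifiers (EUVD entries list
# their CVE number, as the article describes).
RECORDS = [
    {"source": "EUVD", "id": "EUVD-EXAMPLE-0001", "aliases": ["CVE-0000-0001"],
     "cvss": 9.8, "exploited": False, "eu_csirt": True},
    {"source": "CVE", "id": "CVE-0000-0001", "aliases": [],
     "cvss": 9.8, "exploited": True, "eu_csirt": False},
    {"source": "EUVD", "id": "EUVD-EXAMPLE-0002", "aliases": ["CVE-0000-0002"],
     "cvss": 5.3, "exploited": False, "eu_csirt": False},
    {"source": "KEV", "id": "CVE-0000-0002", "aliases": [],
     "cvss": None, "exploited": True, "eu_csirt": False},
]


def merge_records(records):
    """Group records that share any identifier (own id or alias).
    Returns a list of groups, each {"ids": set, "records": list}."""
    groups = []
    for rec in records:
        ids = {rec["id"], *rec["aliases"]}
        hits = [g for g in groups if g["ids"] & ids]
        groups = [g for g in groups if not (g["ids"] & ids)]
        merged = {"ids": set(ids), "records": [rec]}
        for g in hits:  # one record may bridge several earlier groups
            merged["ids"] |= g["ids"]
            merged["records"].extend(g["records"])
        groups.append(merged)
    return groups


def dashboards(groups, critical_threshold=9.0):
    """Assign each merged vulnerability to the three views. The EUVD ID
    names an entry when one exists; the highest CVSS score reported by
    any source is used, a deliberately conservative choice."""
    views = {"critical": [], "exploited": [], "eu_csirt": []}
    for g in groups:
        euvd_ids = [r["id"] for r in g["records"] if r["source"] == "EUVD"]
        name = euvd_ids[0] if euvd_ids else min(g["ids"])
        scores = [r["cvss"] for r in g["records"] if r["cvss"] is not None]
        if scores and max(scores) >= critical_threshold:
            views["critical"].append(name)
        if any(r["exploited"] for r in g["records"]):
            views["exploited"].append(name)
        if any(r["eu_csirt"] for r in g["records"]):
            views["eu_csirt"].append(name)
    return views
```

Running `dashboards(merge_records(RECORDS))` collapses the four feed records into two vulnerabilities, one of which is flagged as exploited only because the KEV-style record supplied that fact while the EUVD record supplied the score.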
The EU’s role in vulnerability disclosure amid uncertainty for CVE
In addition to maintaining the EUVD, ENISA has also supported vulnerability disclosure as a CVE Numbering Authority (CNA) since January 2024, enabling it to register vulnerabilities discovered by or reported to EU CSIRTs.
“While there will be operational kinks to work out, the basics of maintaining information from MITRE’s CVE Program and CISA’s KEV are encouraging. Additionally, the EU taking on CNA status will help to address historic gaps,” Nathaniel Jones, vice president of security and AI strategy and field CISO at Darktrace, told SC Media. “It’s also sound risk management to avoid single points of failure in global vulnerability reporting and can help reduce lags in reporting time.”
While many, like Jones, see the EU database’s debut as “a win for the global cybersecurity community,” especially with uncertainty surrounding funding of the CVE program, some note the potential difficulties that multiple databases represent.
“With the emergence of the EUVD, yet another database must now be monitored and referenced. This adds complexity for organisations that must stay on top of multiple sources, understand their differences, and ensure comprehensive coverage,” said Black Duck Senior Security Engineer Boris Cipot.
In addition to MITRE’s CVE program, the U.S. National Vulnerability Database (NVD), the Chinese National Vulnerability Database (CNVD), several private and commercial vulnerability databases and now the EUVD, there is also the upcoming launch of the CVE Foundation, which could shift how the CVE program is funded and maintained.
The CVE Foundation, which aims to diversify funding sources for the CVE program to reduce reliance on U.S. government funding, has said it plans to work with the EUVD and others already working with the CVE program. SC Media reached out to the CVE Foundation for comment and did not receive a response.
Overall, the impact of the EUVD on vulnerability management is yet to be seen, as the global landscape continues to evolve. Bugcrowd Vice President of Advanced Services Julian Brownlow Davies told SC Media he believes the EU database’s biggest challenge will be “staying operationally relevant.”
“The EUVD will need tight integration and real-time rigor to be more than just a parallel record. There is a risk of fragmentation here,” Davies said. “Security teams don’t need more databases; they need better signal.”