European Union public vulnerability database enters beta phase

Alfonso Maruccia

Forward-looking: In this day and age, having a centralized resource for collecting and sharing information about security vulnerabilities is essential. The US administration recently signaled that it no longer treats this as a priority, so the European Union is preparing a potential alternative for keeping the technology world safe and informed.

The European Commission has launched a new vulnerability database managed by the EU Agency for Cybersecurity (ENISA). The beta version of the European Vulnerability Database (EUVD) is already live, promising a more effective approach to cybersecurity and critical information sharing for professionals and organizations across the continent.

The EUVD meets the vulnerability management requirements of the NIS2 Directive, a 2023 framework adopted by the European Parliament to improve cybersecurity in critical sectors like energy, transport, and healthcare. It also helps implement the Cyber Resilience Act, which requires stronger protections for products with digital components.

European officials have described the initiative as a move to strengthen the EU's technological sovereignty. Henna Virkkunen, the European Commission's executive vice president for Tech Sovereignty, Security, and Democracy, welcomed the EUVD as a key step toward Europe's digital security and resiliency.

"By bringing together vulnerability information relevant to the EU market, we are raising cybersecurity standards, enabling public and private stakeholders to better protect our shared digital spaces with greater efficiency and autonomy," Virkkunen said.

ENISA says this data consolidation will make it easier for organizations to identify and respond to vulnerabilities, fostering a more proactive cybersecurity environment across the continent. By centralizing and streamlining the information, the EUVD aims to reduce the time it takes to address critical security issues, ultimately enhancing the region's digital resilience.

The EUVD features three dashboards highlighting critical vulnerabilities, exploited bugs, and "EU-coordinated" flaws. The latter includes issues managed by European CSIRTs. Most data comes from open-source databases, while national CSIRTs provide additional details through advisories and alerts.

Starting September 2026, the EU will require hardware and software manufacturers to report actively exploited vulnerabilities. While Brussels authorities mention the CVE database only tangentially, the EUVD is a practical response to the Trump administration's attempts to defund critical bug tracking. Should future efforts to slash funding for cyber initiatives succeed, data from the CVE system could seamlessly migrate to the EUVD.

Man that's some 90s looking design. I'm all for using <table>s for tabular data but they could at least be styled a little bit.

Good initiative though, important to have something like that around and if the US doesn't want to continue doing it then the EU should be a good alternative.
 
I'm all for a multi national group looking after this kind of database instead of relying on a single country to maintain.
 
and was nearly unfunded due to the current administration. It's great there is a backup due to despots running the country.
No it wasn't lol, the NVD never had its funding in question. The CVE did, and it was simply funded a different way (not via contract). Also, what is your evidence it has anything to do with the current administration?
 
No it wasn't lol, the NVD never had its funding in question. The CVE did, and it was simply funded a different way (not via contract). Also, what is your evidence it has anything to do with the current administration?
The US funding nearly stopped and prevented the CVE database from being updated. It's good other countries recognize they cannot rely on the USA with a despot running the show.

Your question is so loaded I am thinking you are trolling. Are you not paying attention to what is happening in the USA? Have you not seen any of the cuts? Hell, even Techspot posted about it.

"The second Trump administration moved quickly to target DHS and CISA for deep cuts and reorganizations, including CISA's Cyber Safety Review Board. The most recent contract for MITRE to maintain CVE involves a potential payout of about $40 million, launched on April 26, 2024, and potentially expiring on April 25 of this year."

 
The US funding nearly stopped and prevented the CVE database from being updated. It's good other countries recognize they cannot rely on the USA with a despot running the show.

Your question is so loaded I am thinking you are trolling. Are you not paying attention to what is happening in the USA? Have you not seen any of the cuts? Hell, even Techspot posted about it.

"The second Trump administration moved quickly to target DHS and CISA for deep cuts and reorganizations, including CISA's Cyber Safety Review Board. The most recent contract for MITRE to maintain CVE involves a potential payout of about $40 million, launched on April 26, 2024, and potentially expiring on April 25 of this year."

Again, you're bringing up unrelated things. I only talked about the NVD, then you said it was almost cut which there's no evidence of. This is what I was comparing with the EUVD. In reality, the EUVD looks like a cheap copy of the NVD, offers nothing special, and is not an alternative to the CVE.

Regarding the change in the CVE's funding, you haven't shown that the current administration had anything to do with that. You have only shown that it was funded one way, the contract was set to expire, and the DHS decided not to renew its contract with MITRE. The DHS also commented that funding was never cut: https://www.cisa.gov/news-events/news/statement-matt-hartman-cve-program

Instead, it was funded a different way by the government (not via new contract). That's not a funding cut, stopping, nor preventing the CVE database lol. The US government alone has been ENABLING the CVE. And it's not like the government has an obligation to fund MITRE via contract indefinitely. The fact that MITRE was dependent on a single source of funding to run the CVE shows a lack of competency on their part.

The CVE even admits that the NVD is a better source of information than itself, and that the Biden administration actually cut the NVD's funding and created a massive backlog (which is more serious, isn't it?): https://www.thecvefoundation.org/improving-cve#h.zfnz5qszlxn6

CVE Foundation said:
If you ask most people at large corporations and even governments whose job involves using CVE information, in one way or another, where they get the CVE information from, the answer is almost always NVD.

Why is this? It is because for many years NVD has provided a robust API that serves up enriched CVE information for all CVEs in existence. A team of analysts that would review all public information about a CVE and assign a CVSS, CWE and create CPE values for products associated with a CVE. They would maintain the CPE library and allow searches for products for which a CVE was assigned as a vulnerability aggregator for all to freely use. As the number of CVEs created per year grew, their job has become difficult to scale.

NVD ran into funding issues late in 2023 and the job of enriching all CVE records became hopelessly unachievable. The folks closest to the CVE program noticed this right away, but unfortunately not the companies and governments that still to this day depend on NVD for this data. They are curious to understand what has happened to the quality of the CVE data. Since this time, the NVD has been working to make improvements; however, scaling continues to be a challenge.

Ironically you seem to believe the EU is in the right, when they have for decades not offered something similar of their own. I guess by your logic, this means they must have had despots running the government for all this time? Have they been unreliable because they didn't prioritize cybersecurity for their citizens?
 