European Vulnerability Database goes live, but who benefits?

The European Union Agency for Cybersecurity (ENISA) has unveiled the European Vulnerability Database (EUVD), an initiative under the NIS2 Directive aimed at enhancing digital security across the EU. The database serves as a centralized repository offering aggregated and actionable information on cybersecurity vulnerabilities affecting ICT products and services.

European Vulnerability Database: Features and accessibility

The EUVD is designed to ensure a high level of interconnection of publicly available information from multiple sources, including Computer Security Incident Response Teams (CSIRTs), vendors, and existing databases. It offers three distinct dashboard views:

  • Critical vulnerabilities: Highlighting vulnerabilities with severe implications.
  • Exploited vulnerabilities: Focusing on vulnerabilities currently being exploited.
  • EU Coordinated vulnerabilities: Showcasing vulnerabilities coordinated by European CSIRTs.

Each entry in the database includes a description of the vulnerability, affected ICT products or services, severity levels, exploitation methods, and available mitigation measures or patches.

The database is accessible to the public, including suppliers of network and information systems, entities using their services, competent national authorities, private companies, and researchers.

“While this has been in the works for a while, given the chaos around MITRE’s CVE funding lately, it’s no surprise Europe is fast-tracking the rollout of their own vulnerability database. It makes sense not only from a sovereignty perspective for the EU, I also think it’s a smart move to reduce reliance on a single system whose future funding and viability isn’t clear,” Joe Nicastro, Field CTO, Legit Security, told Help Net Security.

“Having had the opportunity to meet with Hans de Vries, COO for ENISA, while at RSAC this year and chat about this very topic, it sounds like the ultimate goal is for these two systems to work closely together to provide redundancy to the CVE and CWE ecosystems, as opposed to being a replacement. What I really respect is that while EUVD has its own proprietary nomenclature, they have mapped those to existing CVE IDs provided by MITRE, which shows they’re thinking about practicality and interoperability, not just politics,” Nicastro concluded.

Alternative CVE databases: Redundancy or resilience?

While some have raised concerns about the need for alternatives to MITRE’s CVE database, not everyone sees it as an urgent priority.

“Is there an absolute need for an alternative to MITRE’s CVE database? No,” said Thomas Pace, CEO of NetRise. “There are currently many alternatives to MITRE’s database. Ideally, there would be a consortium of organizations that would aggregate data from the many vulnerability databases that already exist.”

Despite recent debates, the technical and political implications of launching a new CVE database may be overstated. “There is no technical significance. There wouldn’t seem to be additional political significance in adding another CVE database,” said Pace, noting that governments already differ in how they manage CVE disclosures. “For example, there are incidents in which a government has pulled CVEs from the database after reporting them.”

As for how the software community might react to a new CVE source, Pace suggested it may simply be treated as one more feed to consider. “This will simply involve incorporating another data source, whose value will be evaluated by the community.”

However, the prospect of adding more oversight or complexity could alter the current dynamics of vulnerability reporting. “What may well happen is that companies will no longer self-report,” Pace warned. “It’s like having a regulator be an information sharing and analysis center in one body. A lot of the reason companies become CNAs now is to ensure they have ownership of reporting of vulnerabilities associated with their software, and not all will report vulnerabilities they haven’t yet been able to remediate.”

ENISA’s role and future developments

Since January 2024, ENISA has been authorized as a Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA), allowing it to register vulnerabilities discovered by or reported to EU CSIRTs for coordinated disclosure.

ENISA plans to further develop the EUVD and its related services throughout 2025, incorporating feedback from stakeholders to ensure the platform evolves in line with operational needs and technological advancements.

“While navigating multiple sources for vulnerability information may create new challenges for CISOs, the new service appears to be off to a good start. Time will tell if the EU is able to manage the program as the number of CVEs that need to be analyzed and curated grows exponentially year over year. It remains to be seen how this will change in the era of vibe coding, but early signals indicate that the rate of new software issues will continue to accelerate,” says Jeff Williams, CTO of Contrast Security.