As US CVE Database Fumbles, EU ‘Replacement’ Goes Live
European Union Vulnerability Database (EUVD) launches this week. And not a moment too soon.
The EU Agency for Cybersecurity (ENISA) has brought EUVD out of beta. Born from a 2022 EU law, EUVD will work alongside MITRE’s Common Vulnerabilities and Exposures database (CVE)—the future of which is still hazy after last month’s last-minute funding reprieve.
ENISA executive director Juhan Lepassaar (pictured) is keen to get on with the job. In today’s SB Blogwatch, we take this kiss throughout the world.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: APT. Song.
This kiss to the whole world!
What’s the craic? John E. Dunn reports: New EU vulnerability database will complement CVE program, not compete with it, says ENISA
“Good timing”
From this week, the global technology industry has a new database to check for the latest software security flaws. … Made operational by … ENISA to fulfil the EU’s NIS2 cybersecurity Directive, EUVD joins a small but important group of global vulnerability tracking platforms headed by the world-famous US … CVE program.
…
EUVD flaws will be cross-referenced with a CVE identifier where one is available. … For example, a critical vulnerability affecting SAP’s NetWeaver … reported this week can be tracked as EUVD-2025-14349 or CVE-2025-42999.
…
[It’s] a case of good timing. For a few hours in April, it looked as though there was a chance that the CVE program might shut down after a quarter of a century when … DHS failed to renew the contract with the non-profit that operates it, MITRE. … The near-death experience has reminded the industry of criticisms that have been levelled at the CVE program, which operates in conjunction with the US National Vulnerability Database (NVD), run separately by NIST.
What did custom stern divide, Mirko Zorz’ enchantments bind together: European Vulnerability Database goes live
“Accessible to the public”
The EUVD is designed to ensure a high level of interconnection of publicly available information from multiple sources, including Computer Security Incident Response Teams (CSIRTs), vendors, and existing databases. It offers three distinct dashboard views:
— Critical vulnerabilities: Highlighting vulnerabilities with severe implications.
— Exploited vulnerabilities: Focusing on vulnerabilities currently being exploited.
— EU Coordinated vulnerabilities: Showcasing vulnerabilities coordinated by [EU] CSIRTs.
Each entry in the database includes a description of the vulnerability, affected ICT products or services, severity levels, exploitation methods, and available mitigation measures or patches. The database is accessible to the public.
Horse’s mouth? ENISA’s executive director, Juhan Lepassaar becomes a brother: Consult the European Vulnerability Database to enhance your digital security!
“ENISA is in contact with MITRE”
ENISA achieves a milestone with the implementation of the vulnerability database requirement from the NIS 2 Directive. The EU is now equipped with an essential tool designed to substantially improve the management of vulnerabilities and the risks associated with it. The database ensures transparency to all users of the affected ICT products and services and will stand as an efficient source of information to find mitigation measures.
…
ENISA initiated a cooperation with different EU and international organisations including MITRE’s CVE Programme. ENISA is in contact with MITRE to understand the impact and next steps following the announcement on the funding to the Common Vulnerabilities and Exposures Program. CVE data, data provided by ICT vendors disclosing vulnerability information via advisories, and relevant information such as CISA’s Known Exploited Vulnerability Catalogue are automatically transferred into the EUVD.
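Two points in the quotes above come down to the same engineering task: Dunn notes that one SAP NetWeaver flaw is tracked as both EUVD-2025-14349 and CVE-2025-42999, and ENISA says CVE data, vendor advisories and CISA's KEV catalogue are all fed into EUVD automatically. A defender pulling from several of those feeds has to merge records that arrive under different identifiers, or the "fragmentation" concern raised later on this page becomes real in their own tracker. The example below is added here and is not ENISA's code or anything from the EUVD; the identifier regexes, the feed layout, the CVSS score, the mitigation text and the second EUVD id are all constructed assumptions. It unions entries that share any id, keys each merged record by its CVE id where one exists, and derives the "critical" and "exploited" views ENISA describes.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Identifier syntax assumed from the two IDs quoted above (EUVD-2025-14349,
# CVE-2025-42999); this is the example's own assumption, not an official grammar.
ID_PATTERNS = {
    "CVE": re.compile(r"^CVE-\d{4}-\d{4,}$"),
    "EUVD": re.compile(r"^EUVD-\d{4}-\d+$"),
}


def id_scheme(vuln_id: str) -> str:
    """Return 'CVE' or 'EUVD' for a well-formed identifier; reject anything else."""
    for scheme, pattern in ID_PATTERNS.items():
        if pattern.match(vuln_id):
            return scheme
    raise ValueError(f"unrecognised vulnerability identifier: {vuln_id!r}")


@dataclass
class VulnRecord:
    """One flaw, however many feeds and identifiers it arrived under."""
    ids: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    description: str = ""
    cvss: Optional[float] = None
    exploited: bool = False
    mitigations: list = field(default_factory=list)


def canonical_key(ids) -> str:
    """Key the merged record by its CVE id when one exists (the id EUVD
    cross-references to); fall back to the EUVD id when no CVE is assigned."""
    cves = sorted(i for i in ids if id_scheme(i) == "CVE")
    return cves[0] if cves else sorted(ids)[0]


def merge_feeds(entries):
    """Union-find over identifiers: any two entries sharing an id (or bridged
    by an entry that lists both ids) collapse into one VulnRecord."""
    parent = {}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for entry in entries:
        ids = entry["ids"]
        for i in ids:
            id_scheme(i)  # a malformed id is a feed bug; fail loudly
            parent.setdefault(i, i)
        for i in ids[1:]:
            root_a, root_b = find(ids[0]), find(i)
            if root_a != root_b:
                parent[root_b] = root_a

    merged = {}
    for entry in entries:
        rec = merged.setdefault(find(entry["ids"][0]), VulnRecord())
        rec.ids.update(entry["ids"])
        rec.sources.add(entry["source"])
        if entry.get("description") and not rec.description:
            rec.description = entry["description"]
        if entry.get("cvss") is not None:
            rec.cvss = max(rec.cvss or 0.0, entry["cvss"])  # keep the worst score
        rec.exploited = rec.exploited or bool(entry.get("exploited"))
        rec.mitigations.extend(entry.get("mitigations", []))
    return {canonical_key(r.ids): r for r in merged.values()}


def critical_view(records, threshold=9.0):
    """'Critical' dashboard: CVSS at or above 9.0 (the CVSS v3 Critical floor)."""
    return sorted(k for k, r in records.items()
                  if r.cvss is not None and r.cvss >= threshold)


def exploited_view(records):
    """'Exploited' dashboard: anything a KEV-style feed marked as exploited."""
    return sorted(k for k, r in records.items() if r.exploited)


# Constructed sample feeds. The SAP NetWeaver pair of ids is the one quoted
# above; the score, mitigation text and the second EUVD id are made up here.
SAMPLE_FEEDS = [
    {"source": "cve", "ids": ["CVE-2025-42999"],
     "description": "SAP NetWeaver (constructed description)", "cvss": 9.1},
    {"source": "euvd", "ids": ["EUVD-2025-14349", "CVE-2025-42999"],
     "mitigations": ["apply the vendor patch (constructed text)"]},
    {"source": "kev", "ids": ["CVE-2025-42999"], "exploited": True},
    {"source": "euvd", "ids": ["EUVD-2025-00000"],
     "description": "constructed entry with no CVE counterpart", "cvss": 5.0},
]

if __name__ == "__main__":
    records = merge_feeds(SAMPLE_FEEDS)
    for key, rec in records.items():
        print(key, sorted(rec.ids), sorted(rec.sources), rec.cvss, rec.exploited)
    print("critical:", critical_view(records))
    print("exploited:", exploited_view(records))
```

The merge is keyed on the CVE id deliberately: that is the identifier the other feeds (vendor advisories, KEV) already use, so a flaw seen first in EUVD and later assigned a CVE folds into one record instead of two. Validating every id before merging matters too, since a feed that emits a malformed id silently creates a phantom entry that never joins its siblings.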
ELI5? Peter Lowe explains like you’re five:
In response to nothing at all in particular, the EU have started their own vulnerability database. This is an excellent thing.
What did we achieve? SeanWrightSec is good friend of a friend to be:
While I get the desire to have this, the problem that I now worry about is that this is going to fragment vulnerabilities. So making an already difficult problem even harder.
…
Having said that, I do like the critical and exploited vulnerabilities sections, as well as the search functionality.
Lovely. Julia Clement joins us in their jubilee:
Delayed disclosures [have] long worried me. Cynical voices have suggested that the US Government run service would have an incentive to delay reporting of vulnerabilities that US Government agencies are actively exploiting. Having multiple, independent, reporting systems can only improve transparency.
Homage pays to sympathy, am I right? On high, tptacek reigneth:
CISA did in fact end up funding NVD. I wish people cared less about this particular issue, though, because we’d do fine with a non-government-sponsored CVE.
…
MITRE could just take the existing database and pass a hat around to industry and keep the current program going. … Microsoft or Google could fund it with pocket change. Much bigger projects than the NVD are open and funded by industry.
Joy is drunk by every being. This Anonymous Coward gave us both vines and kisses:
Waiting for the first US company to sue EU for disclosing some vulnerability: Your honour, our software is perfect; this is defamation.
Meanwhile, to Robert Jan were given blisses: [That’s enough Ode to Joy—Ed.]
Not only the top critical bugs are provided by Microsoft Azure, the whole project is running on Azure as well.
And Finally:
The latest episode of, “You’ve heard APT. a million times before.”
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: European Union Agency for Cybersecurity (ENISA)—used with permission.