A new vulnerability database launched by the European Union could shake up an ecosystem long dominated by the United States. The centerpieces of that system have been the National Vulnerability Database (NVD), maintained by the U.S. National Institute of Standards and Technology (NIST), and the Common Vulnerabilities and Exposures (CVE) numbering system, maintained under contract by U.S. corporation Mitre. Both the NVD and CVE have been plagued by problems in recent times, which has opened the door for the European offering.
Sylvain Cortes, vice president for strategy at Lyon, France-based Hackuity, said the new European Union Vulnerability Database (EUVD) being launched by the EU Agency for Cybersecurity (ENISA) is a solid initiative that can fill the gap caused by recent funding issues around Mitre's CVE program. He added that it is also uncertain whether the Mitre database will continue to exist after the company's new contract expires in 10 months’ time.
"It’s an even greater alternative when you consider the fact that the NVD has suffered backlogs in the past," Cortes said.
"Ultimately, we need a source for all vulnerabilities that is reliable and open, and we hope that the new EUVD will provide this."
—Sylvain Cortes
Ferhat Dikbiyik, chief research and intelligence officer at Black Kite, said the EUVD is "a signal" that it is a mistake to rely on a single vulnerability database.
"Europe wants a seat at the table when it comes to vulnerability coordination. For years, the world has relied almost exclusively on the CVE system. It has been working, but recent funding issues show the danger of putting all our trust in a single thread."
—Ferhat Dikbiyik
Dikbiyik said the EUVD brings resilience. "In cybersecurity, redundancy isn’t wasteful. It’s smart. It is a common practice in cybersecurity. So why not bring it to vulnerability tracking?"
Here's what your application security (AppSec) team needs to know about the EUVD — and the bigger picture for the shakeup of the vulnerability database ecosystem.
EUVD is not meant to stand alone
Technically, the EUVD is still in beta, Dikbiyik said, but the database's open design, use of machine-readable data, and public consultation process show it’s serious.
"The real challenge now is adoption. A new database is only as strong as the community behind it. If EUVD becomes a parallel track, aligned and interoperable with CVE, it could strengthen the global ecosystem. But if it drifts into fragmentation, it could complicate things. This is a strategic move, timely, necessary, and worth watching closely."
—Ferhat Dikbiyik
One key aspect of the EUVD is that it is not a standalone vulnerability management system. A statement by ENISA stresses that the EUVD's mission is to provide aggregated, reliable, and actionable information, such as mitigation measures and exploitation status, on cybersecurity vulnerabilities affecting information and communication technology (ICT) products and services. Its objective: to ensure a high level of interconnection of publicly available information from multiple sources, such as computer security incident response teams (CSIRTs), vendors, and existing databases.
To meet that objective, the EUVD platform is adopting a holistic approach, which includes support for Vulnerability-Lookup, an open-source software application, ENISA said in its statement.
Gary Schwartz, senior vice president of NetRise, said that while the use of Vulnerability-Lookup could complement the other vulnerability databases globally by expanding visibility, the real value of the new database comes from contextualization and action. Effective risk management requires turning raw data into prioritized insights, especially with evolving regulations, he said.
"Automation and intelligent analysis are critical here. If the EUVD integrates with broader risk frameworks, it could enhance decision making, but it’s not a standalone solution. Ideally, there would be a consortium of organizations, both private and public, that would aggregate data from the many vulnerability databases that already exist."
—Gary Schwartz
To meet the requirements of the EU's Network and Information Security Directive 2 (NIS2), ENISA has initiated cooperation with various EU and international organizations, including Mitre's CVE program. In addition, CVE data, data provided by ICT vendors disclosing vulnerability information via advisories, and relevant information, such as the Known Exploited Vulnerability Catalog (KEV) from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), are automatically transferred into the EUVD.
EUVD data records will include a description of the vulnerability; ICT products or ICT services and their versions affected by the vulnerability; the severity of the vulnerability and how it could be exploited; and information on existing relevant available patches or guidance provided by competent authorities, including CSIRTs, and addressed to users on how to mitigate risks.
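The aggregation ENISA describes above (CVE records, vendor advisories and the CISA KEV catalog merged into one record that carries affected versions, severity, exploitation status and remediation guidance) can be sketched in code. The following is an added example, not ENISA's or the EUVD's own code. The EUVD's record schema is not given on the page, so the merged record's fields, the input shapes (CVE JSON 5.x-style records, a KEV-style catalog, a made-up vendor advisory list) and the prioritization rule are assumptions of this example, and every sample value, including the CVE-2099-* identifiers, is constructed.

```python
"""Merge several vulnerability feeds into one aggregated, EUVD-style record.

Assumption: the output schema below is this example's own, not the EUVD's.
All sample data is constructed; CVE-2099-* IDs are placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed CVE records shaped like the CVE JSON 5.x format (field names
# follow that format; vendors, products, scores and IDs are made up).
CVE_RECORDS = [
    {"cveMetadata": {"cveId": "CVE-2099-0001"},
     "containers": {"cna": {
         "descriptions": [{"lang": "en", "value": "Buffer overflow in Widget service"}],
         "affected": [{"vendor": "ExampleCorp", "product": "Widget",
                       "versions": [{"version": "1.0", "lessThan": "1.4", "status": "affected"}]}],
         "metrics": [{"cvssV3_1": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
    {"cveMetadata": {"cveId": "CVE-2099-0002"},
     "containers": {"cna": {
         "descriptions": [{"lang": "en", "value": "Information disclosure in Gadget API"}],
         "affected": [{"vendor": "ExampleCorp", "product": "Gadget",
                       "versions": [{"version": "2.1", "status": "affected"}]}],
         "metrics": [{"cvssV3_1": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]}}},
    {"cveMetadata": {"cveId": "CVE-2099-0003"},   # no CVSS metrics yet
     "containers": {"cna": {
         "descriptions": [{"lang": "en", "value": "Unspecified issue in Gizmo agent"}],
         "affected": [{"vendor": "OtherVendor", "product": "Gizmo",
                       "versions": [{"version": "0.9", "lessThanOrEqual": "1.2", "status": "affected"}]}],
         "metrics": []}}},
]

# Constructed catalog shaped like CISA's KEV JSON (field names follow KEV).
KEV_CATALOG = {"vulnerabilities": [
    {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCorp", "product": "Widget",
     "dateAdded": "2025-05-01", "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Known"},
]}

# Constructed vendor advisory feed; this shape is an assumption of the example.
VENDOR_ADVISORIES = [
    {"cve": "CVE-2099-0001", "patched_in": "1.4", "url": "https://vendor.example/adv-0001"},
    {"cve": "CVE-2099-0003", "patched_in": "1.3", "url": "https://other.example/adv-0003"},
]


@dataclass
class AggregatedRecord:
    cve_id: str
    description: str
    affected: List[dict] = field(default_factory=list)   # vendor, product, version_range
    base_score: Optional[float] = None
    severity: Optional[str] = None
    exploitation_status: str = "unknown"                 # "known-exploited" when listed in KEV
    ransomware_use: bool = False
    remediation: List[str] = field(default_factory=list)  # patches and authority guidance


def _version_range(v: dict) -> str:
    """Render a CVE 5.x version object as a human-readable range."""
    lo = v.get("version", "?")
    if "lessThan" in v:
        return f">= {lo}, < {v['lessThan']}"
    if "lessThanOrEqual" in v:
        return f">= {lo}, <= {v['lessThanOrEqual']}"
    return f"== {lo}"


def aggregate(cve_records, kev_catalog, vendor_advisories) -> Dict[str, AggregatedRecord]:
    """Join the three feeds on CVE ID; KEV membership sets exploitation status."""
    kev_by_id = {e["cveID"]: e for e in kev_catalog["vulnerabilities"]}
    advisories_by_id: Dict[str, List[dict]] = {}
    for adv in vendor_advisories:
        advisories_by_id.setdefault(adv["cve"], []).append(adv)

    out: Dict[str, AggregatedRecord] = {}
    for rec in cve_records:
        cve_id = rec["cveMetadata"]["cveId"]
        cna = rec["containers"]["cna"]
        desc = next((d["value"] for d in cna.get("descriptions", [])
                     if d.get("lang", "").startswith("en")), "")
        agg = AggregatedRecord(cve_id=cve_id, description=desc)
        for a in cna.get("affected", []):
            for v in a.get("versions", []):
                if v.get("status") == "affected":
                    agg.affected.append({"vendor": a.get("vendor"), "product": a.get("product"),
                                         "version_range": _version_range(v)})
        for m in cna.get("metrics", []):
            cvss = m.get("cvssV3_1") or m.get("cvssV4_0")
            if cvss:                                   # first usable CVSS block wins
                agg.base_score = float(cvss["baseScore"])
                agg.severity = cvss.get("baseSeverity")
                break
        kev = kev_by_id.get(cve_id)
        if kev:
            agg.exploitation_status = "known-exploited"
            agg.ransomware_use = kev.get("knownRansomwareCampaignUse") == "Known"
            agg.remediation.append(f"CISA KEV (added {kev['dateAdded']}): {kev['requiredAction']}")
        for adv in advisories_by_id.get(cve_id, []):
            agg.remediation.append(f"Vendor fix in {adv['patched_in']}: {adv['url']}")
        out[cve_id] = agg
    return out


def prioritize(records: Dict[str, AggregatedRecord]) -> List[AggregatedRecord]:
    """Known-exploited first, then higher CVSS; records with no score go last."""
    def key(r: AggregatedRecord):
        score = r.base_score if r.base_score is not None else -1.0
        return (r.exploitation_status != "known-exploited", -score, r.cve_id)
    return sorted(records.values(), key=key)


if __name__ == "__main__":
    for r in prioritize(aggregate(CVE_RECORDS, KEV_CATALOG, VENDOR_ADVISORIES)):
        print(r.cve_id, r.severity, r.exploitation_status, r.remediation)
```

The point of the join is the one ENISA's statement makes: the CVE record alone tells you what is affected and how severe it is, the KEV entry tells you whether it is being exploited, and the vendor advisory tells you what fixes it; only the merged record is actionable. The missing-metrics case (CVE-2099-0003) is deliberate, since a record with no score must not silently sort above scored ones.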
Vulnerability management thinks globally, acts locally
Nathaniel Jones, vice president for security and AI strategy at Darktrace, said the EUVD is a victory for the global cybersecurity community. While there will be operational issues to work out, he said, the basics of maintaining information from Mitre's CVE program and CISA’s KEV are encouraging.
"Additionally, the EU taking on CVE Numbering Authority [CNA] status will help to address historic coordination gaps. It’s also sound risk management to avoid single points of failure in global vulnerability reporting and can help reduce lags in reporting time."
—Nathaniel Jones
Darren Guccione, CEO of Keeper Security, called the EUVD a significant milestone in building and maturing cybersecurity defenses for Europe — and the global cybersecurity community. "Large databases like the EUVD offer enhanced transparency and shared knowledge while providing critical redundancy for existing databases," Guccione said.
"The EUVD is a great example of what large-scale collaboration can produce. ENISA has demonstrated teamwork and cooperation with CISA and Mitre — incorporating relevant data from the KEV catalog and Common Vulnerabilities and Exposures database. Together, these sources make the EUVD a powerhouse of knowledge to be consulted across the globe."
—Darren Guccione
Julian Brownlow Davies, vice president for advanced services at Bugcrowd, said that the EUVD reflects a broader trend of governments asserting digital sovereignty in cybersecurity infrastructure. "While it’s great to see Europe investing in its own vulnerability coordination, the challenge will be staying operationally relevant," Davies stressed.
"Unlike KEV or private sources, like VulnDB, which offer enriched context and exploit prioritization, the EUVD will need tight integration and real-time rigor to be more than just a parallel record. There is a risk of fragmentation here. Security teams don’t need more databases. They need better signal."
—Julian Brownlow Davies

Article Link: Europe's EUVD could shake up the vulnerability database ecosystem