European Vulnerability Database Introduced in Response to US CVE Disruptions
Europe’s cybersecurity agency has officially launched a comprehensive vulnerability database initiative aimed at aiding network defenders amid ongoing challenges in the U.S. vulnerability management sector.
The new European Vulnerability Database (EUVD), developed by the European Union Agency for Cybersecurity (ENISA), has transitioned from its beta phase in accordance with the NIS2 directive. Functioning similarly to the U.S. National Vulnerability Database (NVD), the EUVD will serve as a centralized and aggregated repository for information concerning cybersecurity vulnerabilities, their exploitation status, and recommended mitigations.
The database will collect vulnerability information from diverse sources, including Computer Security Incident Response Teams (CSIRTs), vendors, and preexisting databases such as CISA’s Known Exploited Vulnerability Catalog and MITRE’s CVE program. This data will be seamlessly integrated into the EUVD to ensure timely updates.
ENISA has identified the primary users of the EUVD as the general public, network and information system providers, private companies, researchers, and national bodies like CSIRTs. This initiative responds to widespread concerns regarding the sustainability of the CVE program, especially following CISA’s recent last-minute extension of its contract with the non-profit MITRE.
The EUVD offers users access to three distinct dashboards: one focused on critical vulnerabilities, another on exploited vulnerabilities, and a third dedicated to vulnerabilities coordinated by European CSIRTs. Each entry in the database is assigned an “EUVD” identifier, alongside the associated CVE ID and potential identifiers from other sources, including the Cloud Security Alliance’s Global Security Database or GitHub Advisories.
Records within the EUVD may include:
– A description of the vulnerability
– Affected IT products or services, including affected versions and severity of the vulnerability
– Information regarding available patches and mitigation guidance from CSIRTs and other relevant authorities
“The EU is now equipped with an essential tool designed to substantially improve the management of vulnerabilities and associated risks,” stated ENISA Executive Director Juhan Lepassaar. “The database ensures transparency for all users of affected ICT products and services and will serve as an efficient source for finding effective mitigation measures.”