The EU cybersecurity company ENISA on Tuesday introduced the official launch of the European Vulnerability Database, or EUVD. Business professionals imagine the EUVD generally is a helpful useful resource, however the company wants to make sure it stays related.
The EUVD is remitted by the NIS2 Directive, the EU baseline framework for cybersecurity danger administration and incident reporting. The database goals to supply “aggregated, dependable, and actionable info”, together with exploitation standing and mitigation measures, on vulnerabilities affecting IT, OT and IoT merchandise.
The database is accessible totally free to anybody. It consists of info sourced from distributors, incident response groups, and different vulnerability databases, akin to CISA’s Identified Exploited Vulnerabilities (KEV) catalog and MITRE’s CVE Program. It’s additionally price noting that ENISA has been a CVE Numbering Authority (CNA) since 2024 and it might probably additionally assign CVE identifiers to vulnerabilities.
SecurityWeek has reached out to a number of specialists to get their ideas on the brand new EUVD, significantly in mild of the latest points plaguing the CVE Program and the Nationwide Vulnerability Database (NVD).
“There’s a protracted historical past of vulnerability databases, so it’s not unusual to see new vulnerability and exploit database sources emerge. Within the case of ENISA, it is smart that the EU would desire a regional database—even when it’s largely redundant with the CVE Program—as a result of it permits for better management and customization tailor-made to regional stakeholders,” stated Patrick Garrity, safety researcher at vulnerability administration agency VulnCheck.
“The ENISA initiative was not supposed to switch the CVE Program; in reality, it was developed in shut coordination with it. That stated, its launch does come at a time when considerations about NIST NVD and the CVE Program’s funding disaster have been broadly voiced,” Garrity added.
VulnCheck maintains its personal KEV catalog for purchasers, and it at the moment shops information on practically 3 times extra vulnerabilities in comparison with CISA’s KEV and the EUVD, primarily based on an evaluation by SecurityWeek.
Nathaniel Jones, VP of Safety & AI Technique and Area CISO at Darktrace, described the EU Vulnerability Database as “a win for the worldwide cybersecurity group”. Commercial. Scroll to proceed studying.
“Whereas there will likely be operational kinks to work out, the fundamentals of sustaining info from MITRE’s CVE Program and CISA’s KEV are encouraging,” Jones stated. “It’s sound danger administration to keep away from single factors of failure in world vulnerability reporting and may also help scale back lags in reporting time.”
Alternatively, Julian Brownlow Davies, VP of Superior Companies at bug bounty platform Bugcrowd, identified that there are specific challenges that ENISA wants to beat to ensure that the database to remain operationally related.
“Not like KEV or personal sources like VulnDB, which provide enriched context and exploit prioritization, the EUVD will want tight integration and real-time rigor to be greater than only a parallel report. There’s a danger of fragmentation right here. Safety groups don’t want extra databases; they want higher sign,” Davies instructed SecurityWeek.
Associated: CVE and NVD – A Weak and Fractured Supply of Vulnerability Fact
Associated: White Home Proposal Slashes Half-Billion From CISA Price range
