Article Details

Scrape Timestamp (UTC): 2025-05-13 10:04:22.534

Source: https://www.theregister.com/2025/05/13/eu_security_bug_database/

Original Article Text

As US vuln-tracking falters, EU enters with its own security bug database

EUVD comes into play not a moment too soon

The European Vulnerability Database (EUVD) is now fully operational, offering a streamlined platform to monitor critical and actively exploited security flaws amid the US struggles with budget cuts, delayed disclosures, and confusion around the future of its own tracking systems.

As of Tuesday, the full-fledged version of the website is up and running. "The EU is now equipped with an essential tool designed to substantially improve the management of vulnerabilities and the risks associated with it," ENISA Executive Director Juhan Lepassaar said in a statement announcing the EUVD.

"The database ensures transparency to all users of the affected ICT products and services and will stand as an efficient source of information to find mitigation measures," Lepassaar continued.

The European Union Agency for Cybersecurity (ENISA) first announced the project in June 2024 under a mandate from the EU's Network and Information Security 2 Directive, and quietly rolled out a limited-access beta version last month during a period of uncertainty surrounding the United States' Common Vulnerabilities and Exposures (CVE) program.

Register readers — especially those tasked with vulnerability management — will recall that the US government's funding for the CVE program was set to expire in April until the US Cybersecurity and Infrastructure Security Agency, aka CISA, swooped in at the 11th hour and renewed the contract with MITRE to operate the initiative.

More broadly, Uncle Sam has been hard at work slashing CISA and other cybersecurity funding while key federal employees responsible for the US government's secure-by-design program have jumped ship.

Plus, on Monday, CISA said it would no longer publish routine alerts - including those detailing exploited vulnerabilities - on its public website. Instead, these updates will be delivered via email, RSS feeds, and the agency's account on X.

With all this, a cybersecurity professional could be forgiven for doubting the US government's commitment to hardening networks and rooting out vulnerabilities. Enter the EUVD.

The EUVD is similar to the US government's National Vulnerability Database (NVD) in that it identifies each disclosed bug (with both a CVE-assigned ID and its own EUVD identifier), notes the vulnerability's criticality and exploitation status, and links to available advisories and patches.

Unlike the NVD, which is still struggling with a backlog of vulnerability submissions and is not very easy to navigate, the EUVD is updated in near real-time and highlights both critical and exploited vulnerabilities at the top of the site.

The EUVD provides three dashboard views: one for critical vulnerabilities, one for those actively exploited, and one for those coordinated by members of the EU CSIRTs network. Information is sourced from open-source databases as well as advisories and alerts issued by national CSIRTs, mitigation and patching guidelines published by vendors, and exploited vulnerability details.

ENISA is also a CVE Numbering Authority (CNA), meaning it can assign CVE identifiers and coordinate vulnerability disclosures under the CVE program. Even as an active CNA, however, ENISA seems to be in the dark about what's next for the embattled US-government-funded CVE program, which is only under contract with MITRE until next March.

The launch announcement notes that "ENISA is in contact with MITRE to understand the impact and next steps following the announcement on the funding to the Common Vulnerabilities and Exposures Program."

Daily Brief Summary

NATION STATE ACTIVITY // EU Launches Security Database Amid US CVE Program Uncertainty

The European Union fully launched the European Vulnerability Database (EUVD) as a proactive measure against security threats, amid uncertainty in US vulnerability tracking.

The EUVD offers timely updates and transparency on exploited and critical vulnerabilities, presented through easily navigable dashboard views.

This development is in response to the US's budget cuts and operational challenges within its own vulnerability tracking system, which faces potential funding expirations and confusion regarding program continuation.

The EUVD is designed to provide a comprehensive source of mitigation measures for affected ICT products and aims to improve overall vulnerability management.

Amid these changes, CISA has stopped publishing routine alerts, including those on exploited vulnerabilities, on its public website; they are now delivered via email, RSS feeds, and the agency's X account.

ENISA, itself a CVE Numbering Authority, is in contact with MITRE to understand the impact of the funding announcement on the US CVE program and the next steps.

The EUVD system was developed under the EU's Network and Information Security 2 Directive, highlighting the bloc's prioritization of robust cybersecurity infrastructures.