Faced with doubts about the future of the United States' security vulnerability database, the European Union has decided to create its own. It is the EUVD (European Vulnerability Database). It is already operational and available through its website, and it offers a platform for monitoring critical and actively exploited security flaws.
In this way, the EU avoids depending on the United States' vulnerability database, which faces strong uncertainty about its future due to government budget cuts, delayed publications and confusion about the future of vulnerability tracking systems in the country.
The EU agency dedicated to cybersecurity, ENISA, announced the project in June 2024 and launched its test version last month, coinciding with a period in which uncertainty around the United States' Common Vulnerabilities and Exposures (CVE) program increased.
At that time, the United States government decided to eliminate funding for the CVE program, which implied that it would end in April. But at the last moment, CISA, the United States Cybersecurity and Infrastructure Security Agency, was able to renew the contract with MITRE so that the initiative remains in operation. This has not stopped the authorities from continuing to cut funding for CISA and other areas related to cybersecurity. In addition, quite a few federal employees responsible for the US Government's security program have resigned or been dismissed.
In addition, this week CISA has confirmed that it will no longer publish routine notices on its website, not even those that provide details about exploited vulnerabilities. From now on it will send them by email, through RSS feeds or via the agency's account on X. All this leaves IT teams and cybersecurity professionals with many doubts about the present and future of the CVE program and, moreover, about the commitment of the United States authorities to strengthening networks and eliminating security vulnerabilities.
The EUVD is similar to the US Government's National Vulnerability Database (NVD). It identifies each flaw it lists both with the ID assigned by CVE and with its own identifier. It also labels each one with its criticality level and its exploitation status. In addition, it complements this information with links to available patches and advice on preventing problems.
Unlike the NVD, which currently has delays in publishing vulnerabilities and is not easy to navigate, the EUVD is updated almost in real time and highlights both critical and exploited vulnerabilities by placing them at the top of the list. It also offers three dashboard views: one for critical vulnerabilities, another for those being actively exploited and another for those coordinated by the members of the EU CSIRT network.
The information it offers comes from open source databases, as well as notices and alerts issued by national CSIRTs, patching and mitigation guidelines published by security vendors and details of exploited vulnerabilities.
For now, even ENISA does not know what will happen with the US Government's CVE program, which only has a contract with MITRE until next March. According to those responsible, they are in contact with MITRE to understand the impact of the announcements about the funding of the CVE program and the next steps to take, depending on what happens to it in the future.
In any case, as confirmed by the Executive Director of ENISA, Juhan Lepassaar, "The EU is already equipped with an essential tool designed to significantly improve the management of vulnerabilities and risks associated with them. The database ensures transparency, for all users, of all information and communications technology products and services, and is positioned as an efficient source of information to locate mitigation measures."