As US vuln-tracking falters, EU enters with its own security bug database

(2025/05/13)


The European Vulnerability Database (EUVD) is now fully operational, offering a streamlined platform to monitor critical and actively exploited security flaws as the US struggles with budget cuts, delayed disclosures, and confusion around the future of its own tracking systems.

As of Tuesday, the [1]full-fledged version of the website is up and running.

"The EU is now equipped with an essential tool designed to substantially improve the management of vulnerabilities and the risks associated with it," ENISA Executive Director Juhan Lepassaar said in a statement announcing the EUVD.

"The database ensures transparency to all users of the affected ICT products and services and will stand as an efficient source of information to find mitigation measures," Lepassaar continued.

The European Union Agency for Cybersecurity (ENISA) first announced the project in June 2024 under a mandate from the EU's Network and Information Security 2 Directive, and quietly rolled out a limited-access beta version last month during a period of uncertainty surrounding the United States' [5]Common Vulnerabilities and Exposures (CVE) program.

Register readers — especially those tasked with vulnerability management — will recall that the US government's funding for the CVE program was [6]set to expire in April until the US Cybersecurity and Infrastructure Security Agency, aka CISA, swooped in at the 11th hour and [7]renewed the contract with MITRE to operate the initiative.

More broadly, Uncle Sam has been hard at work [9]slashing CISA and other [10]cybersecurity funding while key federal employees responsible for the US government's secure-by-design program have [11]jumped ship.

Plus, on Monday, CISA said it would [12]no longer publish routine alerts - including those detailing exploited vulnerabilities - on its public website. Instead, these updates will be delivered via email, RSS feeds, and the agency's account on X.

With all this, a cybersecurity professional could be forgiven for doubting the US government's commitment to hardening networks and rooting out vulnerabilities.

Enter the [14]EUVD. The EUVD is similar to the US government's [15]National Vulnerability Database (NVD) in that it identifies each disclosed bug (with both a CVE-assigned ID and its [16]own EUVD identifier), notes the vulnerability's criticality and exploitation status, and links to available advisories and patches.

Unlike the NVD, which is still [17]struggling with a backlog of vulnerability submissions and is not very easy to navigate, the EUVD is updated in near real-time and highlights both critical and exploited vulnerabilities at the top of the site.

[18]CVE fallout: The splintering of the standard vulnerability tracking system has begun

[19]Amid CVE funding fumble, 'we were mushrooms, kept in the dark,' says board member

[20]CISA slammed for role in 'censorship industrial complex' as budget faces possible $500M cut

[21]Ex-CISA chief decries cuts as Trump demands loyalty above all else

The EUVD provides three dashboard views: one for critical vulnerabilities, one for those actively exploited, and one for those coordinated by members of the [22]EU CSIRTs network.

Information is sourced from open-source databases as well as advisories and alerts issued by national CSIRTs, mitigation and patching guidelines published by vendors, and exploited vulnerability details.

ENISA is also a [23]CVE Numbering Authority (CNA), meaning it can assign CVE identifiers and coordinate vulnerability disclosures under the CVE program. Even as an active CNA, however, ENISA seems to be in the dark about what's next for the embattled US-government-funded CVE program, which is only under contract with MITRE until next March.

The launch announcement notes that "ENISA is in contact with MITRE to understand the impact and next steps following the announcement on the funding to the Common Vulnerabilities and Exposures Program." ®



[1] https://euvd.enisa.europa.eu/

[5] https://www.theregister.com/2025/04/25/cve_board_funding/

[6] https://www.theregister.com/2025/04/16/homeland_security_funding_for_cve/

[7] https://www.theregister.com/2025/04/16/cve_program_funding_save/

[9] https://www.theregister.com/2025/05/06/cisa_budget_cuts/

[10] https://www.theregister.com/2025/04/08/cisa_cuts_threat_intel/

[11] https://www.theregister.com/2025/04/22/top_cisa_officials_jump_ship/

[12] https://www.theregister.com/2025/05/12/cisa_vulnerabilities_updates_x/

[14] https://euvd.enisa.europa.eu/

[15] https://nvd.nist.gov/

[16] https://euvd.enisa.europa.eu/faq

[17] https://www.theregister.com/2025/04/14/security_in_brief/

[18] https://www.theregister.com/2025/04/18/splintering_cve_bug_tracking/

[19] https://www.theregister.com/2025/04/25/cve_board_funding/

[20] https://www.theregister.com/2025/05/06/cisa_budget_cuts/

[21] https://www.theregister.com/2025/04/30/excisa_boss_agency_cuts/

[22] https://csirtsnetwork.eu/

[23] https://www.enisa.europa.eu/news/another-step-forward-towards-responsible-vulnerability-disclosure-in-europe



Evil Auditor

Somehow, I'd wish EUVD charged US Federal Administration users for using their database. But that's just silly, vengeful me. In the end, I'm just glad the EU has its beta version up and running.

Doctor Syntax

But, of course, these things are done for the greater good and that includes the US even as it deliberately changes itself from "greater" to "lesser".

Furious Reg reader John

Perhaps the US should have been charging non-US users of US funded systems for the decades they have been using them?

nobody who matters

From where I sit, it appears that it is the US from whence the vulnerable software mostly emanates, so perhaps it is not unreasonable for others outside the US to expect to be allowed to use the US funded systems for free to help protect themselves against those vulnerabilities ;)

Soft power

Dan 55

It seems Trump is charging import tariffs on soft power and it's being delivered to the EU instead.

Prediction

Philip Storry

US: Now that the EU can do it, why should we pay for this? We're being taken advantage of! Let's end this!

Rest of World: *** facepalms ***

EU: OK, fine. Someone has to do it, after all.

*** EU takes over CVE handling ***

*** Six months later ***

US: Look at all these CVEs for good, honest, American companies! The EU is bullying us by advertising these security faults!

EU: *** facepalms ***

Rest of World: *** facepalms ***

Re: Prediction

Anonymous Coward

Waiting for the first US company to sue the EU for disclosing some vulnerability.

Your honour, our software is perfect, this is defamation.

Re: Prediction

seven of five

Oracle, probably.

Trump announces tariffs on EU CVEs

Empire of the Pussycat

Vows to Make America Breached Again
