Europe launches its own security database following CVE uncertainty

The European cybersecurity agency ENISA has launched the European Vulnerability Database (EUVD). This new service collects reliable information about cyber vulnerabilities in IT products and services and gives users direct access to measures to mitigate these vulnerabilities.

The EUVD consolidates information from various sources and ensures better analysis and correlation of vulnerabilities. This is an important step in the European cybersecurity strategy, especially now that the funding of MITRE’s US CVE database has recently been questioned.

Why a European vulnerability database?

The new database aims to ensure a high level of interconnection between publicly available information from various sources, including CSIRTs, suppliers, and existing databases. By working with a holistic approach, the EUVD can better analyze and correlate vulnerabilities using the open-source software Vulnerability Lookup.

This will give Europe its own reliable source of vulnerability data. The need for such a source became a hot topic last month, when the US MITRE CVE database almost went offline due to a loss of funding and was saved at the last minute with an 11-month extension.

Henna Virkkunen, European Commissioner for Technological Sovereignty, Security and Democracy, calls the EU Vulnerability Database an important step in strengthening Europe’s security and resilience. She emphasizes that bringing together vulnerability information relevant to the European market will raise cybersecurity standards.

How the EUVD works

The database’s information is displayed via dashboards with three different views: critical vulnerabilities, exploited vulnerabilities, and EU-coordinated vulnerabilities. The last of these lists vulnerabilities coordinated by European CSIRTs, including the members of the EU CSIRT network.

The information collected comes from open-source databases, supplemented by advice and warnings from national CSIRTs, mitigation and patching guidelines from suppliers, and markings of exploited vulnerabilities. Records in the EUVD may contain the following: a description of the vulnerability, affected IT products or services and/or affected versions, the severity of the vulnerability and how it can be exploited, and information on available patches or guidance from competent authorities.