New EU Vulnerability Database Will Complement Existing Sources, At Least For Now
May 16, 2025
With the CVE program famously facing funding difficulties, the EU has chosen an opportune time to roll out its new European Vulnerability Database. But, at least for the near term, the database looks to be leaning on the CVE database and other sources and acting as a complement rather than a potential replacement.
New vulnerability database backed by EU government support
Though the announcement comes just weeks after the CVE program had a brush with defunding and work stoppage, the timing appears to be mostly coincidental. The vulnerability database has been underway for some time as part of a broader grouping of initiatives meant to increase European independence.
The European Vulnerability Database will at least enjoy stable funding and the oversight of the European Union Agency for Cybersecurity (ENISA). At least one other CVE alternative has been tried, China’s CNNVD, but it is widely considered of limited use: the Chinese government is thought to reserve particularly good vulnerabilities for itself and not publish them for long periods after discovery, and some security researchers have noticed dates of publication being changed after the fact in an attempt to disguise this.
For now the European Vulnerability Database will likely draw heavily on the CVE program, which remains funded for a little under a year. It is unclear if US government funding will be renewed after that, but there are no indications of it as of yet. MITRE has spun the program off under the new non-profit CVE Foundation and is looking for private funding sources, and possible alternative government support, to keep it going.
Can the European Vulnerability Database ever serve as a CVE alternative?
The European Vulnerability Database will create its own identifiers for vulnerabilities, but also link them to existing CVE IDs. Aside from the CVE program, information on emerging vulnerabilities will come directly from vendors and from EU nation CSIRTs (Computer Security Incident Response Teams).
The vulnerability database is offering a unique dashboard view reserved for EU-coordinated vulnerabilities. Two other dashboard views will list critical and exploited vulnerabilities sourced from elsewhere. The near-term development plan for the rest of 2025 is to enhance the database, based to some degree on stakeholder feedback. CVE data will be automatically added to the European Vulnerability Database as it is published, and each nation will designate a computer security incident response team (CSIRT) to provide data under its Coordinated Vulnerability Disclosure (CVD) policies.
Though it’s not the magic solution to the uncertainty about the CVE system, the appearance of the European Vulnerability Database is definitely good news for the cybersecurity world. It at least has the potential to address existing coordination and “speed of delivery” issues and could very well be built out in time to be more than just a CVE redundancy system. That may depend on the future of MITRE’s program and whether it remains adequately funded beyond mid-2026; if CVEs still exist as the go-to information source, the security community might not have interest in another database to keep track of.



