After the impending CVE blackout: EU vulnerability database goes live

Under the impression of an impending CVE shutdown, various initiatives and organizations tried to launch alternatives in the morning hours of 16 April. CVE stands for Common Vulnerabilities and Exposures and is used internationally to document security vulnerabilities.

The range of efforts is quite impressive: while some want to focus more on the organizational transfer of the CVE system into a foundation, EU cybersecurity authority ENISA quickly put its alternative solution, which was announced last year, online.

Back in June 2024, ENISA (European Network and Information Security Agency) announced that it was working on its own vulnerability database called the European Vulnerability Database in accordance with the NIS2 Directive. At the beginning of April, the database was surprisingly online – but only for a few hours. When asked by heise security, an ENISA spokesperson replied at the time that it was a functional test during development. Following MITRE's announcement of a possible shutdown, the decision was apparently made in Athens to put their money where their mouth was and seize the opportunity.

CISA: contract extension after all?

Meanwhile, US cybersecurity authority CISA has apparently exercised an option and extended the expiring contract at the last minute. At least that's what Metacurity reports on Mastodon, citing unnamed spokespeople at MITRE and CISA. Those responsible are simply waiting for the signature; there will soon be "good news".

MITRE in the US state of Virginia will see over 400 layoffs in June due to DOGE-related cutbacks, local news portal Virginia Business reported. 442 people are expected to lose their jobs by summer after various US government agencies have terminated their contracts with MITRE, the report added.

GCVE and CVE Foundation want to change the system

CIRCL (Computer Incident Response Center Luxembourg, the small state's government computer emergency response team) also apparently saw an opportunity to publicize its own CVE project: GCVE, the "Global CVE Allocation System", is intended to achieve a decentralized allocation of vulnerability identifiers, in contrast to the US and MITRE-centric current approach, while remaining CVE-compatible. The key point is an extension of the CVE ID, which currently consists of a year and sequence number, to include an identifier for the issuing authority, called CNA (CVE Numbering Authority) in CVE-Lingo. A GCVE ID therefore looks something like this: GCVE-12-2024-12345, allowing each CNA to use its own sequence numbers without having to coordinate with all the other issuing authorities.

A trick is also used to assign a CVE to the GCVE: The CNA number 0 is reserved for traditional CVE IDs, so CVE-2024-12345 becomes the GCVE ID GCVE-0-2024-12345. This does not work in the opposite direction because the CNA coding is lost. As the initiator, CIRCL has given itself the CNA ID 1.

A "CVE Foundation" has also issued a statement. On the domain "thecvefoundation.org", registered on April 15, the unknown authors write that they are part of a "coalition of long-time active members of the CVE Board" who have spent the past year planning the transition of the CVE system to a separate, non-commercial foundation. In the coming days, the authors added, they plan to release more information about the structure, planning and ways for the community to get involved.

heise security contacted the CVE Foundation in the early afternoon of April 16 and asked for a statement including identification of the project participants – as soon as we receive a response, we will update this post. Whether the initiatives to modernize and decentralize the CVE system will actually be implemented is currently completely open.

(cku)