Final Opportunity to Save the US Government’s CVE Program
In what can only be described as a last-minute decision, the United States government has decided not to abandon its Common Vulnerabilities and Exposures (CVE) program. Instead, it has opted to renew its funding agreement with MITRE, the organization responsible for maintaining the CVE list, for a period of approximately eleven months.
This renewal comes after fears that the program might be discontinued, which led some stakeholders to consider establishing an independent foundation to oversee CVE operations. The situation has also shone a spotlight on alternative initiatives aimed at vulnerability management, notably the European Vulnerability Database (EUVD). The groundwork for such efforts was laid with the adoption of the NIS2 Directive, which is overseen by the European Union Agency for Cybersecurity (ENISA).
European Vulnerability Database and Its Foundations
The EUVD relies on a tool named Vulnerability-Lookup, an open-source software licensed under the AGPL v3. This platform is co-funded by the European Union and the Cybersecurity Competence Center of Luxembourg. Its core mission is to facilitate the correlation of vulnerabilities by aggregating data from diverse sources, including:
– The exploited vulnerability catalog maintained by CISA
– The vulnerability database of the Fraunhofer Institute for Communication and Information Processing
– The Cloud Security Alliance’s Global Security Database
– OpenSSF’s malicious package repository
– GitHub and PySec advisories databases
– Japan Vulnerability Notes (JVN) via the iPedia database
– MITRE’s CWE (Common Weakness Enumeration) and CAPEC (Common Attack Pattern Enumeration and Classification)
– Data feeds from organizations such as Cisco, Microsoft, Nozomi Networks, Red Hat, and Siemens
European CSIRTs as CVE Authorities
Currently, the EUVD operates in a beta version. It offers three default filtered views for vulnerabilities:
– Critical vulnerabilities (CVSS score of 9 or higher)
– Actively exploited vulnerabilities
– Vulnerabilities “coordinated by CSIRTs,” meaning those vulnerabilities that have been assigned a CVE ID by ENISA and authorized CERT teams
Five European Computer Security Incident Response Teams (CSIRTs) have been granted the authority to assign CVE identifiers. These teams are:
– INCIBE (National Cybersecurity Institute of Spain), accredited by MITRE since January 2020
– NCSC-NL (Netherlands), accredited in July 2022
– SK-CERT (Slovakia), accredited in October 2022
– NCSC-FI (Finland), accredited in June 2023
– CERT-PL (Poland), accredited in August 2023
As of January 2024, ENISA has officially become a CVE Numbering Authority (CNA) as well. ENISA states that its work with EUVD aims to “avoid duplicates and support complementarity” within the broader CVE ecosystem.
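To make the three default EUVD views concrete, the following script is an added example (not code from ENISA, the EUVD or the Vulnerability-Lookup project) that sorts a small feed of CVE records into "critical", "actively exploited" and "coordinated by CSIRTs" buckets, using the criteria described above: a CVSS base score of 9 or higher, membership in an exploited-vulnerability catalog such as CISA's, and assignment by one of the European CNAs listed above. It assumes records shaped like CVE JSON 5.x (`cveMetadata.cveId`, `cveMetadata.assignerShortName`, CVSS metrics under `containers.cna` or `containers.adp`); the CNA short names, the CVE identifiers and the exploited-ID set are constructed placeholders, not real data.

```python
"""Triage a CVE feed into the three default EUVD views.

Added example; not code from ENISA, the EUVD or Vulnerability-Lookup.
Assumptions: records follow the CVE JSON 5.x record shape; the CNA short
names, CVE IDs and exploited-ID set below are constructed for illustration.
"""
from typing import Dict, Iterable, List, Optional, Set

# Assumed short names for the European CNAs named in the article; the real
# assignerShortName values used in the CVE corpus may differ.
EU_CSIRT_CNAS = {"ENISA", "INCIBE", "NCSC-NL", "SK-CERT", "NCSC-FI", "CERT-PL"}


def max_cvss(record: dict) -> Optional[float]:
    """Highest CVSS v3.x base score found in the CNA or any ADP container."""
    containers = record.get("containers", {})
    blocks = [containers.get("cna", {})] + list(containers.get("adp", []))
    scores = []
    for block in blocks:
        for metric in block.get("metrics", []):
            for key in ("cvssV3_1", "cvssV3_0"):
                if key in metric:
                    scores.append(float(metric[key]["baseScore"]))
    return max(scores) if scores else None


def assigner(record: dict) -> str:
    """Short name of the CNA that assigned the record's CVE ID."""
    return record.get("cveMetadata", {}).get("assignerShortName", "")


def build_views(records: Iterable[dict], exploited_ids: Set[str]) -> Dict[str, List[str]]:
    """Return the three EUVD-style views as lists of CVE IDs (input order kept).

    A record may land in several views, e.g. critical and coordinated.
    Records without any CVSS metric never qualify as critical.
    """
    views: Dict[str, List[str]] = {"critical": [], "exploited": [], "coordinated_by_csirts": []}
    for rec in records:
        cve_id = rec["cveMetadata"]["cveId"]
        score = max_cvss(rec)
        if score is not None and score >= 9.0:
            views["critical"].append(cve_id)
        if cve_id in exploited_ids:
            views["exploited"].append(cve_id)
        if assigner(rec).upper() in EU_CSIRT_CNAS:
            views["coordinated_by_csirts"].append(cve_id)
    return views


def _record(cve_id: str, cna_name: str,
            cna_score: Optional[float] = None, adp_score: Optional[float] = None) -> dict:
    """Build a minimal CVE JSON 5.x-shaped record (constructed sample data)."""
    cna = {"metrics": [{"cvssV3_1": {"baseScore": cna_score}}]} if cna_score is not None else {}
    adp = [{"metrics": [{"cvssV3_1": {"baseScore": adp_score}}]}] if adp_score is not None else []
    return {
        "cveMetadata": {"cveId": cve_id, "assignerShortName": cna_name},
        "containers": {"cna": cna, "adp": adp},
    }


# Constructed sample feed: placeholder CVE IDs, not real vulnerabilities.
SAMPLE_RECORDS = [
    _record("CVE-0000-0001", "example_vendor", cna_score=9.8),          # critical only
    _record("CVE-0000-0002", "NCSC-NL", cna_score=7.5),                  # exploited + coordinated
    _record("CVE-0000-0003", "CERT-PL", adp_score=9.1),                  # score only in ADP block
    _record("CVE-0000-0004", "example_vendor"),                          # no metric at all
]
# Constructed stand-in for an exploited-vulnerability catalog such as CISA KEV.
SAMPLE_EXPLOITED = {"CVE-0000-0002"}

if __name__ == "__main__":
    for name, ids in build_views(SAMPLE_RECORDS, SAMPLE_EXPLOITED).items():
        print(f"{name}: {ids}")
```

Taking the maximum score across the CNA and ADP containers matters in practice: a CNA may publish a record without a CVSS metric and an enriching ADP may add one later, so a filter that reads only the CNA block would silently miss critical entries.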
Additional Resources and Ongoing Discussions
For those interested in further insights, the following topics are worth exploring:
– The scrutiny of CISA under the Biden administration’s policies
– The latest techniques integrated into MITRE’s ATT&CK matrix
– ENISA’s guidelines for cyber risk management under NIS2
This evolving landscape underscores the importance of maintaining robust, collaborative vulnerability management systems across both the US and European cybersecurity communities, ensuring resilience and coordinated responses to emerging threats.