A new community-driven, European-headquartered alternative to the US-led Common Vulnerabilities and Exposures (CVE) program has been welcomed by security experts.
The open source Global Cybersecurity Vulnerability Enumeration (GCVE) initiative brings together vulnerability information from over 25 public sources. These include GCVE Numbering Authorities (GNAs), which are able to allocate and publish vulnerability identifiers independently.
“By enabling GNAs and other publishers to contribute data independently, while still benefiting from global correlation, GCVE aims to reduce single points of failure and foster innovation in vulnerability management,” the GCVE said.
“The goal of db.gcve.eu is to provide the community with a single, unified, and openly accessible reference point for vulnerability intelligence, enabling defenders, researchers, CSIRTs, vendors, and open-source projects to more easily track, correlate, and analyze security advisories across ecosystems.”
The idea is to create a vulnerability identification, disclosure and publication ecosystem that is decentralized and resilient – with the db.gcve.eu platform hosted and operated by the Computer Incident Response Center Luxembourg (CIRCL).
“This ensures full control over the infrastructure, data, and operations. By combining open-source software, open data, and European-controlled infrastructure, GCVE and CIRCL contribute to strengthening digital sovereignty, strategic autonomy, and trust in vulnerability information sharing,” the GCVE added.
Concerns Over US Funding
The model stands in stark contrast to the centralized CVE program, run by American non-profit MITRE. It suffered a period of intense uncertainty last year after the Trump administration's Department of Government Efficiency (DOGE) cancelled more than $28m in MITRE contracts.
In the end, the US Cybersecurity and Infrastructure Security Agency (CISA) stepped in at the last minute to save the program, announcing an 11-month contract extension.
However, the existential crisis this provoked was too close a call for much of the cybersecurity community, leading many to look for alternatives.
Closed Door Security CEO, William Wright, welcomed the launch of the GCVE in this regard.
“The establishment of another major program prevents the shutdown of the CVE program from becoming a single point of failure,” he argued.
“The establishment of the GCVE also pre-empts the uncertainty surrounding the continued funding of the CVE program, and, should it ever be shut down, the GCVE system would provide an alternative on which cybersecurity researchers and professionals could immediately rely.”
Wright also pointed to mounting concerns about the speed and efficacy of the CVE program, and the ability of MITRE and NIST, which runs the National Vulnerability Database, to keep up with a fast-moving threat landscape.
“The new EU program is designed to be decentralized and cross-compatible with CVE, supplementing and normalizing data from multiple sources, and allowing for vulnerabilities to be documented and published by designated GNAs, without the need for central approval,” he said.
“Hopefully, this should allow for a faster and more robust documentation process, and should enable governments and businesses to respond more quickly to serious threats.”
Natalie Page, head of threat intelligence at Talion, praised the launch of the GCVE in similar terms.
“By diversifying the CVE program, this means the world is no longer reliant solely on a single body for ratings and disclosures,” she said. “However, the one caveat to the program is that it should aim to not confuse organisations or cause misalignment with CVE tracking. It should aim to be compatible with the US CVE program, using similar language and ratings.”
A separate European Vulnerability Database (EUVD) initiative also launched last year.