Can We Manage Vulnerabilities with Two Giants in the Room?


Jun 10, 2025

Ben Hirschberg
CTO & Co-founder

Recently, the EU officially launched its vulnerability catalog: the European Vulnerability Database (EUVD). This move has sparked a discussion about the future of global vulnerability tracking. Are we headed toward fragmentation, or is this a healthy step toward decentralization?

The cybersecurity field has faced similar crossroads before. After the Snowden disclosures, many European governments became concerned about their reliance on US-made technology in critical infrastructure. Some pushed for alternatives, including national hardware and even homegrown cryptographic algorithms, fearing the NSA had access to widely used standards. While these efforts gained attention, they ultimately failed to gain broad traction. Still, they revealed unease with centralized control in security infrastructure.

The launch of the EUVD reflects a similar sentiment. Is this an attempt to reduce political dependence on the US, or a practical response to recent instability in the NVD, such as delays and budget cuts? Likely both. It’s worth noting that the EUVD initiative began before the current US administration, but its development clearly accelerated in response to challenges facing the US-based NVD.

To understand the significance of this, it’s important to clarify how the CVE ecosystem works.

CVE Numbering Authorities (CNAs) are organizations authorized to assign CVE IDs to vulnerabilities. They are typically software vendors or regional entities that handle the early stages of vulnerability disclosure: confirming the issue, assigning a CVE, and publishing a brief description. There are over 300 CNAs globally, including MITRE, Red Hat, GitHub, Google, and now the EUVD. Their role is to decentralize the intake and registration of vulnerabilities at scale.

Once CVEs are assigned, another layer kicks in: the National Vulnerability Database (NVD), operated by NIST in the US. The NVD enriches CVE records with additional metadata like CVSS scores, CWE classifications, impact vectors, and affected platforms. This enrichment helps organizations automate risk analysis and prioritize patching. While MITRE maintains the root CVE list, the NVD has long been considered the “reference implementation” of enriched vulnerability data.

The EUVD is entering this ecosystem as both a CNA and a database that mirrors some NVD functions. It is not a rival in the traditional sense, but another node in a decentralized system. Its goal is not to replace the NVD, but to add resilience, reduce dependency, and ensure continuity, especially in light of recent delays and resourcing issues at NVD.

In fact, this ecosystem is already decentralized. Multiple CNAs exist globally, and inconsistency is nothing new. For example, the same CVE may have different CVSS scores in the NVD and in Red Hat’s security advisories.
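A defender consuming several of these sources has to deal with exactly that inconsistency. As an added illustration (not code from this post or from any of the databases it names), the Python below merges constructed records from three sources keyed by CVE ID, takes the worst-case score for triage, and flags score disagreement, single-source entries and CVEs that are registered but not yet enriched anywhere. The placeholder CVE IDs, the source names, the simplified record shape and the 2.0-point threshold are all assumptions; none of it is the real NVD, EUVD or vendor advisory format.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data with placeholder IDs (not real CVEs) and a
# deliberately simplified shape: NOT the NVD, EUVD or Red Hat JSON format.
# A score of None means the source lists the CVE but has not enriched it yet.
SOURCES = {
    "nvd": {
        "CVE-0000-0001": {"score": 9.8, "cwe": "CWE-787"},
        "CVE-0000-0002": {"score": None, "cwe": None},  # awaiting NVD enrichment
        "CVE-0000-0004": {"score": None, "cwe": None},  # registered, enriched nowhere
    },
    "euvd": {
        "CVE-0000-0001": {"score": 9.8, "cwe": "CWE-787"},
        "CVE-0000-0002": {"score": 7.5, "cwe": "CWE-400"},
        "CVE-0000-0003": {"score": 5.3, "cwe": "CWE-200"},
    },
    "vendor": {
        "CVE-0000-0001": {"score": 7.2, "cwe": "CWE-787"},  # vendor rates it lower
    },
}


@dataclass
class Reconciled:
    cve: str
    scores: dict                    # source name -> score, enriched sources only
    cwes: set                       # distinct CWE classifications seen
    priority_score: Optional[float] = None
    flags: list = field(default_factory=list)


def reconcile(sources, spread_threshold=2.0):
    """Merge per-source records by CVE ID. The worst-case score drives triage;
    disagreements are surfaced as flags instead of being averaged away."""
    merged = {}
    for name, records in sources.items():
        for cve, rec in records.items():
            r = merged.setdefault(cve, Reconciled(cve, {}, set()))
            if rec["score"] is not None:
                r.scores[name] = rec["score"]
            if rec["cwe"]:
                r.cwes.add(rec["cwe"])
    for r in merged.values():
        if not r.scores:
            r.flags.append("unenriched")           # no source has scored it yet
            continue
        r.priority_score = max(r.scores.values())  # conservative: worst case wins
        if len(r.scores) == 1:
            r.flags.append("single-source")        # no independent corroboration
        if max(r.scores.values()) - min(r.scores.values()) >= spread_threshold:
            r.flags.append("score-disagreement")   # e.g. NVD vs vendor advisory
        if len(r.cwes) > 1:
            r.flags.append("cwe-disagreement")
    return merged
```

Running `reconcile(SOURCES)` gives CVE-0000-0001 a priority of 9.8 with a score-disagreement flag, while CVE-0000-0004 comes back unenriched with no score, which is the case a single-source pipeline would silently drop.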

Can two major players like the NVD and EUVD coexist? Absolutely. They can share data, align when possible, and provide redundancy to a system that has grown critical to the security of global infrastructure. While differences will continue to exist, based on risk models, regional priorities, and context, this is a feature of decentralization, not a flaw.

At the end of the day, much of cybersecurity still relies on trust, relationships, and shared values. As long as collaboration remains a priority, there’s little risk of a disruptive rupture in vulnerability management. Instead, we may see a stronger, more diverse, and globally balanced system emerge.
