{"id":6756,"date":"2026-01-29T09:30:00","date_gmt":"2026-01-29T09:30:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6756"},"modified":"2026-01-29T09:30:00","modified_gmt":"2026-01-29T09:30:00","slug":"eus-answer-to-cve-solves-dependency-issue-adds-fragmentation-risks","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6756","title":{"rendered":"EU\u2019s answer to CVE solves dependency issue, adds fragmentation risks"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The security community has offered broad support for the <a href=\"https:\/\/www.csoonline.com\/article\/4118848\/new-eu-vulnerability-database-launched.html\">creation of an EU-hosted vulnerability database<\/a> as a means of reducing dependence on US databases.<\/p>\n<p>However, some experts have expressed concerns that the potential fragmentation of security intelligence risks impeding rapid vulnerability identification and remediation.<\/p>\n<p>The Global Cybersecurity Vulnerability Enumeration database (<a href=\"https:\/\/gcve.eu\/\">GCVE.eu<\/a>) aggregates vulnerability advisories from more than 25 public sources into a single, searchable resource. 
Entries are normalized, structured, and cross-referenced across identifiers (e.g., CVE IDs, GCVE IDs, vendor IDs).<\/p>\n<p>The platform is hosted by Computer Incident Response Center Luxembourg (CIRCL) in a Luxembourg-based data centre, with co-funding from the EU\u2019s Federated European Team for Threat Analysis (FETTA) project.<\/p>\n<p>The emergence of GCVE.eu follows a funding scare that <a href=\"https:\/\/www.csoonline.com\/article\/3963190\/cve-program-faces-swift-end-after-dhs-fails-to-renew-contract-leaving-security-flaw-tracking-in-limbo.html\">threatened the continuation of the long-established Common Vulnerabilities and Exposures (CVE) program last year<\/a>. The CVE program \u2014 which underpins the US National Vulnerability Database (NVD) \u2014 is operated by the Mitre Corp., with funding from the cyber division of the US Department of Homeland Security.<\/p>\n<h2 class=\"wp-block-heading\">Combatting flaw fragmentation: Mapping and interoperability<\/h2>\n<p>Jaya Baloo, co-founder, COO, and CISO at vulnerability remediation startup AISLE, says that GCVE must prioritize mapping and interoperability with CVE entries in order to be viable.<\/p>\n<p>\u201cWithout enforceable interoperability commitments, \u2018independent allocation\u2019 becomes a polite way of saying defenders will need to check multiple incompatible systems to know if they\u2019re vulnerable,\u201d she says.<\/p>\n<p>David Lindner, CISO at application security vendor Contrast Security, agrees that GCVE poses a risk of creating a new silo that mirrors but doesn\u2019t align with the NVD.<\/p>\n<p>\u201cFor a CISO the hard part is preventing identification collision where teams waste time triaging the same vulnerability under two different flags,\u201d says Lindner. 
\u201cTo avoid this confusion and make the project viable the GCVE must prioritize an automated cross-mapping standard that bridges these databases in real-time.\u201d<\/p>\n<p>Simply switching from the US-run NVD to a European GCVE does not solve the dependency problem; it only moves the silo to a different location, according to Lindner.<\/p>\n<p>\u201cSuccess requires a federated approach where vendors and researchers contribute to a unified intelligence layer ensuring that no matter which database claims the entry the industry sees a single actionable truth rather than a fragmented mess,\u201d Lindner argues.<\/p>\n<p>Brian Blakley, CISO at Bellini Capital, warns that if GCVE offers only duplication without differentiation then it is liable to create a headache for security practitioners.<\/p>\n<p>\u201cMost security teams are already struggling with noise,\u201d Blakley notes. \u201cAny new database really needs to improve data quality, timeliness, or context and not just replicate identifiers under a different flag.\u201d<\/p>\n<p>GCVE has cross-vulnerability referencing built in, with both automated and human-curated mechanisms, an approach that most experts quizzed by CSO agreed would minimise confusion.<\/p>\n<p>Zbyn\u011bk Sopuch, CTO of data security vendor Safetica, was more upbeat, arguing that GCVE is designed to be backwards compatible with CVE, so \u201cexisting data is preserved and independent entries are allowed.\u201d<\/p>\n<p>\u201cThe gray areas arise in scope, ID formats, and fragmented tracking, and there are steps that the GCVE can take to ensure that critical data is shared and received,\u201d says Sopuch.<\/p>\n<h2 class=\"wp-block-heading\">Coordinated disclosure<\/h2>\n<p>Nik Kale, principal engineer and product architect at Cisco Systems, says GCVE\u2019s main challenge comes from building a platform that the security community can rely on for coordinated disclosure and remediation.<\/p>\n<p>\u201cViability depends far more on governance 
than on the data itself,\u201d Kale says. \u201cThat includes clear attribution rules, transparent CNA processes, predictable decision-making, and an explicit commitment to synchronization rather than fragmentation.\u201d<\/p>\n<p>The US-run NVD system is long established, so any parallel system must either federate cleanly with that existing infrastructure or provide clear operational advantages that justify switching, according to Kale.<\/p>\n<p>\u201cResearchers will gravitate toward whichever system enables the fastest, most reliable coordinated disclosure,\u201d says Kale. \u201cVendors, meanwhile, need confidence that vulnerability records will be handled consistently regardless of where they originate.\u201d<\/p>\n<p>Representatives of the GCVE project told CSO that CIRCL has the relevant experience, <a href=\"https:\/\/gcve.eu\/process\/\">governance structures<\/a>, and backing to make the database successful.<\/p>\n<p>\u201cCIRCL has been operating multiple services and open-source projects for more than 15 years, with sustained financial and in-kind support from the public sector, private sector, and EU and international organisations,\u201d they explain. \u201cGCVE.eu implements a level of governance that enables efficient operation, rapid delivery, and, most importantly, distributed allocation of identifiers.\u201d<\/p>\n<p>GCVE.eu has been fully functional and operational for several months. 
\u201cWe already deliver <a href=\"https:\/\/www.vulnerability-lookup.org\/\">Vulnerability-Lookup<\/a> as a complete open-source software and provide a reference database that facilitates the work of many organisations involved in vulnerability management,\u201d GCVE tells CSO.<\/p>\n<h2 class=\"wp-block-heading\">Empowering security researchers<\/h2>\n<p>Fabian Gasser of cybersecurity consultancy Cyway says that GCVE brings benefits in removing the single point of failure inherent in reliance on the US-led CVE system while democratising vulnerability publishing.<\/p>\n<p>GCVE gives \u201cmore of a voice to independent security researchers, who can now also agree or disagree with vendor-self-assessments,\u201d according to Gasser.<\/p>\n<p>Daniel dos Santos, senior director and head of research at cybersecurity vendor Forescout, says that its <a href=\"https:\/\/www.forescout.com\/resources\/exposing-the-exploited-a-quantitative-analysis-of-vulnerabilities-under-the-radar\/\">research<\/a> found a significant number of vulnerabilities without CVE IDs and even some that are exploited by threat actors. The GCVE has the potential to more quickly flag up exploited vulnerabilities.<\/p>\n<p>\u201cThe GCVE DB has the advantage of aggregating several sources of vulnerability information and having a decentralized system of numbering authorities,\u201d according to dos Santos.<\/p>\n<h2 class=\"wp-block-heading\">Redundancy<\/h2>\n<p>Dr. Ferhat Dikbiyik, chief research and intelligence officer at cyber risk intelligence firm Black Kite, says the launch of GCVE is welcome following the funding scares of 2025.<\/p>\n<p>\u201cFor years, we treated the US-led CVE system as an immutable backbone,\u201d Dr. Dikbiyik says. 
\u201cWhen that backbone showed signs of stress due to budget politics, the world realized that relying on a single, centralized thread for vulnerability tracking was a strategic risk.\u201d<\/p>\n<p>Localized vulnerability databases are already a reality in other regions, such as China.<\/p>\n<p>\u201cThe Chinese platform is generally faster at indexing vendor disclosures and provides additional information compared to the US alternative,\u201d says Martin Jartelius, AI product director at cybersecurity vendor Outpost24.<\/p>\n<p>For the GCVE to move from a regional project to a global standard, the focus must shift to integration with enterprise security tools, Dr. Dikbiyik argues.<\/p>\n<p>\u201cA database is only as valuable as the tools that use it,\u201d says Dr. Dikbiyik. \u201cTo make this project viable, we need to see security vendors, scanner providers, and GRC platforms treat the GCVE not as an extra feature, but as a core data source.\u201d<\/p>\n<p>The GCVE is less about competition and more about ensuring continuity, so that vulnerability disclosures don\u2019t hinge on a single point of failure, according to Crystal Morin, senior cybersecurity strategist at Sysdig.<\/p>\n<p>\u201cThe success of the EU [vulnerability database] will be measured by how it complements existing efforts and supports faster triage, a smaller backlog, risk prioritization, and consistent access to quality data for the security community,\u201d Morin says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The security community has offered broad support for the creation of an EU-hosted vulnerability database as a means of reducing dependence on US databases. However, some experts have expressed concerns that the potential fragmentation of security intelligence risks impeding rapid vulnerability identification and remediation. 
The Global Cybersecurity Vulnerability Enumeration database (GCVE.eu) aggregates vulnerability advisories from [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6757,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6756","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6756"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6756"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6756\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6757"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6756"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6756"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6756"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}