Key Takeaways
- The EU has launched a new vulnerability database, db.gcve.eu, to reduce dependence on the US-based CVE program.
- The database is administered by the Computer Incident Response Centre Luxembourg and provides a decentralized European alternative to the existing CVE program.
- The new platform brings together information from public resources and allows for autonomous assignment and publication of vulnerability identifiers.
- Experts have been positive about the new program, citing its potential to support organizations with their understanding of CVEs and reduce global dependence on the US CVE program.
- The program’s decentralized approach and open API make it possible to integrate into existing compliance tools and risk management systems.
Introduction to the New Vulnerability Database
A new vulnerability database has been launched in the EU, in a bid to reduce dependence on the US-based CVE program. The database, db.gcve.eu, has been created by the Global Cybersecurity Vulnerability Enumeration and is administered by the Computer Incident Response Centre Luxembourg. This government-driven initiative is designed to gather, review, report, and respond to computer security threats and incidents. The GCVE program is intended to provide the tech and cybersecurity industries with a decentralized European alternative to the existing US-based CVE program.
Background and Motivation
The launch of the new database comes after funding for the US CVE program was pulled and then reinstated in an eleventh-hour decision in April 2025. While the US program is still running, the incident led to discussions around the challenges of relying on a single database. The new platform brings together information from public resources, including the sources of the GCVE Numbering Authority model, according to a report on CSOOnline. This model replaces the traditional assignment of vulnerability identifiers (CVE IDs) and allows for autonomous assignment and publication of vulnerability identifiers without having to wait for central approval.
Benefits of the New Database
The new database’s decentralized approach makes it possible to assign and publish vulnerability identifiers autonomously, without having to wait for central approval. This approach also makes it possible to integrate into existing compliance tools and risk management systems through an open API. The benefits of the new database are numerous, including reducing global dependence on the US CVE program and providing a more resilient and decentralized system for tracking and disclosing vulnerabilities. The new database also provides a more autonomous and flexible system for assigning and publishing vulnerability identifiers, which can help to improve the overall efficiency and effectiveness of vulnerability management.
Expert Opinions
Experts have been largely positive about the new vulnerability program. Natalie Page, head of threat intelligence at Talion, says that the new program is a good initiative that will support organizations with their understanding of CVEs. She also points out that the program will lessen global dependence on the US CVE program, which is a positive step for the tech and cybersecurity industries. However, Page also notes that the program should aim to be compatible with the US CVE program, using similar language and ratings, to avoid confusing organizations or causing misalignment with CVE tracking. William Wright, CEO of Closed Door Security, also welcomes the establishment of the GCVE program, saying that it represents a positive step for the tech and cybersecurity industries, both in the EU and abroad.
Implications and Future Directions
The launch of the new database has significant implications for the tech and cybersecurity industries. It provides a more resilient and decentralized system for tracking and disclosing vulnerabilities, which can help to improve the overall efficiency and effectiveness of vulnerability management. The new database also provides a more autonomous and flexible system for assigning and publishing vulnerability identifiers, which can help to reduce the risk of a single point of failure. As Wright points out, the launch of another major vulnerability database prevents the shutdown of the CVE program from becoming a single point of failure, and provides an alternative on which cybersecurity researchers and professionals could immediately rely. Overall, the new database is a positive step towards improving the resilience and effectiveness of vulnerability management, and provides a more decentralized and autonomous system for tracking and disclosing vulnerabilities.
