Another step forward towards responsible vulnerability disclosure in Europe

Back to News

The EU Agency for Cybersecurity (ENISA) expands its support to EU CSIRTs for Coordinated Vulnerability Disclosure and is now authorised as a Common Vulnerabilities and Exposures (CVE) Numbering Authority.

Based on its mandate to foster cybersecurity resilience in the EU single market, ENISA has been working more actively on developing mechanisms to encourage the use of Coordinated Vulnerability Disclosure (CVD) practices. ENISA actively promoted CVD and supported EU CSIRTs in the adoption and development of CVD policies at the national level. For this purpose, the Agency has continuously published guidelines, recommendations and analyses. Multiple EU Member States have now successfully implemented CVD policies.  

ENISA is expanding its CVD support to Member States with a new role offering a vulnerability registry service. After onboarding as a CVE Numbering Authority (CNA), the Agency is now authorised to assign CVE Identifiers (CVE IDs) and publish CVE Records for vulnerabilities discovered by or reported to EU CSIRTs, in line with their dedicated coordinator roles.  

Hans de Vries, Chief Cybersecurity and Operating Officer (COO) at ENISA stated: “We all rely on software and services in our daily lives. However, software can have vulnerabilities that disrupt use or open doors for potential misuse. Recognising and addressing these vulnerabilities promptly is crucial to ensuring our digital security. ENISA is contributing to enhance EU CSIRTs' coordination on reported vulnerabilities and assessing their potential impact via the EU CSIRTs network. Collectively, and with ENISA now authorised as a Common Vulnerabilities and Exposures (CVE) Numbering Authority, it can be done more effectively". 

Furthermore, as per the NIS2, ENISA is developing and maintaining a European Vulnerability Database (EUVD) that enables transparent access to enriched vulnerability information provided by multiple sources, such as CSIRTs, vendors, as well as existing databases. To support organisations to achieve better efficiency in triaging and prioritising vulnerability management efforts, the EUVD introduces automation by supporting the Common Security Advisory Framework (CSAF). 

Other ongoing legislative developments will also address vulnerability disclosure, with vulnerability handling requirements already foreseen in the Cyber Resilience Act (CRA). 

Further details  

Coordinated Vulnerability Disclosure (CVD) 

CVD can be described as a vulnerability disclosure model that attempts to limit the threat of vulnerability exploitation, by ensuring vulnerabilities are disclosed to the public after the responsible parties have been granted adequate time to develop a fix, a patch, or provide mitigation measures. 

Common Vulnerabilities and Exposures (CVE) Programme   

The mission of the CVE programme is to identify, define, and catalogue publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalogue. The vulnerabilities are discovered, then assigned and published by organisations from around the world that have partnered with the CVE Programme. Partners publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritise and address the vulnerabilities. 

CVE Numbering Authorities (CNAs) 

CNAs are organisations responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about the vulnerability in the associated CVE Record. Each CNA has a specific scope of responsibility for vulnerability identification and publishing. ENISA is now authorised to assign CVE Identifiers (CVE IDs) and publish CVE Records for vulnerabilities discovered by or reported to EU CSIRTs, in line with their dedicated coordinator roles. 

Common Security Advisory Framework (CSAF) 

CSAF is a standard for machine-readable security advisories. Such standardised format for ingesting vulnerability advisory information simplifies triage and remediation processes for asset owners. By publishing security advisories using CSAF, vendors will reduce the time required for enterprises to understand organisational impact and drive timely remediation. 

Further Information 

Vulnerability Disclosure — ENISA (europa.eu)  

News Item | CVE 

Developing National Vulnerabilities Programmes — ENISA (europa.eu) 

GitHub - enisaeu/CNW: Advisories, guidance, best practice documents and more issued by members of the EU CSIRTs network, a network composed of EU Member States’ appointed CSIRTs and CERT-EU. 

Contact 

For press questions and interviews, please contact press (at) enisa.europa.eu