Experts welcome EU-led alternative to MITRE's vulnerability tracking scheme

The EU-led framework will reduce reliance on US-based MITRE vulnerability reporting database

European Union (EU) concept image showing multiple EU flags imposed over a light blue background.
(Image credit: Getty Images)

Cybersecurity experts have welcomed the launch of the new Global CVE Allocation System (GCVE) as a positive move toward more robust vulnerability disclosure.

The EU-led system aims to offer a “decentralized approach” to vulnerability identification and reduce dependence on US-based reporting systems, in particular the MITRE Corporation’s Common Vulnerabilities and Exposures (CVEs) database.

The GCVE will be freely accessible, will draw on vulnerability data from more than 25 public sources, and will be hosted by the Computer Incident Response Center Luxembourg (CIRCL).

The platform itself will be powered by vulnerability-lookup, an open source initiative which allows security practitioners to track software vulnerabilities.

“This ensures that data collection, synchronization, and publication follow open, transparent, and reproducible processes,” the GCVE said.

“Vulnerability-lookup is designed to support decentralized vulnerability publishing while enabling efficient aggregation and correlation, a core principle of the GCVE model.”

What to expect from the GCVE system

According to official materials, the intention is to “improve flexibility, scalability, and autonomy for participating entities”.

Notably, the new setup will remain compatible with the traditional CVE reporting system, but with one key difference: the GCVE scheme introduces GCVE Numbering Authorities (GNAs).

These are “independent entities” that can allocate identifiers without the reliance on a centralized distribution system – a common criticism of the traditional framework.
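The compatibility described above rests on how identifiers are laid out. As an added illustration (not code from GCVE, CIRCL or vulnerability-lookup), the following assumes the identifier format in the published GCVE specification, which the article itself does not spell out: a GCVE id is GCVE-<GNA id>-<year>-<number>, and GNA id 0 is reserved for the existing CVE namespace, so GCVE-0-2025-12345 denotes CVE-2025-12345. The sample feed, the source names and "GNA 1" are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumption (taken from the published GCVE specification, not from the article):
# an identifier is GCVE-<GNA id>-<year>-<number>, and GNA id 0 is reserved for
# the existing CVE namespace, so GCVE-0-<year>-<number> denotes CVE-<year>-<number>.
GCVE_RE = re.compile(r"^GCVE-(\d+)-(\d{4})-(\d{4,})$")
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


@dataclass(frozen=True)
class GcveId:
    gna: int      # numbering authority; 0 = the CVE namespace
    year: int
    number: str   # kept as text so zero padding survives a round trip

    def __str__(self) -> str:
        return f"GCVE-{self.gna}-{self.year}-{self.number}"

    def to_cve(self) -> Optional[str]:
        """Only GNA 0 has a CVE equivalent; ids from other authorities map to nothing."""
        return f"CVE-{self.year}-{self.number}" if self.gna == 0 else None


def parse_id(text: str) -> GcveId:
    """Accept either a CVE or a GCVE id and return it in GCVE form."""
    text = text.strip().upper()
    m = GCVE_RE.match(text)
    if m:
        return GcveId(int(m.group(1)), int(m.group(2)), m.group(3))
    m = CVE_RE.match(text)
    if m:
        return GcveId(0, int(m.group(1)), m.group(2))
    raise ValueError(f"not a CVE or GCVE identifier: {text!r}")


def correlate(advisories: list[dict]) -> dict[str, list[str]]:
    """Group advisories from several authorities under one canonical GCVE key.

    A CVE id and its GCVE-0 mirror land in the same bucket; an id allocated by
    another GNA stays separate. Malformed ids are skipped rather than silently
    merged into the wrong bucket.
    """
    groups: dict[str, list[str]] = defaultdict(list)
    for adv in advisories:
        try:
            key = str(parse_id(adv["id"]))
        except ValueError:
            continue
        groups[key].append(adv["source"])
    return dict(groups)


# Constructed sample feed: one flaw seen under a CVE id and under its GCVE-0 mirror,
# one id allocated by a hypothetical GNA 1 with no CVE equivalent, and one bad id.
SAMPLE_FEED = [
    {"source": "mitre", "id": "CVE-2025-12345"},
    {"source": "circl-mirror", "id": "gcve-0-2025-12345"},
    {"source": "gna-1", "id": "GCVE-1-2025-0007"},
    {"source": "broken", "id": "CVE-25-1"},
]

if __name__ == "__main__":
    for key, sources in correlate(SAMPLE_FEED).items():
        cve = parse_id(key).to_cve()
        print(f"{key} (CVE: {cve or 'none'}): {', '.join(sources)}")
```

The practical point is the direction of the mapping: anything a GNA other than 0 allocates has no CVE equivalent, so tooling that keys everything on CVE ids will drop those entries unless it is taught the GCVE form as the canonical key.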

Sylvain Cortes, VP strategy at Hackuity, said the launch of the GCVE scheme is a “positive development” for the cybersecurity community, particularly as the US-based CVE system faces an uncertain future.

The security industry was plunged into chaos last year amidst reports that funding for the MITRE CVE database was set to lapse.

While CISA stepped in with a last-minute reprieve for the scheme, the incident raised concerns about the stability of future vulnerability reporting on both sides of the Atlantic.

Cortes said the debacle “exposed the fragility of the systems underpinning global vulnerability management”, adding that a new decentralized setup is a welcome addition.

“By decentralizing vulnerability reporting and making it API friendly, GCVE reduces that single point of failure, and enables organizations to have access to timely, standardized vulnerability data,” he said.

“It’s not about replacing CVE, it’s about strengthening global resilience. Having a European alternative provides cybersecurity professionals with a further trusted source of information.”

Nigel Douglas, head of developer relations at Cloudsmith, echoed Cortes’ comments, adding that the GCVE will ensure security practitioners in Europe aren’t solely reliant on the MITRE system.

“We rely on security advisories and vulnerability databases to keep us safe, so removing any single point of failure is a smart, forward-thinking idea,” he said.

“I’m a huge fan of the fact that it’s decentralized and interoperable with the existing CVE ecosystem. Multiple authorities can publish and maintain vulnerability data, while still mapping it back to CVE identifiers that teams already use on a daily basis,” Douglas added.

“This gives the industry options, rather than forcing them to make a choice.”


Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
