Coordinated disclosure: Nik Kale, principal engineer and product architect at Cisco Systems, says GCVE’s main challenge comes from building a platform that the security community can rely on for coordinated disclosure and remediation.

“Viability depends far more on governance than on the data itself,” Kale says. “That includes clear attribution rules, transparent CNA processes, predictable decision-making, and an explicit commitment to synchronization rather than fragmentation.”

The US-run NVD system is long established, so any parallel system must either federate cleanly with that existing infrastructure or provide clear operational advantages that justify switching, according to Kale.

“Researchers will gravitate toward whichever system enables the fastest, most reliable coordinated disclosure,” says Kale. “Vendors, meanwhile, need confidence that vulnerability records will be handled consistently regardless of where they originate.”

Representatives of the GCVE project told CSO that CIRCL has the relevant experience, governance structures, and backing to make the database successful.

“CIRCL has been operating multiple services and open-source projects for more than 15 years, with sustained financial and in-kind support from the public sector, private sector, and EU and international organisations,” they explain. “GCVE.eu implements a level of governance that enables efficient operation, rapid delivery, and, most importantly, distributed allocation of identifiers.”

GCVE.eu has been fully functional and operational for several months. “We already deliver Vulnerability-Lookup as a complete open-source software and provide a reference database that facilitates the work of many organisations involved in vulnerability management,” GCVE tells CSO.
Empowering security researchers: Fabian Gasser of cybersecurity consultancy Cyway says that GCVE brings benefits in removing the single point of failure inherent in reliance on the US-led CVE system while democratising vulnerability publishing.

GCVE gives “more of a voice to independent security researchers, who can now also agree or disagree with vendor self-assessments,” according to Gasser.

Daniel dos Santos, senior director and head of research at cybersecurity vendor Forescout, says that its research found a significant number of vulnerabilities without CVE IDs, including some that are exploited by threat actors. The GCVE has the potential to flag exploited vulnerabilities more quickly.

“The GCVE DB has the advantage of aggregating several sources of vulnerability information and having a decentralized system of numbering authorities,” according to dos Santos.
Redundancy: Dr. Ferhat Dikbiyik, chief research and intelligence officer at cyber risk intelligence firm Black Kite, says the launch of GCVE is welcome following the funding scares of 2025.

“For years, we treated the US-led CVE system as an immutable backbone,” Dr. Dikbiyik says. “When that backbone showed signs of stress due to budget politics, the world realized that relying on a single, centralized thread for vulnerability tracking was a strategic risk.”

Localized vulnerability databases are already a reality in other regions, such as China.

“The Chinese platform is generally faster at indexing vendor disclosures and provides additional information compared to the US alternative,” says Martin Jartelius, AI product director at cybersecurity vendor Outpost24.

For the GCVE to move from a regional project to a global standard, the focus must shift to integration with enterprise security tools, Dr. Dikbiyik argues.

“A database is only as valuable as the tools that use it,” says Dr. Dikbiyik. “To make this project viable, we need to see security vendors, scanner providers, and GRC platforms treat the GCVE not as an extra feature, but as a core data source.”

The GCVE is less about competition and more about ensuring continuity, so that vulnerability disclosures don’t hinge on a single point of failure, according to Crystal Morin, senior cybersecurity strategist at Sysdig.

“The success of the EU [vulnerability database] will be measured by how it complements existing efforts and supports faster triage, a smaller backlog, risk prioritization, and consistent access to quality data for the security community,” Morin says.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4123225/eus-answer-to-cve-solves-dependency-issue-adds-fragmentation-risks.html