ENISA Stepping Up Its Role in Vulnerability Management: Becomes CVE Root

2025.11.21

The European Union Agency for Cybersecurity (ENISA) is now a Common Vulnerabilities and Exposures (CVE) Program-Root, thus becoming a central point of contact within the CVE program for national/EU authorities, EU CSIRTs network members, and cooperative partners falling under ENISA’s mandate. It marks a significant step in the EU’s efforts to bolster cybersecurity resilience and streamline vulnerability coordination across member states. The move aligns with major legislative efforts such as NIS2 and the Cyber Resilience Act, while further supporting the rollout of the EU Vulnerability Database (EUVD).

The purpose of the CVE Program 

The Common Vulnerabilities and Exposures Program (or CVE Program) was created in 1999 and has been used worldwide since then. CVE provides a scheme to identify, define, and catalog publicly disclosed vulnerabilities with contextual information in order to create a standardised listing of such vulnerabilities. Vulnerabilities are assigned a CVE ID, and their corresponding CVE Records are published by organisations from around the world that have partnered with the CVE Program. In this way, the information of the CVE Program will further enable organisations, developers, and cybersecurity professionals to quickly identify, discuss, share information about, and address security flaws, thereby providing a base for improving the security of software and systems.

The role of ENISA within the CVE Program

Becoming a Root means ENISA is expanding its role in the CVE Program by taking on additional responsibilities, including the identification, onboarding, and support of other CVE Numbering Authorities (CNAs) within its scope. Additionally, Roots ensure that CVE Program guidelines and processes are followed and that procedures, guidelines, and standards for assigning and managing CVE IDs are further developed.

By maintaining its registry service, ENISA further supports the EU CSIRTs in their coordination work, acting as a CNA for vulnerabilities in IT products discovered by European Union Computer Security Incident Response Teams (CSIRTs) or reported to EU CSIRTs for coordinated disclosure. ENISA will also be a central contact point for cooperative partners that fall under ENISA’s mandate.

ENISA joins the CVE Program Council of Roots

As a Root, ENISA will join the CVE Program Council of Roots, which focuses on operational coordination across the CVE Program’s Root hierarchies. At the international level, CVE Program Roots include MITRE, CISA, Google, and Red Hat from the US, and JPCERT/CC from Japan. Within the EU, they are: INCIBE Cert, the Thales Group and, most recently, CERT@VDE.
