
The European Union’s new Global CVE Allocation System (GCVE) is officially up and running, providing an alternative for European cybersecurity professionals worried that a lack of funding for the US-run CVE program might eventually lead to its shutdown.
- The EU has launched its own CVE-style vulnerability database to reduce reliance on the US-run MITRE system.
- The move follows growing concerns about funding instability and backlog delays in the existing CVE program.
- GCVE aims to speed up vulnerability tracking while remaining compatible with the global CVE ecosystem.

Launched to the public on January 7th, the initiative to develop a European-centric vulnerability advisory database has been in the works since last April – announced alongside the launch of the European Union Vulnerability Database (EUVD) last May.
The system aims to end dependence on US databases and strengthen digital sovereignty in Europe.
William Wright, CEO of Closed Door Security, says the establishment of the GCVE program is a positive step for the tech and cybersecurity industries, both in the EU and abroad.
“A sudden end of the US Government-run CVE program would cause chaos… the public and private sectors would be blind as they scrambled to find a replacement, leaving threat actors with a huge window to cause damage,” the CEO points out.
“While the CVE program will hopefully continue operation, having an alternative bolsters the resilience of cyber and tech as a whole,” Wright said.
A decentralized alternative to MITRE’s CVE system
The publicly accessible GCVE is a decentralized vulnerability tracking system launched by the Computer Incident Response Center Luxembourg (CIRCL).
What makes the allocation-focused framework unique is that it is considered a true “community-driven effort,” according to the GCVE website, which states the platform aggregates and correlates vulnerability information from more than 25 public sources, including the MITRE CVE program.
“By bringing together data from decentralized publishers and existing vulnerability databases, the GCVE helps reduce fragmentation and improve visibility across the global vulnerability landscape,” it says.
Security analysts say the move also aims to reduce the risks of depending on a single, globally relied-upon vulnerability infrastructure system.
Wright further noted the “mounting concerns” over the speed of the existing CVE program.
“There’s currently a large backlog of vulnerabilities that need to be centrally verified and recorded on the platform, and some have argued that MITRE is struggling to respond to the speed and scale of the contemporary threat landscape,” Wright says.
Wright explains that the new decentralised program is designed to be cross-compatible with CVE – “supplementing and normalizing data from multiple sources, and allowing for vulnerabilities to be documented and published by designated GCVE Numbering Authorities (GNAs), without the need for central approval.”
“Hopefully, this should allow for a faster and more robust documentation process, and should enable governments and businesses to respond more quickly to serious threats,” he said.
Funding fears sparked Europe’s move
Although the EUVD had been in development under the European Union Agency for Cybersecurity (ENISA) for roughly a year, one could say the timing of both databases coming into existence is no coincidence.
On April 16th, 2025, the US Department of Homeland Security waited until the very last hours to renew funding for the US-based CVE program, sparking panic among CISOs worldwide who rely on the continuously updated database to protect their organizations.
The NIST industry-standard Common Vulnerabilities and Exposures (CVE) program is a federally funded program run by the MITRE Corporation, a cybersecurity nonprofit with headquarters just outside Washington, DC, and in Massachusetts.
The CVE database identifies, defines, and catalogs publicly disclosed security vulnerabilities in a centralized location, enabling IT teams to stay informed about the most pressing threats and how to fix them.
The common numbering scheme, severity scale, and detailed descriptions allow quick communication of highly technical information across organizations and around the world.
Thus, European cybersecurity leaders, wanting to avoid any future disruptions, simply decided to create their own.
Besides making open data dumps available for bulk access and offline analysis, the EU-sponsored database has its own GCVE Numbering Authorities (GNAs), which “are empowered to allocate and publish vulnerability identifiers independently, while remaining interoperable through shared protocols and best practices.”
Compatibility concerns remain
However, while the GCVE may lessen global dependence on the US CVE program, Natalie Page, head of threat intelligence at Talion, says the EU database system “should aim to be compatible with the US CVE program, using similar language and ratings.”
Its goal should be “not to confuse organisations or cause misalignment with CVE tracking,” she said.
While GCVE is not designed to replace MITRE’s CVE program outright, it provides Europe with a contingency option if future funding or even political disruptions threaten the continuity of vulnerability tracking worldwide.
“By enabling GNAs and other publishers to contribute data independently, while still benefiting from global correlation, GCVE aims to reduce single points of failure and foster innovation in vulnerability management,” the GCVE website states.