The security community has offered broad support for the creation of an EU-hosted vulnerability database as a means of reducing dependence on US databases.
However, some experts have expressed concerns that the potential fragmentation of security intelligence risks impeding rapid vulnerability identification and remediation.
The Global Cybersecurity Vulnerability Enumeration database (GCVE.eu) aggregates vulnerability advisories from more than 25 public sources into a single, searchable resource. Entries are normalized, structured, and cross-referenced across identifiers (e.g., CVE IDs, GCVE IDs, vendor IDs).
The platform is hosted by Computer Incident Response Center Luxembourg (CIRCL) in a Luxembourg-based data centre, with co-funding from the EU’s Federated European Team for Threat Analysis (FETTA) project.
The emergence of GCVE.eu follows a funding scare that threatened the continuation of the long-established Common Vulnerabilities and Exposures (CVE) program last year. The CVE program, which underpins the US National Vulnerability Database (NVD), is operated by the Mitre Corp., with funding from the cyber division of the US Department of Homeland Security.
Combatting flaw fragmentation: Mapping and interoperability
Jaya Baloo, co-founder, COO, and CISO at vulnerability remediation startup AISLE, says that GCVE must prioritize mapping and interoperability with CVE entries in order to be viable.
“Without enforceable interoperability commitments, ‘independent allocation’ becomes a polite way of saying defenders will need to check multiple incompatible systems to know if they’re vulnerable,” she says.
David Lindner, CISO at application security vendor Contrast Security, agrees that GCVE poses a risk of creating a new silo that mirrors but doesn’t align with the NVD.
“For a CISO the hard part is preventing identification collision where teams waste time triaging the same vulnerability under two different flags,” says Lindner. “To avoid this confusion and make the project viable the GCVE must prioritize an automated cross-mapping standard that bridges these databases in real-time.”
Simply switching from the US-run NVD to a European GCVE fails to solve the problem of dependency but only succeeds in changing the location of the silo, according to Lindner.
“Success requires a federated approach where vendors and researchers contribute to a unified intelligence layer ensuring that no matter which database claims the entry the industry sees a single actionable truth rather than a fragmented mess,” Lindner argues.
Brian Blakley, CISO at Bellini Capital, warns that if GCVE offers only duplication without differentiation then it is liable to create a headache for security practitioners.
“Most security teams are already struggling with noise,” Blakley notes. “Any new database really needs to improve data quality, timeliness, or context and not just replicate identifiers under a different flag.”
GCVE has cross-vulnerability referencing built in, with both automated and human-curated mechanisms, an approach that most experts quizzed by CSO agreed would minimise confusion.
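The cross-mapping that Lindner and the GCVE project describe is, at bottom, a graph problem: every advisory carries one primary identifier plus zero or more aliases, and two records describe the same flaw when their identifiers are connected through any chain of aliases. The script below is an added example written for this page, not code from GCVE.eu, CIRCL or Vulnerability-Lookup. It normalises a handful of constructed advisory records (the feed names, identifiers and summaries are made up for the example) into per-vulnerability clusters with a disjoint-set union, so that the same flaw arriving as a CVE, a GCVE and a vendor advisory is triaged once, and it lists which clusters have no CVE at all. One assumption is baked in and labelled in the code: that a GCVE identifier issued by GNA 0 (`GCVE-0-YYYY-NNNN`) is the CVE-compatible form of `CVE-YYYY-NNNN`, while identifiers from other GNAs imply no CVE.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape an aggregator might normalise feeds
# into. Every identifier and summary is made up for this example and does not
# refer to a real vulnerability or a real feed entry.
SAMPLE_ADVISORIES = [
    {"source": "nvd", "id": "CVE-2025-10001", "aliases": []},
    {"source": "gcve", "id": "GCVE-0-2025-10001", "aliases": []},
    {"source": "vendor", "id": "EXA-SA-2025-007", "aliases": ["CVE-2025-10001"]},
    {"source": "gcve", "id": "GCVE-1-2025-0042", "aliases": ["EXA-SA-2025-008"]},
    {"source": "vendor", "id": "EXA-SA-2025-008", "aliases": []},
    {"source": "ghsa", "id": "GHSA-xxxx-yyyy-zzzz", "aliases": []},
]

CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
GCVE_RE = re.compile(r"^GCVE-(\d+)-(\d{4})-(\d+)$")


def implied_aliases(ident):
    """Aliases that follow from the identifier format alone.
    Assumption (not stated on the page): GCVE-0-YYYY-NNNN is the
    CVE-compatible form of CVE-YYYY-NNNN, GNA 0 being reserved for CVE;
    a GCVE from any other GNA implies no CVE."""
    m = GCVE_RE.match(ident)
    if m and m.group(1) == "0":
        return [f"CVE-{m.group(2)}-{m.group(3)}"]
    m = CVE_RE.match(ident)
    if m:
        return [f"GCVE-0-{m.group(1)}-{m.group(2)}"]
    return []


class UnionFind:
    """Disjoint-set: identifiers that ever appear together on one record
    (directly or via implied_aliases) end up in the same set."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def canonical_id(identifiers):
    """One display identifier per cluster: a CVE if present, else a GCVE,
    else the lexically first vendor/other identifier."""
    def rank(i):
        return (0 if CVE_RE.match(i) else 1 if GCVE_RE.match(i) else 2, i)
    return min(identifiers, key=rank)


def cluster_advisories(advisories):
    """Collapse records from different feeds into one cluster per flaw.
    Returns dicts {canonical, identifiers, sources} sorted by canonical."""
    uf = UnionFind()
    for adv in advisories:
        ids = [adv["id"], *adv["aliases"]]
        ids += [a for i in list(ids) for a in implied_aliases(i)]
        uf.find(ids[0])  # register even records with no alias at all
        for other in ids[1:]:
            uf.union(ids[0], other)

    identifiers = defaultdict(set)
    for ident in list(uf.parent):  # aliases never seen as a primary id count too
        identifiers[uf.find(ident)].add(ident)
    sources = defaultdict(set)
    for adv in advisories:
        sources[uf.find(adv["id"])].add(adv["source"])

    clusters = [
        {"canonical": canonical_id(ids), "identifiers": sorted(ids),
         "sources": sorted(sources[root])}
        for root, ids in identifiers.items()
    ]
    return sorted(clusters, key=lambda c: c["canonical"])


def triage_collisions(clusters):
    """Clusters that arrived under more than one identifier: the cases where
    two teams could otherwise open two tickets for the same flaw."""
    return [c for c in clusters if len(c["identifiers"]) > 1]


def without_cve(clusters):
    """Clusters tracked only under a GCVE or vendor identifier, with no CVE."""
    return [c for c in clusters
            if not any(CVE_RE.match(i) for i in c["identifiers"])]


if __name__ == "__main__":
    for c in cluster_advisories(SAMPLE_ADVISORIES):
        print(c["canonical"], "<-", ", ".join(c["identifiers"]),
              "|", ", ".join(c["sources"]))
```

On the constructed input the three NVD, GCVE and vendor records for the same stack overflow collapse into one cluster keyed by the CVE, the GCVE-1 entry and its vendor advisory form a second cluster that has no CVE at all, and the lone GHSA entry stays on its own. The weak point of any such scheme is the alias data itself: an alias claimed on a vendor record is taken on trust here, which is exactly why the human-curated layer the article mentions matters in a real aggregator.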
Zbyněk Sopuch, CTO of data security vendor Safetica, was more upbeat, arguing that GCVE is designed to be backwards compatible with CVE, so “existing data is preserved and independent entries are allowed.”
“The gray areas arise in scope, ID formats, and fragmented tracking, and there are steps that the GCVE can take to ensure that critical data is shared and received,” says Sopuch.
Coordinated disclosure
Nik Kale, principal engineer and product architect at Cisco Systems, says GCVE’s main challenge comes from building a platform that the security community can rely on for coordinated disclosure and remediation.
“Viability depends far more on governance than on the data itself,” Kale says. “That includes clear attribution rules, transparent CNA processes, predictable decision-making, and an explicit commitment to synchronization rather than fragmentation.”
The US-run NVD system is long established so any parallel system must either federate cleanly with that existing infrastructure or provide clear operational advantages that justify switching, according to Kale.
“Researchers will gravitate toward whichever system enables the fastest, most reliable coordinated disclosure,” says Kale. “Vendors, meanwhile, need confidence that vulnerability records will be handled consistently regardless of where they originate.”
Representatives of the GCVE project told CSO that CIRCL has the relevant experience, governance structures, and backing to make the database successful.
“CIRCL has been operating multiple services and open-source projects for more than 15 years, with sustained financial and in-kind support from the public sector, private sector, and EU and international organisations,” they explain. “GCVE.eu implements a level of governance that enables efficient operation, rapid delivery, and, most importantly, distributed allocation of identifiers.”
GCVE.eu has been fully functional and operational for several months. “We already deliver Vulnerability-Lookup as a complete open-source software and provide a reference database that facilitates the work of many organisations involved in vulnerability management,” GCVE tells CSO.
Empowering security researchers
Fabian Gasser of cybersecurity consultancy Cyway says that GCVE brings benefits in removing the single point of failure inherent in reliance on the US-led CVE system while democratising vulnerability publishing.
GCVE gives “more of a voice to independent security researchers, who can now also agree or disagree with vendor-self-assessments,” according to Gasser.
Daniel dos Santos, senior director and head of research at cybersecurity vendor Forescout, says that its research found a significant number of vulnerabilities without CVE IDs and even some that are exploited by threat actors. The GCVE has the potential to more quickly flag up exploited vulnerabilities.
“The GCVE DB has the advantage of aggregating several sources of vulnerability information and having a decentralized system of numbering authorities,” according to dos Santos.
Redundancy
Dr. Ferhat Dikbiyik, chief research and intelligence officer at cyber risk intelligence firm Black Kite, says the launch of GCVE is welcome following the funding scares of 2025.
“For years, we treated the US-led CVE system as an immutable backbone,” Dr. Dikbiyik says. “When that backbone showed signs of stress due to budget politics, the world realized that relying on a single, centralized thread for vulnerability tracking was a strategic risk.”
Localized vulnerability databases are already a reality in other regions, such as China.
“The Chinese platform is generally faster at indexing vendor disclosures and provides additional information compared to the US alternative,” says Martin Jartelius, AI product director at cybersecurity vendor Outpost24.
For the GCVE to move from a regional project to a global standard, the focus must shift to integration with enterprise security tools, Dr. Dikbiyik argues.
“A database is only as valuable as the tools that use it,” says Dr. Dikbiyik. “To make this project viable, we need to see security vendors, scanner providers, and GRC platforms treat the GCVE not as an extra feature, but as a core data source.”
The GCVE is less about competition and more about ensuring continuity, so that vulnerability disclosures don’t hinge on a single point of failure, according to Crystal Morin, senior cybersecurity strategist at Sysdig.
“The success of the EU [vulnerability database] will be measured by how it complements existing efforts and supports faster triage, a smaller backlog, risk prioritization, and consistent access to quality data for the security community,” Morin says.