Tag: CVE

An Open Letter to ENISA

April 17, 2025 / CyberSec_Cafe / 0 Comments

Safeguarding European Vulnerability Management

Following up on yesterday’s post, today we are publishing the full text of the open letter sent to ENISA and key European cybersecurity stakeholders.
The letter addresses the urgent need for a reliable, independent European approach to vulnerability management in light of the recent MITRE announcement (see image below).

We invite the entire cybersecurity community to read, share, and support this initiative.

Open Letter Text

Subject: Open Letter to ENISA – Ensuring European Continuity and Governance for the CVE Program

To the attention of ENISA Management and to the EUVD team,

Dear ENISA Management and EUVD Team,

As representatives of various Italian CISO communities, we would like to express our sincere concern regarding the future of the CVE (Common Vulnerabilities and Exposures) program, as indicated in the recent communication from MITRE (source: https://bsky.app/profile/tib3rius.bsky.social/post/3lmulrbygoe2g).

The CVE program has long served as a cornerstone for global vulnerability identification, tracking, and coordinated response. Any disruption to this service would significantly impact European cybersecurity, affecting national vulnerability databases, tool vendors, incident response teams, and the protection of critical infrastructure, potentially reducing our collective capacity to respond effectively.

The recent announcement of the formation of the CVE Foundation (source: https://www.thecvefoundation.org/) — in response to the end of U.S. government sponsorship — represents an important moment for the global cybersecurity community. For 25 years, the CVE Program has been the pillar of vulnerability management, yet its future would benefit from broader international support.

We respectfully invite ENISA to consider assuming a European coordination role — at least temporarily — to develop a European alternative system that preserves existing CVE data while ensuring the continuity of these essential services —potentially through the integration and further development of the EUVD platform currently in beta phase. This would represent a reliable alternative, preventing future service interruptions and granting Europe independent governance over a capability of such critical importance.

We kindly ask ENISA to help safeguard the current CVE ecosystem and, drawing on the cross-disciplinary expertise of the undersigned associations, to explore possible improvements to the system for the benefit of the entire European community.

We would also recommend that ENISA establish direct contact with MITRE to explore avenues for collaboration and support, helping ensure that Europe remains an active and reliable partner in the global vulnerability management ecosystem.

As CISOs and as members of major Italian cybersecurity associations we declare our full availability to support ENISA and MITRE in any technical, operational, or advocacy capacity required.

We believe that Europe has an opportunity to take proactive steps to safeguard its digital resilience and avoid fragmentation. This aligns closely with the ongoing enhancements of cyber robustness and resilience promoted by multiple European directives and regulations.

We are ready to participate in any working groups, task forces, or initiatives that ENISA may wish to activate on this urgent matter.

This represents an important moment for European cybersecurity:

A coordinated response will strengthen our collective resilience and set a positive precedent for international cooperation.

We look forward to your response and remain at your disposal for further discussion.

Best regards,

Andrea Succi, creator of this initiative, on behalf of 45 Italian CISOs (or similar profiles) and of CISOs4AI https://cisos4ai.org/

Luca Moroni on behalf of CSA Cyber Security Angels https://cybersecurityangels.it/

Alessandro Oteri on behalf PensieroSicuro Network https://www.pensierosicuronetwork.it/

If you are interested in joining as a signatory or supporting this initiative, please let us know so we can include your name in future correspondence with ENISA.

The Future of CVE Is at Risk

April 16, 2025 / CyberSec_Cafe / 0 Comments

European Cybersecurity Must Take Action

Yesterday, MITRE released an urgent communication to the global cybersecurity community: the funding pathway for the CVE (Common Vulnerabilities and Exposures) program is set to expire today, April 16, 2025.

Without immediate intervention, the world’s most critical reference for vulnerability management could face a service disruption, with potentially devastating consequences for all digital ecosystems.

Why does this matter?

CVE is the backbone of vulnerability identification and coordination. Every security tool, advisory, and incident response process relies on it. As MITRE warns in their letter, a break in service would mean:

Deterioration of national vulnerability databases and advisories
Disruption for tool vendors and incident response teams
Increased risks for critical infrastructure across the globe

“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.”
— MITRE, April 15, 2025

What can we do in Europe?

As a CISO and member of the Italian and European cybersecurity community, I believe this is a wake-up call.

We cannot afford to be passive spectators. The time has come for Europe to step forward and ensure the continuity of this essential service.

Our proposal:

Immediate engagement with ENISA (the European Union Agency for Cybersecurity) to coordinate a European response and ensure continuity of the CVE program, even temporarily.
Direct contact with MITRE to offer European support and collaboration.
Mobilization of the CISO community and all relevant associations to advocate for a unified, proactive approach.

I am coordinating an open letter to ENISA on behalf of the Italian CISO community, calling for urgent action and offering our collective expertise and support. If you want to be part of it let me know!

How you can help:

Share this news to raise awareness.
If you are a CISO, represent an association or organization, join our initiative.
Let’s make our voice heard: Europe must not be left vulnerable.

You can read more here and the MITRE communication here.

This is a crucial moment for our digital future.

If you want to join or support the open letter, comment below or contact me directly. Together, we can make a difference.