New Initiative Aims to Fix Open Source Vulnerability System

A new Global Vulnerability Intelligence Platform (GVIP) is being developed to address the scaling and funding problems of the current Common Vulnerabilities and Exposures (CVE) system, according to the Open Source Security podcast. With the CVE program described as underfunded and US-centric, GVIP aims to build a more diverse, globally accessible reporting system. The initiative involves organizations such as OpenSSF, OWASP, and the Eclipse Foundation, which want to standardize vulnerability data and foster a community-driven approach.

- The CVE program, managed by MITRE and funded by the U.S. Department of Homeland Security through CISA, has faced significant funding uncertainty, including a near-lapse in April 2025 that required a last-minute 11-month contract extension from CISA to avoid a shutdown.
- Critics argue the CVE system is a single point of failure: a critical global resource depends on a single government sponsor.
- The National Vulnerability Database (NVD), which enriches CVE records with severity scores and affected-product data, fell into a large backlog in early 2024, leaving thousands of CVEs unanalyzed and making automated scanners and patch-prioritization tools, which key off that enrichment, noticeably less effective.
- Europe has also moved to reduce reliance on the US-run system: ENISA launched the European Union Vulnerability Database (EUVD) in May 2025, and Luxembourg's CIRCL operates the Global CVE Allocation System (GCVE), a decentralized scheme in which independent numbering authorities allocate their own identifiers.
- The GVIP initiative aims for a similarly decentralized model in which multiple accredited entities, such as national CERTs and open-source foundations, can issue vulnerability identifiers independently, improving both speed and resilience.
- Beyond the main partners, the GVIP project is supported by Open Forum Europe and the Sovereign Tech Resilience program, and the first GVIP Summit was held in Brussels in January 2026.
- The new system proposes separating vulnerability identification from classification: an identifier can be issued as soon as an issue is confirmed, while analysis of severity and impact is allowed to evolve afterward rather than gating the record, which is precisely the coupling that turned the NVD enrichment backlog into a data outage for downstream tools.
- The Eclipse Foundation, one of the GVIP partners, has established an Open Regulatory Compliance Working Group to help the open-source community navigate new regulations such as the E.U.'s Cyber Resilience Act.

Shared from Scout.