As US vuln-tracking falters, EU enters with its own security bug database

https://www.theregister.com/2025/05/13/eu_security_bug_database/

122•voxadam•9mo ago

Comments

ta1243•9mo ago

The is from a 2022 EU directive, well before recent US government actions, it's been developed for quite some time.

OJFord•9mo ago

TFA doesn't hide or sensationalise that, makes the point that it's timely.

ta1243•8mo ago

However many people will infer causation from the timing. Half of people don't even read the full headlines any more.

Kon-Peki•9mo ago

The EU Cyber Resilience Act, which is now in effect (but not fully enforced until 2027/2028), has additional details and also includes a reporting requirement (articles 14, 15, and 16).

devrandoom•9mo ago

It's sad to see the US being dismantled from within.

Duwensatzaj•9mo ago

I’m very torn. Obviously USAID, NSF and academia in general do valuable things. But when organizations get hijacked and used as a slush fund to fund naked ideological activities and organizations barely related to the original purpose, I’m not surprised when the eventual response is to just hack and slash. I wish it was done more thoughtfully and carefully, but that doesn’t appear to be a choice. Just a choice of funding hostile NGOs and academics who endorse discrimination in education, employment, health care and even law nowadays or the current mess. It all sucks and I don’t have any solutions other than focusing on my career and family.

stavros•9mo ago

I'm out of the loop, can you give some context as to what you're talking about? What were they funding?

wvenable•9mo ago

> But when organizations get hijacked

I haven't seen any reasonable evidence on this. I'm not saying that evidence doesn't exist, it's just everything that I've heard so far as been debunked. The current administration has been shown to lie and exaggerate over and over to justify these actions so I don't know why anyone would assume they're telling the truth about this.

gadders•9mo ago

"Register readers — especially those tasked with vulnerability management — will recall that the US government's funding for the CVE program was set to expire in April until the US Cybersecurity and Infrastructure Security Agency, aka CISA, swooped in at the 11th hour and renewed the contract with MITRE to operate the initiative."

https://en.wikipedia.org/wiki/Washington_Monument_syndrome

j_walter•9mo ago

>>>and quietly rolled out a limited-access beta version last month during a period of uncertainty surrounding the United States' Common Vulnerabilities and Exposures (CVE) program.

You mean the 24 hour period where people freaked out and assumed things that weren't true? The renewal came down to the wire just like most do during negotiations...MITRE tossed the news out there to stir up concerns but it was all just sensationalized. A "funding lapse" is not the same as "contract not renewed yet"...

lesuorac•9mo ago

"This comes after the Feds decided not to renew their long-standing contract with nonprofit research hub MITRE to operate the CVE database." [1]

Doesn't seem like an untrue assumption. Feds decided not to renew the contract, people got upset, and later the feds decided to renew the contract the night it would expire [1].

This is like saying Y2K is a nothingburger because people updated the code to handle more than 2 digit years. It's because of the people getting upset that triggered a preventative measure preventing the problem. It's just the superman movie [2], if the kid just listened to clark kent then superman would've never been necessary.

[1]: https://www.theregister.com/2025/04/16/cve_program_funding_s...

[2]: https://youtu.be/-ikd_hRnVR4?t=69

j_walter•9mo ago

Review Peter Allor's comments...struggles on who pays and who should be the long term controller of this program was what led to the push right up to the last minute. As usual in government if you don't push hard enough nothing will change...and I still see nothing from CISA regarding their views on what happened...all we see is conjecture from MITRE and joy because they got their $$$.

tptacek•9mo ago

This is a weird headline, because CISA did in fact end up funding NVD.

I wish people cared less about this particular issue, though, because we'd do fine with a non-government-sponsored CVE.

daveguy•9mo ago

Well it certainly did falter (but not cease) due to incompetent leadership and guidance. We are seeing it throughout the government because the primary goal of this administration is to dismantle so that it can be reformed for their benefit.

It's more of a "break fast and move things" approach.

stogot•9mo ago

Nothing broke beyond perception. It’s still operating roughly as before right?

DrillShopper•9mo ago

Yes, but who in industry is going to expect it to be there in the future given what the current administration is doing?

tptacek•9mo ago

MITRE could just take the existing database and pass a hat around to industry and keep the current program going.

DrillShopper•9mo ago

I will defer to your expertise in that regard, but the company I work for definitely wouldn't pony up in that scenario.

tptacek•8mo ago

They won't need to. Microsoft or Google could fund it with pocket change. Much bigger projects than the NVD are open and funded by industry.

hanlonsrazor•9mo ago

Quite so. I would love to see an open sourced CVE database. It is for the public, it should be by the public.

c7b•9mo ago

What do you mean? A government service is a public service, by any conventional use of the term. Public/private is orthogonal to open source.

aerostable_slug•9mo ago

Community-maintained might be a better phrasing.

There's no particular reason a vulnerability database needs to be government-sponsored, and some compelling reasons why it shouldn't be "owned" by one government or another (one being guaranteed continuity even during seasons of change).

tedivm•9mo ago

Yeah, this was going to happen regardless of the US.

> The European Union Agency for Cybersecurity (ENISA) first announced the project in June 2024 under a mandate from the EU's Network and Information Security 2 Directive, and quietly rolled out a limited-access beta version last month during a period of uncertainty surrounding the United States' Common Vulnerabilities and Exposures (CVE) program.

davidw•9mo ago

If European leaders were quick on their feet and smart, they would be dialing up the "brain-draining" of the US to 11.

t-writescode•9mo ago

What would that look like? I imagine most Europeans don’t want to recreate the United Stated and its personality in their countries, for example.

And many countries already have relatively easy visa processes for skilled workers, which would be what these scientists, developers, etc are.

davidw•9mo ago

Importing a bunch of scientists wouldn't 'recreate the US'. A decent number of the scientists are probably not originally from the US anyway.

It'd involve spending money to sponsor research and clear a path for people to come over. Make it really easy.

Asraelite•9mo ago

Fast-tracked citizenship.

t-writescode•9mo ago

What does citizenship actually buy you?

If you're bringing these US Citizens into your country to get their skills, you want them working in jobs where they'll use their skills; or, you want them creating a startup where they can use those skills.

Requiring a job or getting an approved startup idea are both viable routes in the vast majority of countries in the EU, to my knowledge.

And, if memory serves, most people can get citizenship in those aforementioned countries in 5-6 years if they play correctly; and, many countries allow the US equivalent of a green card in a couple.

It's already pretty easy to move to Europe for knowledge workers.

davidw•8mo ago

Yeah I don't think actual citizenship is in the 'critical path'. You just need to make it really easy for people to move over and not be in a precarious legal situation.

ironmagma•9mo ago

The brains are not the problem in this scenario.

Havoc•9mo ago

They kinda did already

https://arstechnica.com/science/2025/05/europe-launches-prog...

Not a massive program, but shows there is intent

Tiny C Compiler

The silent death of Good Code

SectorC: A C Compiler in 512 bytes

Speed up responses with fast mode

Brookhaven Lab's RHIC concludes 25-year run with final collisions

The F Word

Software factories and the agentic moment

OpenCiv3: Open-source, cross-platform reimagining of Civilization III

Hoot: Scheme on WebAssembly

Stories from 25 Years of Software Development

FDA intends to take action against non-FDA-approved GLP-1 drugs

First Proof

Al Lowe on model trains, funny deaths and working with Disney

Vocal Guide – belt sing without killing yourself

Show HN: A luma dependent chroma compression algorithm (image compression)

I write games in C (yes, C) (2016)

Start all of your commands with a comma (2009)

Show HN: I saw this cool navigation reveal, so I made a simple HTML+CSS version

Eigen: Building a Workspace

Show HN: Browser based state machine simulator and visualizer

The AI boom is causing shortages everywhere else

Selection rather than prediction

Microsoft account bugs locked me out of Notepad – Are thin clients ruining PCs?

Reinforcement Learning from Human Feedback

Unseen Footage of Atari Battlezone Arcade Cabinet Production

A Fresh Look at IBM 3270 Information Display System

72M Points of Interest

Where did all the starships go?

Coding agents have replaced every framework I used

France's homegrown open source online office suite