| Re: [open-regulatory-compliance] Should ORC issue a statement encouraging ENISA to get more involved in CVE management? |
Hi Tobie and all,
ENISA has started working on CVE management with the EU Vulnerability Database https://euvd.enisa.europa.eu
Point 8 of the FAQ explains it's usefulness for both NIS2 and CRA https://euvd.enisa.europa.eu/faq
Point 1 also explains how the project leverages Vulnerability Lookup, developed in collaboration with CIRCL.
CIRCL also setup the EU Global CVE Allocation System to act as a decentralised complement/EU alternative for CVE management.
Let me know if you'd like more info or contacts for the relevant people.
Ciao
Paolo
-----Original message-----
From: Tobie Langel via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx>
Sent: Thursday 1st May 2025 3:03
To: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Cc: Tobie Langel <tobie@xxxxxxxxxxxxxx>
Subject: [open-regulatory-compliance] Should ORC issue a statement encouraging ENISA to get more involved in CVE management?
Hi all,Following the CVE database defunding (and then refunding) and our CRA Monday on the topic earlier this week, there were suggestions that ORC should issue a statement encouraging ENISA to get more involved in CVE management. My understanding is that such a statement coming from the open source community and through a European-based entity could be impactful, in particular, in light of the ongoing consultation on the Cyber Security Act and its focus on ENISA.Is there an appetite for creating such a statement? If so please let me know and I'll set something up.Best,--tobie
---
Tobie Langel
Tech Lead ORC WG, Eclipse Foundation
Principal, UnlockOpen