We have moved to ENISA as its Root CNA

As a CVE Numbering Authority, we assign CVEs to vulnerabilities. Within the CVE program, every CNA operates under a Root CNA, and until now that was MITRE. From now on, it will be European Union Agency for Cybersecurity (ENISA).

Coordinated Vulnerability Disclosure is at the core of what we do, and we have some big plans for it. It’s one of the ways we make the world safer. CVD is way too important to rely on just one organisation in one country, and even though we have a good relationship with MITRE, the budget cuts and shifting priorities in the US have made that very clear. Europe needs to take responsibility for its own digital resilience. A stronger European vulnerability disclosure and information ecosystem is essential to that. So moving to ENISA felt like the right thing to do.

We believe that CVD only works when multiple organisations, across multiple countries, share responsibility. That’s why we want to contribute to the further development of a European vulnerability information ecosystem, and we’re looking forward to working with ENISA on this.

𝘍𝘠𝘐: 𝘐𝘯 2022, 𝘋𝘐𝘝𝘋 𝘣𝘦𝘤𝘢𝘮𝘦 𝘵𝘩𝘦 𝘧𝘪𝘳𝘴𝘵 𝘪𝘯𝘥𝘦𝘱𝘦𝘯𝘥𝘦𝘯𝘵 𝘋𝘶𝘵𝘤𝘩 𝘰𝘳𝘨𝘢𝘯𝘪𝘴𝘢𝘵𝘪𝘰𝘯 𝘢𝘭𝘭𝘰𝘸𝘦𝘥 𝘵𝘰 𝘢𝘴𝘴𝘪𝘨𝘯 𝘊𝘝𝘌𝘴. 𝘞𝘦 𝘢𝘳𝘦 𝘯𝘰𝘸 𝘢𝘭𝘴𝘰 𝘵𝘩𝘦 𝘧𝘪𝘳𝘴𝘵 𝘋𝘶𝘵𝘤𝘩 𝘰𝘳𝘨𝘢𝘯𝘪𝘴𝘢𝘵𝘪𝘰𝘯 𝘵𝘰 𝘮𝘰𝘷𝘦 𝘵𝘰 𝘌𝘕𝘐𝘚𝘈 𝘢𝘴 𝘙𝘰𝘰𝘵 𝘊𝘕𝘈.