For this reason, the security community is currently considering 'alternatives or supplements to CVE.' New systems are being created to address vulnerabilities by entities such as Europe (EUVD), China (CNNVD), and private companies.

1. Europe (EU) EUVD

“We will not be entirely dependent on a U.S.-centric system. Europe will assess with European perspectives.”

ENISA, the European Union's cybersecurity agency, launched the EUVD (European Vulnerability Database). ENISA announced that EUVD, which was in beta, would be officially launched on May 13, 2025. This action came amidst ongoing controversy over CVE due to U.S. CISA budget cuts.

ENISA introduced its system as the existing CVE system struggled to reflect European policies and realities.

EUVD has a unique identification system similar to CVE (e.g., EUVD-2025-1234), ensuring interoperability and compatibility by listing CVE numbers as well.

EUVD is organized around the cooperation results of CSIRT between countries or actual exploitation cases, making it easy to prioritize risks. It's designed to automatically integrate with open-source analysis tools like Vulnerability-Lookup.

2. China CNNVD

“Cybersecurity should also be locally oriented. Information sovereignty is the start of security.”

The Chinese government operates the official vulnerability database CNNVD (China National Vulnerability Database).

CNNVD is run by CNITSEC (China Information Technology Security Evaluation Center) under the Ministry of State Security (MSS). CNITSEC, part of the 13th bureau of MSS, handles China's cyber operations and intelligence gathering.

Officially, CNNVD analyzes security vulnerabilities in information technology products and systems. It assesses the security risks of the party's and government's information networks and critical information systems, and conducts security tests and evaluations, similar to South Korea's NIS.

CNNVD has its numbering and registration system while referencing U.S. CVE.

Vulnerabilities in Chinese company products are often registered with CNNVD before CVE. Despite censorship control controversies, CNNVD has become an essential system for security responses within China. Some vulnerabilities are registered more quickly than with CVE, leading international researchers to also refer to CNNVD.

CNNVD operates as part of China's cybersecurity strategy and information gathering activities. It's known to function beyond a simple vulnerability database. The international community has raised questions about its reliability due to issues like lack of transparency and publication delays.

Security experts use CNNVD information with cross-verification against various vulnerability databases to ensure accuracy and reliability.

3. Private Companies as Businesses

Private companies are overcoming the limitations of the existing CVE system by providing faster and more detailed security information as a business. Private vulnerability DBs focus on vulnerabilities not registered with CVE or latest security threat information.

Cybersecurity company Flashpoint operates VulnDB. Originally created by Risk Based Security, it is now managed by Flashpoint.

It is a commercial vulnerability DB targeting corporate clients. It's faster and provides more information than CVE. VulnDB includes unofficial vulnerability information not found in CVE, featuring specific details like exploit codes (PoC), real damage examples, and countermeasures. Companies can connect VulnDB via API to integrate it into automated security systems.

Snyk operates a database providing vulnerability information for open-source and cloud environments. This database includes vulnerabilities for various package managers and cloud platforms like npm, Maven, and pip, allowing developers to identify and address potential security issues in the libraries and dependencies they use.