| 1 | +--- |
| 2 | +title: Vulnerability-Lookup and NIS2 Directive Compliance |
| 3 | +description: Vulnerability-Lookup and NIS2 Directive Compliance. |
| 4 | +toc: true |
| 5 | +--- |
| 6 | + |
| 7 | +## Overview |
| 8 | + |
| 9 | +[Vulnerability-Lookup](https://www.vulnerability-lookup.org/) is an open-source platform developed to help organizations identify, track, and manage software vulnerabilities. It aggregates data from multiple trusted sources, allows collaborative input, and supports processes aligned with vulnerability disclosure standards. |
| 10 | + |
| 11 | +The [NIS2 Directive (Directive (EU) 2022/2555)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:02022L2555-20221227) establishes a high common level of cybersecurity across the EU. This document outlines how Vulnerability-Lookup helps stakeholders meet the directive’s key requirements, especially Articles 11, 12, 21, and 29. The following paragraphs analyse these articles and contextualise Vulnerability-Lookup's feature support capabilities. |
| 12 | + |
| 13 | +## Article 11: Tasks of CSIRTs |
| 14 | + |
| 15 | +### NIS2 Requirement |
| 16 | +**National CSIRTs** are responsible for a wide range of **operational tasks**, including: |
| 17 | +- **Handling and coordination** of vulnerabilities |
| 18 | +- **Issuing early warnings**, alerts, announcements, and dissemination of information |
| 19 | +- **Proactive scanning** and detection of vulnerabilities |
| 20 | +- Facilitating **technical cooperation** and **situational awareness** |
| 21 | + |
| 22 | +### Vulnerability-Lookup Support |
| 23 | +- **National-Level Feed Aggregation:** Can be deployed or mirrored by national CSIRTs to maintain a real-time repository of vulnerabilities relevant to national constituents. |
| 24 | +- **Alert and Notification System:** CSIRTs can use the RSS/Atom feeds, sightings, and comment features to disseminate vulnerability intelligence and early warnings. |
| 25 | +- **Proactive Intelligence Gathering:** Built-in APIs and import modules support the ingestion of vendor advisories, bug trackers, and GitHub references for proactive monitoring. |
| 26 | +- **Multi-Source Enrichment:** Tags, references, and community input enable CSIRTs to rapidly understand the context and severity of vulnerabilities affecting their scope. |
| 27 | + |
| 28 | + |
| 29 | +## Article 12: Coordinated Vulnerability Disclosure and European Vulnerability Database |
| 30 | + |
| 31 | +### NIS2 Requirement |
| 32 | + |
| 33 | +Member States shall designate a CSIRT to **coordinate vulnerability disclosures** and help **manage multi-party coordination**. ENISA will create a European vulnerability database for publicly disclosed vulnerabilities. |
| 34 | + |
| 35 | +### Vulnerability-Lookup Support |
| 36 | +- **Vulnerability Disclosure Management:** Supports manual and automated submission of new vulnerabilities and drafts before publication. |
| 37 | +- **GCVE-Compatible Identifier System:** Supports both CVE and [decentralized GCVE identifiers](https://gcve.eu), offering flexibility for entities involved in pre-publication coordination. |
| 38 | +- **Metadata Enrichment:** Allows users to enrich vulnerabilities with tags, references, and status to ensure completeness before public coordination. |
| 39 | +- **Secure API for Programmatic Submissions:** Facilitates integration with CSIRT or vendor infrastructure to contribute to national or EU-level databases. |
| 40 | +- **Comment and Review Workflow:** Enables community vetting before publication, aiding trusted disclosure coordination. |
| 41 | +- **EUVD:** [EUVD database relies on vulnerability-lookup](https://euvd.enisa.europa.eu/faq) as source for the European wide database. |
| 42 | + |
| 43 | +## Article 21: Cybersecurity Risk-Management Measures |
| 44 | + |
| 45 | +### NIS2 Requirement |
| 46 | + |
| 47 | +Entities must **take** appropriate and proportionate technical, operational, and organizational **measures to manage cybersecurity risks**. These include: |
| 48 | +- Vulnerability handling and disclosure |
| 49 | +- Policies for risk analysis and information system security |
| 50 | +- Incident handling |
| 51 | +- Business continuity |
| 52 | +- Supply chain security |
| 53 | + |
| 54 | +### Vulnerability-Lookup Support |
| 55 | +- **Centralized Vulnerability Tracking:** Helps entities maintain an up-to-date inventory of known vulnerabilities across software and supply chain components. |
| 56 | +- **Risk Prioritization via EPSS Integration:** Supports Exploit Prediction Scoring System (EPSS), KEV (Known Exploited Vulnerability), Sighting information giving details about exploitation which help prioritize vulnerabilities based on likelihood of exploitation. |
| 57 | +- **Custom Feeds and Alerts:** Enables entities to subscribe to customized feeds (e.g. by vendor/product), facilitating early awareness of vulnerabilities relevant to their environment. |
| 58 | +- **Comment and Sighting Functionality:** Users can document remediation, detection, or exploitation status, supporting internal incident tracking and documentation. |
| 59 | +- **Vendor Attribution:** Automatically links vulnerabilities to vendors and products, enabling stakeholders to identify affected parties more effectively. |
| 60 | +- **Federated Sharing Capabilities:** Integrates with external platforms and CSIRTs, supporting sharing and collaboration across national and EU channels. |
| 61 | +- **Documentation of Disclosures:** Tracks the lifecycle of a vulnerability from discovery to disclosure, including initial state, modification history, and publication. |
| 62 | + |
| 63 | +## Summary of Compliance Benefits |
| 64 | + |
| 65 | +| NIS2 Article | Key Area | Vulnerability-Lookup Contribution | |
| 66 | +|--------------|----------------------------------------------|--------------------------------------------------------------------------| |
| 67 | +| Article 11 | CSIRT operational tasks | Alerting, proactive detection, enrichment, and national-level coordination| |
| 68 | +| Article 12 | Coordinated vulnerability disclosure | API submissions, GCVE support, metadata tagging, and reviewer workflow | |
| 69 | +| Article 21 | Cybersecurity risk-management measures | Risk tracking, auditability and vulnerability information | |
| 70 | + |
| 71 | + |
| 72 | +## Conclusion |
| 73 | + |
| 74 | +**Vulnerability-Lookup** is a practical, open-source tool that supports organizations, CSIRTs, and Member States in aligning with critical provisions of the NIS2 Directive. With features tailored for vulnerability tracking, coordination, enrichment, and disclosure, it provides a modular foundation for strengthening cybersecurity resilience across the EU. |
| 75 | + |
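Review bot: The overview at line 11 promises coverage of "Articles 11, 12, 21, and 29", but the file has no Article 29 section and the summary table at lines 65-69 lists only Articles 11, 12 and 21; either add an "## Article 29" section (with a matching table row) or drop "and 29" from the overview so the document's scope matches its contents. Two smaller points in the same hunk: the EUVD bullet at line 41 reads "EUVD database relies on vulnerability-lookup as source for the European wide database" and should be "The EUVD relies on Vulnerability-Lookup as a source for the Europe-wide database" (also keep the product name capitalised consistently with the rest of the file); and the Article 21 bullet at line 56 is titled "Risk Prioritization via EPSS Integration" while its body lists EPSS, KEV and sightings in one run-on sentence, so a title such as "Risk Prioritization via EPSS, KEV and Sightings" with the sentence split in two would state the claim more clearly. The `description` front-matter field at line 3 merely repeats the title; a one-line summary of what the page covers would be more useful to site indexing.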