Vulnerability-Lookup and NIS2 Directive Compliance
Overview
Vulnerability-Lookup is an open-source platform developed to help organizations identify, track, and manage software vulnerabilities. It aggregates data from multiple trusted sources, allows collaborative input, and supports processes aligned with vulnerability disclosure standards.
The NIS2 Directive (Directive (EU) 2022/2555) establishes a high common level of cybersecurity across the EU. This document outlines how Vulnerability-Lookup helps stakeholders meet the directive’s key requirements, especially Articles 11, 12, 21, and 29. The following sections summarise what each article requires and describe which Vulnerability-Lookup features support it.
```mermaid
graph LR
    A[NIS2 Directive EU 2022/2555] --> B[Article 11: Tasks of CSIRTs]
    A --> C[Article 12: Coordinated Vulnerability Disclosure]
    A --> D[Article 21: Cybersecurity Risk Management Measures]
    A --> E[Article 29: Cybersecurity information-sharing arrangements]
    B --> F[Vulnerability-Lookup Support]
    F --> F1[National-Level Feed Aggregation]
    F --> F2[Alert and Notification System]
    F --> F3[Proactive Intelligence Gathering]
    F --> F4[Multi-Source Enrichment]
    C --> G[Vulnerability-Lookup Support]
    G --> G1[Vulnerability Disclosure Management]
    G --> G2[GCVE-Compatible Identifier System]
    G --> G3[Integration with ENISA Database]
    D --> H[Vulnerability-Lookup Support]
    H --> H1[Risk Assessment Tools]
    H --> H2[Incident Reporting Mechanisms]
    H --> H3[Compliance Tracking Features]
    E --> I[Vulnerability-Lookup Support]
    I --> I1[Federated Sharing Capabilities]
    I --> I2[Collaborative Features]
    I --> I3[MISP Integration]
```
Article 11: Tasks of CSIRTs
NIS2 Requirement
National CSIRTs are responsible for a wide range of operational tasks, including:
- Handling and coordination of vulnerabilities
- Issuing early warnings, alerts, announcements, and dissemination of information
- Proactive scanning and detection of vulnerabilities
- Facilitating technical cooperation and situational awareness
Vulnerability-Lookup Support
- National-Level Feed Aggregation: Can be deployed or mirrored by national CSIRTs to maintain a real-time repository of vulnerabilities relevant to national constituents.
- Alert and Notification System: CSIRTs can use the RSS/Atom feeds, sightings, and comment features to disseminate vulnerability intelligence and early warnings.
- Proactive Intelligence Gathering: Built-in APIs and import modules support the ingestion of vendor advisories, bug trackers, and GitHub references for proactive monitoring.
- Multi-Source Enrichment: Tags, references, and community input enable CSIRTs to rapidly understand the context and severity of vulnerabilities affecting their scope.
Article 12: Coordinated Vulnerability Disclosure and European Vulnerability Database
NIS2 Requirement
Each Member State shall designate one of its CSIRTs as coordinator for coordinated vulnerability disclosure, acting as a trusted intermediary between reporters and vendors and handling multi-party coordination where a vulnerability affects several entities. ENISA shall develop and maintain a European vulnerability database for publicly disclosed vulnerabilities.
Vulnerability-Lookup Support
- Vulnerability Disclosure Management: Supports manual and automated submission of new vulnerabilities and drafts before publication.
- GCVE-Compatible Identifier System: Supports both CVE and decentralized GCVE identifiers, offering flexibility for entities involved in pre-publication coordination.
- Metadata Enrichment: Allows users to enrich vulnerabilities with tags, references, and status to ensure completeness before public coordination.
- Secure API for Programmatic Submissions: Facilitates integration with CSIRT or vendor infrastructure to contribute to national or EU-level databases.
- Comment and Review Workflow: Enables community vetting before publication, aiding trusted disclosure coordination.
- EUVD Integration: ENISA’s European Vulnerability Database (EUVD), the EU-wide database required by Article 12, relies on Vulnerability-Lookup as its underlying platform and data source.
Article 21: Cybersecurity Risk-Management Measures
NIS2 Requirement
Entities must take appropriate and proportionate technical, operational, and organizational measures to manage cybersecurity risks. These include:
- Vulnerability handling and disclosure
- Policies for risk analysis and information system security
- Incident handling
- Business continuity
- Supply chain security
Vulnerability-Lookup Support
- Centralized Vulnerability Tracking: Helps entities maintain an up-to-date inventory of known vulnerabilities across software and supply chain components.
- Risk Prioritization via EPSS, KEV and Sightings: Integrates Exploit Prediction Scoring System (EPSS) scores, Known Exploited Vulnerabilities (KEV) catalogue entries, and sighting information describing observed exploitation, so that entities can prioritize vulnerabilities by likelihood of exploitation rather than by severity score alone.
- Custom Feeds and Alerts: Enables entities to subscribe to customized feeds (e.g. by vendor/product), facilitating early awareness of vulnerabilities relevant to their environment.
- Comment and Sighting Functionality: Users can document remediation, detection, or exploitation status, supporting internal incident tracking and documentation.
- Vendor Attribution: Automatically links vulnerabilities to vendors and products, enabling stakeholders to identify affected parties more effectively.
- Federated Sharing Capabilities: Integrates with external platforms and CSIRTs, supporting sharing and collaboration across national and EU channels.
- Documentation of Disclosures: Tracks the lifecycle of a vulnerability from discovery to disclosure, including initial state, modification history, and publication.
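The two bullets on prioritization (EPSS, KEV and sightings) and on custom feeds scoped by vendor/product describe a triage step that is easier to see in code. The following is an added example written for this page, not code from the Vulnerability-Lookup project: it takes a constructed set of vulnerability records, keeps only those matching a vendor/product scope, and orders them by exploitation evidence before severity. The record layout, the sighting labels (`exploited`, `confirmed`, `seen`, `patched`) and the EPSS threshold are assumptions of the example, not the platform’s API schema.

```python
from dataclasses import dataclass

# Constructed sample data for illustration; these are not records from the
# Vulnerability-Lookup API and the field names are assumptions of this example.
@dataclass
class VulnRecord:
    vuln_id: str
    vendor: str
    product: str
    cvss: float            # CVSS base score, 0-10
    epss: float            # EPSS probability (0-1) of exploitation within 30 days
    in_kev: bool           # listed in a Known Exploited Vulnerabilities catalogue
    sightings: tuple = ()  # sighting types reported by the community (assumed labels)

# Sighting types taken here to indicate in-the-wild exploitation (assumed labels).
EXPLOITED_SIGHTINGS = frozenset({"exploited", "confirmed"})

SAMPLE = [
    VulnRecord("VULN-A", "acme", "gateway", 9.8, 0.02, False, ()),
    VulnRecord("VULN-B", "acme", "gateway", 7.5, 0.91, False, ("seen",)),
    VulnRecord("VULN-C", "acme", "dashboard", 6.1, 0.05, True, ("exploited",)),
    VulnRecord("VULN-D", "other", "widget", 10.0, 0.97, True, ("exploited",)),
    VulnRecord("VULN-E", "acme", "gateway", 5.3, 0.01, False, ("patched",)),
]


def in_scope(rec, scope):
    """scope maps vendor -> set of products; an empty set means every product of that vendor."""
    products = scope.get(rec.vendor)
    if products is None:
        return False
    return not products or rec.product in products


def exploitation_evidence(rec):
    """True when at least one community sighting reports exploitation."""
    return any(s in EXPLOITED_SIGHTINGS for s in rec.sightings)


def priority_key(rec):
    """Sort key, highest first: KEV listing, then exploitation sightings,
    then EPSS, with CVSS only as the final tie-breaker."""
    return (rec.in_kev, exploitation_evidence(rec), rec.epss, rec.cvss)


def triage_tier(rec, epss_threshold=0.5):
    """Map the same signals to a handling tier. The threshold is an assumption."""
    if rec.in_kev or exploitation_evidence(rec):
        return "act-now"
    if rec.epss >= epss_threshold:
        return "schedule"
    return "monitor"


def prioritize(records, scope, epss_threshold=0.5):
    """Return [(vuln_id, tier)] for in-scope records, most urgent first."""
    relevant = [r for r in records if in_scope(r, scope)]
    relevant.sort(key=priority_key, reverse=True)
    return [(r.vuln_id, triage_tier(r, epss_threshold)) for r in relevant]


if __name__ == "__main__":
    # Scope restricted to two acme products, as a custom vendor/product feed would be.
    for vuln_id, tier in prioritize(SAMPLE, {"acme": {"gateway", "dashboard"}}):
        print(vuln_id, tier)
```

Note that VULN-A, the highest CVSS record in scope, lands in the lowest tier: with no KEV entry, no exploitation sighting and a negligible EPSS score it is less urgent than VULN-B or VULN-C, which is the point of prioritizing on exploitation likelihood rather than severity alone.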
Summary of Compliance Benefits
| NIS2 Article | Key Area | Vulnerability-Lookup Contribution |
|---|---|---|
| Article 11 | CSIRT operational tasks | Alerting, proactive detection, enrichment, and national-level coordination |
| Article 12 | Coordinated vulnerability disclosure | API submissions, GCVE support, metadata tagging, and reviewer workflow |
| Article 21 | Cybersecurity risk-management measures | Risk tracking, auditability and vulnerability information |
| Article 29 | Cybersecurity information-sharing arrangements | Federated sharing capabilities, collaborative features, MISP integration |
Conclusion
Vulnerability-Lookup is a practical, open-source tool that supports organizations, CSIRTs, and Member States in aligning with critical provisions of the NIS2 Directive. With features tailored for vulnerability tracking, coordination, enrichment, and disclosure, it provides a modular foundation for strengthening cybersecurity resilience across the EU.