VulnCheck’s Garrity on the Uncertainty of the CVE Ecosystem and EUVD’s Limitations
The CVE program and NIST’s National Vulnerability Database continue to be under pressure, despite their critical role in vulnerability tracking. The CVE program narrowly avoided a shutdown due to financial constraints, while the NVD lost critical resources and has not fully recovered after nearly 18 months.
Improved identity management and the use of multi-factor authentication have made credential compromise significantly more difficult for attackers. “The next easiest thing is just to exploit vulnerabilities and get access to the network in other ways. And, suddenly everyone’s like, ‘Oh my gosh, we need to do phone management again.’ And I think that’s the reality,” said Patrick Garrity, security researcher at VulnCheck.
The EU Vulnerability Database – despite its potential – remains immature and offers incomplete data that makes it nearly unusable for defenders, Garrity said.
In this video interview with Information Security Media Group at Infosecurity Europe 2025, Garrity also discussed:
- The state of existing vulnerability databases;
- Growth in CVEs and tracking their exploitability;
- The impact of the Cyber Resilience Act on vulnerability disclosure requirements.
As a security researcher at VulnCheck, Garrity focuses on vulnerabilities, vulnerability exploitation and threat actors. He has more than 15 years of experience in security research, marketing, sales and product roles for high-growth SaaS cybersecurity startups including Nucleus Security, Blumira, Censys and Duo Security. Prior to VulnCheck, he was a cybersecurity researcher and vice president of marketing at Nucleus Security.