Massimiliano Brolli : 6 October 2025 10:34
Very little has been said about this event, which I personally consider strategically important and a sign of a major shift in the management of undocumented vulnerabilities in Italy.
In March 2024, I wrote an article describing a nearly bleak Italian landscape: the culture of undocumented bugs, or zero-days, was practically nonexistent, and there was no active CNA (CVE Numbering Authority) in our country.
Vulnerability management is often left to chance or, worse, hidden behind a veil of secrecy that makes dialogue with the research community impossible. That piece, published on Red Hot Cyber, ricocheted across social media and sparked widespread reactions, a sign that something was changing, but at the time few could have imagined it would herald real change.
The prevailing approach among Italian software producers is often characterized by a lack of familiarity with the practices for handling undocumented vulnerabilities, or by a deliberate choice of "security by obscurity", in the belief that hiding bugs guarantees security.
This model, while widespread, is inherently fragile: it ignores the reality of contemporary cybersecurity, where every unmanaged vulnerability is an open door to targeted, sophisticated and increasingly frequent attacks. A bug that the vendor refuses to acknowledge is not a bug the attacker does not know about; it is a bug the customer cannot patch.
Indeed, the culture of obscurity has often led to neglect, slow response, and ultimately, real risks for citizens, institutions, and customers, including national security.
Today, finally, things are changing. Starting in September 2024, two major Italian companies, Almaviva and Leonardo, officially became CNAs.
This means they can assign CVE identifiers to vulnerabilities within their scope, whether found internally or reported by independent researchers and the hacker community, thus entering the international CVE network. This isn't a technical detail: it demonstrates that Italy is starting to take undocumented vulnerabilities seriously and is structuring security processes consistent with global standards. In practice it also means that a researcher who finds a bug in one of their products now has a named point of contact and a process, rather than a generic inbox and silence.
The transition isn't just about bug discovery, but about the very way security is conceived. CVD (Coordinated Vulnerability Disclosure) becomes the tool through which companies collaborate with researchers, share information in a controlled way, and fix issues before details are made public, narrowing the window in which an attacker can exploit a known but unpatched flaw. CVD is, in practice, the bridge between vulnerability discovery and responsible management, a principle that until recently seemed almost utopian in the Italian context.
What is impressive is how this new approach demonstrates that transparency, ethics and collaboration are not obstacles to business, but factors that strengthen it.
Managing vulnerabilities through a defined disclosure process reduces exposure, improves corporate reputation, and builds trust among customers and partners. Italy is learning that security is not an accessory, but an enabling factor that can generate tangible value. This is also the result of a slow but significant shift in cybersecurity culture in Italy, supported by the efforts of the National Cybersecurity Agency (ACN), which, with perseverance and determination, is paving a path toward greater awareness and professionalism in the sector.
If we look at the open source experience, we find a consolidated pattern: open projects thrive on collaboration and knowledge sharing. Bugs, patches, and improvements become common property, and the entire community benefits from the results. The lesson is clear: especially in cybersecurity, cooperation is not a risk, but a valuable resource, capable of transforming potential threats into opportunities for growth.
I've often emphasized a key concept: "hacking is a journey, not a destination." For Italian companies, the transition from a lack of zero-day culture, or worse, from security by obscurity, to open and responsible vulnerability management isn't just a technical feat: it's a true growth journey, a profound cultural shift that requires vision, awareness, and openness to dialogue with the research community.
It means accepting that security can’t be treated like a trade secret, but rather as a shared commitment to the community, customers, and society as a whole. It requires courage, vision, and leadership, but it paves the way for more resilient and sustainable digital ecosystems.
Almaviva and Leonardo are clearly showing the way: not only do they recognize their responsibility to their customers, but they also value the ethical role of independent researchers and the hacker community, adopting standards and processes that make it possible to manage undocumented vulnerabilities.
This model demonstrates that transparency and collaboration are not incompatible with competitiveness, but rather strengthen it, transforming risk into an opportunity for continuous innovation and product improvement.
The new Italian approach also reflects a broader shift in mindset: security is not just technical, but social, cultural, and ethical. Responsible vulnerability management requires dialogue, trust, and cooperation between companies, researchers, and communities, principles that form the foundation of a healthy and sustainable digital ecosystem.
The road is still long, and the work of spreading CNAs and CVD across Italian companies has only just begun. But the fact that we now have two official CNAs represents a concrete change, the first sign of a new paradigm.
Despite the progress made, Italy and all of Europe still depend on US-run processes for vulnerability management: the CVE program operated by MITRE assigns identifiers through its CNAs, and the National Vulnerability Database (NVD) maintained by NIST enriches those records with scoring and classification. Together, the US model dictates the de facto global standard.
Although there is a European project, the European Vulnerability Database (EUVD) managed by ENISA, it is still in its infancy and far from having a vulnerability classification and enrichment model as structured as the US one built by MITRE and NIST.
From a European strategic autonomy perspective, it would be desirable to develop a system similar to the US one, integrating enumeration, risk assessment, and coordinated vulnerability management. A model of this kind already exists in China with the CNNVD, the national repository that combines enumeration and risk assessment processes, showing how a national (and, by extension, European) approach can ensure control, consistency, and timeliness in the management of critical bugs.
The dream, therefore, is to see a mature and independent European system , in which ENISA can manage a European model for classifying and managing undocumented bugs, with clear standards, shared risk assessment processes, and a transparent repository accessible to researchers, companies, and institutions. This would not be just a technical feat: it would represent a cultural and strategic leap for the entire cybersecurity community, a signal that Europe wants to build autonomy in cybersecurity, enhance collaboration with the hacker community, and protect citizens with its own modern and reliable tools.
Until then, every step taken by Italian companies, every CNA established and every CVD handled responsibly remains a small but fundamental piece of this long journey: a journey that leads from dependence on others towards conscious, ethical and autonomous security.