GCVE released cpe.gcve.eu - a collaborative CPE editing platform for transparent vulnerability data.

The service is still in beta and feedback is more than welcome.

🔗 https://cpe.gcve.eu/

#cpe #cve #vulnerabilitymanagement #vulnerability #gcve

Vulnerability-Lookup 5.0 Released: Making Coordinated Vulnerability Disclosure Easier for GCVE GNAs.

Vulnerability-Lookup 5.0 introduces a new CNA-interoperable API for managing vulnerabilities maintained by a local source.

#cve #gcve #vulnerabilitymanagement #cybersecurity #gna #vulnerability

🔗 https://gcve.eu/2026/05/29/vulnerability-lookup-5.0-released-making-coordinated-vulnerability-disclosure-easier-for-gcve-gnas/

Vulnerability-Lookup 5.0 Released: Making Coordinated Vulnerability Disclosure Easier for GCVE GNAs

The GCVE initiative is pleased to welcome the release of Vulnerability-Lookup 5.0.0, a major new version of the open-source software that powers db.gcve.eu. This release is especially important for the GCVE ecosystem: it introduces new capabilities that make it easier for GCVE Numbering Authorities (GNAs) to manage their vulnerability publication workflows and support a practical Coordinated Vulnerability Disclosure (CVD) process using open, interoperable tooling. Vulnerability-Lookup already plays a central role in the GCVE ecosystem. It provides the foundation for collecting, correlating, publishing, and synchronising vulnerability information across independent sources. With version 5.0, the project takes an important additional step: supporting GNAs not only as publishers of vulnerability records, but also throughout the operational process of reserving identifiers, preparing advisories, managing their state, and publishing structured information.

Playing with CSAF 2.1 CSD02 and GCVE extensions.

https://discourse.ossbase.org/t/csaf-and-gcve-bcp-05-extensions/1093

I think more and more that having a GCVE extension on all vulnerability standard formats makes much more sense nowadays.

#gcve #cve #csaf

@gcve

CSAF and GCVE BCP-05/extensions

We had a quick discussion about the use of CSAF in GCVE and especially about BCP-05 (if we stick with the CVE record format or go for something more versatile). In order to review what’s possible, we did a quick extension for CSAF 2.1 CSD, available at https://gcve.eu/schema/csaf/extensions/gcve-bcp-05-x-01_1.0.0.json, and we tested a conversion of the GCVE enriched CVE dump. It’s still at a very early stage. We also mention it to the CSAF OASIS TC.


During the last three months, from 25 February to 25 May 2026, GCVE has continued moving beyond an identifier-allocation concept into a practical ecosystem for publishing, correlating, enriching and consuming vulnerability information.

What have we accomplished over the past three months? Quite a lot. To learn more about our latest public developments and ongoing work, read our latest status update on the blog:

🔗 https://gcve.eu/2026/05/25/gcve-recent-activities-building-a-decentralised-and-operational-vulnerability-ecosystem/

#cve #gcve #vulnerabilitymanagement #cybersecurity

GCVE recent activities: building a decentralised and operational vulnerability ecosystem

A review of GCVE activities and achievements from 25 February to 25 May 2026, including new and revised Best Current Practices, based on public GitHub work and official GCVE publications.

I'm now GNA 119 under CIRCL's GCVE system — a decentralized vulnerability
identification authority. I have authority to mint vulnerability
identifiers for cloud findings, including ones where vendor CNAs decline
to issue CVEs.

I could start assigning IDs to my own research today. I won't.

Cloud vulnerability validation shouldn't be one person's judgment. Mine
or anyone else's.

I'm forming a consensus panel of practitioners for each major cloud
platform — AWS, GCP, Azure, and managed services. GCVE-119 allocations
will go through panel review, not solo decisions.

Charter, scope, and membership criteria coming. Community input on
structure welcome before anything is finalized.

Background on GCVE and the cloud finding gap:
https://olearysec.com/gcve/

#infosec #vulnerability #GCVE #cloudsecurity #security

GCVE: Global CVE Allocation System

Understanding the decentralized vulnerability identification system, the GNA model, and olearysec's participation as GNA 119.


We just published a new GCVE repository: gcve-enriched-dumps.

This repository demonstrates a practical and reproducible enrichment pipeline for vulnerability records. The current workflow uses VLAI, a RoBERTa-based model from Vulnerability-Lookup, to estimate vulnerability severity directly from vulnerability descriptions.

For more details: https://gcve.eu/2026/05/21/gcve-enriched-dumps/

@circl

#cve #gcve #vulnerabilitymanagement #cybersecurity #opensource #opendata #ai

Publishing GCVE enriched dumps with VL-AI severity classification

GCVE is not only about allocating vulnerability identifiers. It is also about building a practical, decentralized, and reproducible ecosystem around vulnerability publication, enrichment, and consumption. The new gcve-enriched-dumps repository demonstrates a first concrete automated enrichment pipeline for vulnerability records. The current enrichment published there focuses on VLAI severity classification: a RoBERTa-based model estimates the vulnerability severity from the vulnerability description. This is intentionally different from the LLM-based summarisation and recommendation example available in gcve-eu-ai-extension. The LLM example shows how local models can generate analyst-oriented summaries and recommendations, but those LLM-generated summaries are not what is currently published in gcve-enriched-dumps.

RE: https://infosec.exchange/@sambowne/116593682047881738

If I understood #GCVE correctly, this is exactly the sort of case where you want to use this process to assign a #GCVE identifier, @adulau -> what do you think?

We are happy to announce a new extension mechanism in the GCVE vulnerability format, starting with a very practical and timely one: AI-assisted vulnerability information annotations.

The first extension, GCVE BCP-05-X-01, defines how GCVE records can describe when AI or automated processing was used to create, enrich, summarize, classify, or analyze vulnerability information.

#ai #ia #gcve #vulnerabilitymanagement #vulnerability #opensource #openstandard

🔗 https://gcve.eu/bcp/extension/gcve-bcp-05-x-01/

GCVE BCP-05-X-01 - AI-Assisted Vulnerability Information Annotation

An extension to GCVE BCP-05 to support the annotation of vulnerability records where Artificial Intelligence (AI) or automated processing has been used during their creation, enrichment, or analysis.

GCVE has published a description of the scope of a GCVE record. It is based on feedback, misunderstandings from articles about the GCVE initiative, and ideas from GNAs actually assigning IDs.

The document is still in draft before a final publication. Feedback is welcome via the standard Discourse platform.

BCP-09 -> https://gcve.eu/bcp/gcve-bcp-09/

#gcve #cve #vulnerability #opensource #vulnerability #cybersecurity

https://social.circl.lu/@gcve/116588958833692618

GCVE-BCP-09: Scope of a GCVE Record

This document clarifies what is actually recorded in GCVE. A GCVE record is not limited to the traditional concept of a vulnerability description. In the GCVE model, records are assigned independently by a GCVE Numbering Authority (GNA) and may represent a broader set of vulnerability-related information.

#cve #gcve #vulnerabilitymanagement #vulnerability #opensource #standard

🔗 https://gcve.eu/bcp/gcve-bcp-09/