I'm now GNA 119 under CIRCL's GCVE system — a decentralized vulnerability
identification authority. I have authority to mint vulnerability
identifiers for cloud findings, including ones where vendor CNAs decline
to issue CVEs.

I could start assigning IDs to my own research today. I won't.

Cloud vulnerability validation shouldn't be one person's judgment. Mine
or anyone else's.

I'm forming a consensus panel of practitioners for each major cloud
platform — AWS, GCP, Azure, and managed services. GCVE-119 allocations
will go through panel review, not solo decisions.

Charter, scope, and membership criteria coming. Community input on
structure welcome before anything is finalized.

Background on GCVE and the cloud finding gap:
https://olearysec.com/gcve/

#infosec #vulnerability #GCVE #cloudsecurity #security

We just published a new GCVE repository: gcve-enriched-dumps.

This repository demonstrates a practical and reproducible enrichment pipeline for vulnerability records. The current workflow uses VLAI, a RoBERTa-based model from Vulnerability-Lookup, to estimate vulnerability severity directly from vulnerability descriptions.

For more details: https://gcve.eu/2026/05/21/gcve-enriched-dumps/

@circl

#cve #gcve #vulnerabilitymanagement #cybersecurity #opensource #opendata #ai

RE: https://infosec.exchange/@sambowne/116593682047881738

If I understood #GCVE correctly, this is exactly the sort of case where you want to use this process to assign a #GCVE identifier, @adulau -> what do you think?

We are happy to announce a new extension mechanism in the GCVE vulnerability format, starting with a very practical and timely one: AI-assisted vulnerability information annotations.

The first extension, GCVE BCP-05-X-01, defines how GCVE records can describe when AI or automated processing was used to create, enrich, summarize, classify, or analyze vulnerability information.

#ai #ia #gcve #vulnerabilitymanagement #vulnerability #opensource #openstandard

🔗 https://gcve.eu/bcp/extension/gcve-bcp-05-x-01/

GCVE has published a description of the scope of a GCVE record. It is based on feedback, misunderstandings from articles about the GCVE initiative, and ideas from GNAs actually assigning IDs.

The document is still in draft before in a final publication. Feedback is welcome via the standard Discourse platform.

BCP-09 -> https://gcve.eu/bcp/gcve-bcp-09/

#gcve #cve #vulnerability #opensource #vulnerability #cybersecurity

https://social.circl.lu/@gcve/116588958833692618

GCVE-BCP-09: Scope of a GCVE Record

This document clarifies what is actually recorded in GCVE. A GCVE record is not limited to the traditional concept of a vulnerability description. In the GCVE model, records are assigned independently by a GCVE Numbering Authority (GNA) and may represent a broader set of vulnerability-related information.

#cve #gcve #vulnerabilitymanagement #vulnerability #opensource #standard

🔗 https://gcve.eu/bcp/gcve-bcp-09/

RE: https://social.circl.lu/@gcve/116472772889791098

After the recent hackathon and the feedback from different contributors, we published a first draft version of GCVE-BCP-10 to refresh the Common Platform Enumeration model.

#gcve #cpe #cybersecurity

https://infosec.exchange/@gcve@social.circl.lu/116472772989905449

GCVE-BCP-10: Improved Common Platform Enumeration for GCVE

This document specifies an improved platform enumeration model for GCVE aligned with the current implementation of cpe-editor.

#cpe #cve #gcve #infosec #vulnerabilitymanagement

🔗 https://gcve.eu/bcp/gcve-bcp-10/