There is a new kid in town: GCVE!

In the first quarter of 2025, while reading about the CRA, I came across the Global CVE (GCVE) allocation system. I believe I heard about GCVE in an open source security podcast. By the way, this is a nice podcast if you are interested in open source security.

After hearing much about the CVE program and its bottlenecks, it is very understandable why GCVE was created. A few challenges in the CVE program are:

  • New CVEs Received vs Analyzed Over Time – This shows the growing gap between submissions and processing.
  • CVE Status Breakdown – A clear view of how many CVEs are in limbo (awaiting analysis, undergoing analysis, or deferred).
  • Modified CVEs Re-analyzed – Limited effort is allocated to reprocessing modified vulnerabilities.

For more details, check this blog from Phoenix Security.

Now let's dive into the factors that contributed to the creation of GCVE. The Computer Incident Response Center Luxembourg (CIRCL) developed the open source vulnerability-lookup project to address past challenges in collecting diverse sources, ensuring both diversity and stability.

While maintaining the project, CIRCL identified many shortcomings in ID allocation and correlation when using and operating the vulnerability.circl.lu instance(s). To address this, CIRCL created GCVE.eu as a resilient ID allocation system, designed to ensure autonomy from various vulnerability publishers and improve stability in identifier correlation.

While remaining compatible with the traditional CVE system, GCVE introduces GCVE Numbering Authorities (GNAs). GNAs are independent entities that can allocate identifiers without relying on a centralised block distribution system or rigid policy enforcement.

This raises the question of who can become a GNA. This is very well described here.
For ease of reading, the criteria are listed below:

  1. You are an existing CNA recognized by the CVE Program.
  2. You are not a CNA, but you meet one of the following conditions:
     • You are a registered CSIRT or CERT listed at FIRST.org, part of the EU CSIRTs Network, or a member of TF-CSIRT.
     • You are a software, hardware, or service provider that regularly discloses vulnerabilities affecting your own products or services, and you have an official CPE vendor name assigned.
     • You have a public vulnerability disclosure policy and maintain a publicly accessible source for newly disclosed vulnerabilities.

If someone does not fall into one of the categories above, they can email gna@gcve.eu with their organization’s name and request. This allows GCVE to assign the requester a GNA ID.

What problem does it solve?
Creating a CVE can take time and is not an easy process. One can therefore use GCVE and create a GCVE ID to start with, then link the GCVE to the CVE once the CVE is created. Creating just a GCVE is not enough if CVE creation is the goal. It is not clear to me whether creating a GCVE is good enough under the CRA regulation. GCVE is a new allocation system: a decentralized approach to vulnerability identification and numbering, designed to improve flexibility, scalability, and autonomy for participating entities.

What are the advantages of GCVE?
Creating a CVE can take time and is not an easy process, so one can create a GCVE ID to start with. When the CVE is created later, the GCVE can be linked to it.

Advantages of the GCVE system are:

  • Decentralized Allocation: GNAs manage their own ID assignments.
  • Policy Flexibility: GNAs can operate under their own guidelines.
  • Scalability: Helps avoid bottlenecks found in centralized systems.
  • Compatibility: Seamlessly integrates existing CVEs via GNA ID 0.

Compatibility between GCVE and CVE
The link between GCVE and CVE is established using a reserved mapping mechanism, which allows every official CVE identifier to be represented directly in the GCVE system using a unique GCVE format. This ensures compatibility and enables seamless cross-referencing between the two systems.

How the Link Works
Reserved GNA ID: GCVE uses a reserved GNA (GCVE Numbering Authority) ID of “0” to represent traditional CVEs within the GCVE namespace.

Format: Any CVE ID, such as CVE-2024-12345, is mapped to GCVE as GCVE-0-2024-12345. All existing and future standard CVE IDs are represented within the GCVE system using the reserved GNA ID 0. For example, CVE-2023-40224 can be represented as GCVE-0-2023-40224.
A real example from vulnerability.circl.lu is CVE-2025-12285, which is shown there as a GCVE created with GNA ID “0”.
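
The GNA-0 mapping matters most when identifiers from several sources have to be correlated. The following Python code is an added example, not code from GCVE or the vulnerability-lookup project; it assumes that IDs issued by other GNAs use the same four-field layout as the GNA-0 form, and the function names and sample feed are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: IDs issued by other GNAs use the same four-field layout as the
# GNA-0 form shown in the post (GCVE-<GNA ID>-<year>-<number>).
_CVE = re.compile(r"CVE-(\d{4})-(\d{4,})", re.I | re.A)
_GCVE = re.compile(r"GCVE-(\d+)-(\d{4})-(\d+)", re.I | re.A)

def to_gcve(identifier: str) -> str:
    """Return the canonical GCVE form of a CVE or GCVE identifier."""
    text = identifier.strip()
    m = _CVE.fullmatch(text)
    if m:  # every CVE lives under the reserved GNA ID 0
        return f"GCVE-0-{m.group(1)}-{m.group(2)}"
    m = _GCVE.fullmatch(text)
    if m:
        gna = int(m.group(1))  # normalise e.g. "00" to 0
        return f"GCVE-{gna}-{m.group(2)}-{m.group(3)}"
    raise ValueError(f"not a CVE or GCVE identifier: {identifier!r}")

def to_cve(identifier: str):
    """Return the CVE ID for a GNA-0 identifier, or None for other GNAs."""
    _, gna, year, num = to_gcve(identifier).split("-")
    return f"CVE-{year}-{num}" if gna == "0" else None

def correlate(records):
    """Group (source, identifier) pairs by canonical GCVE ID; collect rejects."""
    groups, rejected = defaultdict(list), []
    for source, identifier in records:
        try:
            groups[to_gcve(identifier)].append(source)
        except ValueError:
            rejected.append((source, identifier))
    return dict(groups), rejected

# Constructed sample feed; source names and the last two IDs are made up.
SAMPLE = [
    ("nvd", "CVE-2023-40224"),
    ("vulnerability-lookup", "gcve-0-2023-40224"),
    ("vendor-advisory", "GCVE-1-2025-00001"),  # constructed non-zero GNA ID
    ("scanner", "CVE-24-12345"),               # malformed, must be rejected
]

if __name__ == "__main__":
    groups, rejected = correlate(SAMPLE)
    for gcve_id, sources in groups.items():
        print(gcve_id, to_cve(gcve_id), sources)
    print("rejected:", rejected)
```

An identifier from a non-zero GNA has no CVE equivalent under this mapping, so `to_cve` returns `None` for it rather than guessing one.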

Conclusion
This is a very interesting project. Organisations can consider becoming a GNA and start publishing vulnerabilities faster using GCVE.
