GCVE, the decentralized vulnerability identification system operated by Luxembourg's CIRCL, has officially launched its publishing ecosystem alongside Vulnerability-Lookup 4.1.0. GCVE introduces GCVE Numbering Authorities (GNAs) as autonomous publishers, allowing organizations to issue vulnerability identifiers without routing through a central authority. Existing CVEs map into the GCVE format under GNA ID 0, maintaining backward compatibility. The 4.1.0 release adds full-text search via Meilisearch and eight new vulnerability sources that contribute over 96,000 advisories; it now aggregates more than one million records from 25+ sources. The system uses a federated model in which independent Vulnerability-Lookup instances synchronize data, including KEV references, sightings, and community enrichment. Eligibility to become a GNA is open to CVE CNAs, registered CSIRTs/CERTs, and vendors with official CPE names. The initiative aims to address CVE's centralization problems (bottlenecks, coverage gaps, and policy disputes) while raising questions about potential fragmentation of the vulnerability identifier landscape.