GCVE: Global CVE Allocation System - A Year in Review

December 23, 2025

 #announce

GCVE in 8 Months: Building a Decentralized Vulnerability Identification System

In less than a year (in practice, just eight months), the GCVE initiative went from concept to a fully operational, decentralized vulnerability identification and publication system.

This post summarizes what we built, why it matters, and where we stand today.

A New Model for Vulnerability Identification

GCVE was created to address a long-standing structural limitation in vulnerability management: centralized allocation and control.

Instead of relying on a single global authority, GCVE introduces a resilient and autonomous system where independent entities can:

  • Obtain allocation prefixes
  • Identify and allocate vulnerability information
  • Publish vulnerabilities without depending on a central bottleneck
  • Interoperate through open, documented mechanisms

At its core, GCVE is about federation, autonomy, and resilience, while remaining compatible with existing vulnerability ecosystems.

Autonomous Prefix Allocation at Scale

One of the first milestones was setting up a robust allocation mechanism for GCVE prefixes.

This allows entities willing to take responsibility for vulnerability identification to become GCVE Numbering Authorities (GNAs). Each GNA receives a unique prefix and gains the freedom to:

  • Allocate identifiers independently
  • Publish vulnerability data under their own governance
  • Synchronize their data with others through open protocols

This design deliberately avoids gatekeeping and emphasizes accountability over central control.

Five Best Current Practices (BCPs)

To ensure consistency, trust, and interoperability, we delivered five Best Current Practice documents covering both technical and operational aspects of the GCVE system.

These BCPs span topics such as:

  • Operation of the GCVE system
  • Identifier allocation and governance
  • Synchronization mechanisms
  • Vulnerability data handling and publication
  • Best practices for responsible vulnerability management

Four out of the five BCPs are already published and available at:

Importantly, these are not theoretical documents — they are actively implemented and deployed.

From Specification to Implementation

GCVE is not just a set of ideas or documents.

The published BCPs are already implemented in multiple software projects, including:

This proves that decentralized vulnerability publication is not only possible, but practical and deployable today.

A Network Built on Open Information

In parallel with the technical work, we built a growing network of GNAs and contributors.

Key characteristics of this network:

  • Participation based only on open information
  • No privileged access or closed data feeds
  • Transparent processes
  • Shared responsibility for data quality and stewardship

This reinforces one of GCVE’s core principles: openness as a foundation for trust.

What We Achieved in 8 Months

To summarize:

  • ✅ Designed and deployed a decentralized vulnerability identification model
  • ✅ Implemented autonomous prefix allocation for GNAs
  • ✅ Delivered 5 BCP documents, with 4 already published
  • ✅ Deployed real-world software implementations
  • ✅ Built a distributed network of GNAs and contributors
  • ✅ Proved that vulnerability publishing can be federated, resilient, and open

Looking Forward

GCVE is still young, but the foundation is now solid:

  • Specifications exist
  • Implementations run in production
  • Governance is documented
  • The community is growing

The next phase will focus on adoption, interoperability, and feedback, ensuring that GCVE continues to evolve as a practical, community-driven alternative for vulnerability identification and publication.

If you are interested in operating a GNA, contributing implementations, or providing feedback on the BCPs, now is the right time to get involved.

GCVE operates a public Discourse instance.

GCVE was an experiment, but after eight months it is already a working system.