Vulnerability-Lookup 5.0 Released: Making Coordinated Vulnerability Disclosure Easier for GCVE GNAs
The GCVE initiative is pleased to welcome the release of Vulnerability-Lookup 5.0.0, a major new version of the open-source software that powers db.gcve.eu.
This release is especially important for the GCVE ecosystem: it introduces new capabilities that make it easier for GCVE Numbering Authorities (GNAs) to manage their vulnerability publication workflows and support a practical Coordinated Vulnerability Disclosure (CVD) process using open, interoperable tooling.
Vulnerability-Lookup already plays a central role in the GCVE ecosystem. It provides the foundation for collecting, correlating, publishing, and synchronising vulnerability information across independent sources. With version 5.0, the project takes an important additional step: supporting GNAs not only as publishers of vulnerability records, but also throughout the operational process of reserving identifiers, preparing advisories, managing their state, and publishing structured information.

A Practical Workflow for GCVE GNAs
A GNA needs more than the ability to allocate an identifier. In practice, a vulnerability handling workflow includes receiving or investigating a report, reserving an identifier, preparing an advisory, coordinating disclosure, publishing the resulting record, and making that information available to the broader community.
Vulnerability-Lookup 5.0 introduces a new CNA-interoperable API for managing vulnerabilities maintained by a local source. This API is also designed to support the needs of GCVE GNAs, enabling organisations to integrate vulnerability publication into their own operational processes while remaining compatible with established approaches in the vulnerability ecosystem.
For GNAs, this means that a Vulnerability-Lookup instance can now support important parts of the CVD lifecycle, including:
- reserving GCVE identifiers;
- preparing and editing vulnerability records;
- managing publication states;
- publishing advisories in a structured format;
- rejecting or deleting records when appropriate;
- synchronising published information with other instances.
This is an important step toward making decentralised vulnerability publication operationally simple, while preserving the autonomy of each GNA.

Vulnogram Integration for Advisory Preparation and Publication
Version 5.0 includes deeper integration with Vulnogram, providing a practical user interface for preparing and managing vulnerability advisories.
Through this integration, GNAs can now perform identifier reservation and vulnerability data management directly within the workflow. New capabilities include:
- a dialog for viewing and reserving identifiers;
- creation of identifier ranges;
- filtering records by state;
- reject and delete actions;
- automatic insertion of reserved identifiers into the advisory form.
This reduces the operational friction associated with handling vulnerabilities and preparing structured advisories. Rather than maintaining disconnected processes for identifier allocation, record creation, and publication, GNAs can rely on a more integrated workflow built on open-source components.
For organisations developing or formalising their CVD processes, this also offers a concrete implementation path: an open tool supporting the transition from vulnerability report handling to publication of a structured advisory.

Compatibility with GCVE and Existing Vulnerability Formats
Interoperability remains a key principle of the GCVE initiative.
Vulnerability-Lookup 5.0 supports advisory management compatible with both the CVE JSON 5.2 format and the GCVE Vulnerability Format defined in GCVE-BCP-05. This allows GNAs to publish GCVE records while remaining close to existing tooling and data models already used across the vulnerability management community.
The release also builds on the decentralised publication model described in GCVE-BCP-03. GNAs can publish vulnerability information from their own infrastructure and make it available for synchronisation with other participating instances, without relying on a single central publication authority.
This combination is essential for the GCVE model:
- GNAs retain control over their own processes and infrastructure;
- vulnerability information can be published in a structured and reusable form;
- other platforms can consume and correlate records from multiple sources;
- compatibility with existing vulnerability ecosystems is preserved.

Configurable GCVE Identifier Allocation
Another important addition in Vulnerability-Lookup 5.0 is support for configurable GCVE identifier allocation ranges.
GNAs can configure the allocation ranges used for identifier reservation, making it easier to organise and operate their own numbering processes. A migration script is also provided for converting existing local-source data to the new GNA identifier format.
These capabilities help organisations adopt GCVE incrementally, including those already operating a Vulnerability-Lookup instance or maintaining their own locally published vulnerability records.
db.gcve.eu is the public vulnerability advisory database operated within the GCVE initiative and powered by Vulnerability-Lookup. It provides an openly accessible interface for collecting and correlating vulnerability information from GCVE GNAs and other public vulnerability sources.
The release of Vulnerability-Lookup 5.0 strengthens the software foundation behind this ecosystem. More importantly, it gives GNAs a practical open-source solution for running their own vulnerability publication infrastructure and contributing to a decentralised, federated, and resilient vulnerability information network.
GCVE is not intended to replace organisational autonomy with a new central platform. Its goal is to enable independent publishers to allocate identifiers, manage disclosures, publish records, and collaborate through open standards and interoperable implementations.
Vulnerability-Lookup 5.0 is a significant contribution toward that goal.

More Improvements in Version 5.0
In addition to the new GNA- and CVD-related capabilities, Vulnerability-Lookup 5.0 introduces several other improvements, including:
- a new view listing Known Exploited Vulnerability (KEV) catalogues;
- an improved presentation of recent sightings;
- refreshed user interface components across several views;
- production reference architecture documentation;
- additional API, Docker, stability, typing, and correctness fixes.
These improvements continue to make Vulnerability-Lookup a robust open-source platform for vulnerability management, correlation, publication, and operational use.

Thank You to the Contributors
The GCVE initiative would like to congratulate and thank the Vulnerability-Lookup contributors for this major release.
A special acknowledgement goes to Niclas Dauster for the substantial contribution behind the new CNA-interoperable API. Contributions such as these demonstrate the value of open-source collaboration in building reusable and interoperable infrastructure for the vulnerability management community.

Get Started
Organisations interested in becoming a GCVE Numbering Authority, publishing vulnerability information, or operating their own Vulnerability-Lookup instance are encouraged to explore the following resources:
- Eligibility and Process to Obtain a GNA ID
- Vulnerability-Lookup project
- GCVE initiative
- db.gcve.eu public vulnerability database
- GCVE-BCP-03: Decentralized Publication Standard
- GCVE-BCP-05: GCVE Vulnerability Format
- GCVE-BCP-02: Practical Guide to Vulnerability Handling and Disclosure
With Vulnerability-Lookup 5.0, GCVE GNAs now have an even stronger open-source foundation for managing coordinated vulnerability disclosure and publishing interoperable vulnerability information in a decentralised ecosystem.