Publishing Vulnerability Information with GCVE
One of the main goals of the GCVE ecosystem is to make vulnerability publication simple, independent, and decentralized.
Organizations and researchers should be able to publish vulnerability information without relying on a central authority while still making their data globally discoverable.
With GCVE, publishing vulnerability information can be done in three straightforward steps.
Publish in Three Steps
Getting started with GCVE requires minimal effort.
1. Install a GCVE-compatible platform
Install a GCVE-compatible software implementation such as:
- Vulnerability-Lookup – the open source reference implementation of the GCVE ecosystem.
Vulnerability-Lookup allows you to:
- manage vulnerability records
- enrich vulnerabilities with additional metadata
- automatically publish your data using the GCVE synchronization protocol
The software can run locally or on your own infrastructure and remains fully under your control.
2. Request a GNA identifier
To allocate GCVE identifiers and publish vulnerabilities, you need a GNA (GCVE Numbering Authority) ID.
A GNA identifier uniquely identifies the organization responsible for allocating GCVE identifiers and publishing vulnerability records.
You can request a GNA ID from GCVE.eu.
3. Configure your instance
Once you receive your GNA ID, you simply configure your instance:
- set your assigned GNA identifier in the vulnerability configuration: gna-<YOUR GNA ID> in key local_instance_name of generic.json of your vulnerability-lookup configuration
- your vulnerability-lookup instance must be publicly available.
Your instance will then start publishing vulnerability records that can be discovered and synchronized by other GCVE-compatible systems.
This allows your vulnerability information to be automatically aggregated by platforms such as Vulnerability Lookup and other ecosystem participants.
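A pre-flight check for step 3, added here as an example and not part of Vulnerability-Lookup: it validates the local_instance_name value in the text of generic.json before the instance is made public. It assumes GNA IDs are decimal numbers and the gna- prefix is lowercase; the function name, the sample configurations, the key other_key and the ID 65535 are constructed for illustration.

```python
import json
import re

# Assumption: GNA IDs are decimal integers, so a valid value looks like "gna-1234".
GNA_NAME = re.compile(r"gna-(\d+)")


def check_instance_name(config_text):
    """Return (gna_id, problems) for the text of a generic.json file."""
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return None, [f"generic.json is not valid JSON: {exc.msg}"]
    if not isinstance(config, dict):
        return None, ["generic.json must contain a JSON object"]
    value = config.get("local_instance_name")
    if value is None:
        return None, ["key local_instance_name is missing"]
    if not isinstance(value, str):
        return None, ["local_instance_name must be a string"]
    if "<" in value or ">" in value:
        # The documentation placeholder was copied without substituting the ID.
        return None, ["placeholder was not replaced with the assigned GNA ID"]
    if value != value.strip():
        return None, ["value has leading or trailing whitespace"]
    match = GNA_NAME.fullmatch(value)
    if match is None:
        return None, [f"expected gna-<numeric ID>, found {value!r}"]
    return int(match.group(1)), []


# Constructed sample configurations; 65535 is a made-up GNA ID and
# other_key is a hypothetical key standing in for unrelated settings.
SAMPLES = {
    "configured": '{"local_instance_name": "gna-65535"}',
    "placeholder": '{"local_instance_name": "gna-<YOUR GNA ID>"}',
    "wrong prefix": '{"local_instance_name": "GNA 65535"}',
    "key missing": '{"other_key": "value"}',
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        gna_id, problems = check_instance_name(text)
        status = f"OK, GNA {gna_id}" if not problems else "; ".join(problems)
        print(f"{label}: {status}")
```

The check covers only the configuration key; whether the instance is publicly reachable has to be verified separately from outside your network.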
Who Can Become a GNA?
You are eligible to receive a GNA ID if you meet one of the following criteria:
Existing CNA
- You are an existing CNA recognized by the CVE Program.
Organizations Not Acting as a CNA
You may also qualify if one of the following conditions applies:
- You are a registered CSIRT or CERT listed at FIRST.org, part of the EU CSIRTs Network, or a member of TF-CSIRT.
- You are a software, hardware, or service provider that regularly discloses vulnerabilities affecting your own products or services, and you have an official CPE vendor name assigned.
- You have a public vulnerability disclosure policy and maintain a publicly accessible source for newly disclosed vulnerabilities in GCVE-BCP 05 format.
If you fall into one of the above categories, please send an email to:
Include your organization’s name and request a GNA ID.
Publishing More Than Security Advisories
GCVE is not limited to publishing vendor advisories.
You can also publish vulnerability metadata and enrichment information, such as:
- Known Exploited Vulnerabilities (KEV) references
- comments or analysis
- threat intelligence context
- enrichment data
- cross-references to other vulnerability records
If your goal is not to publish advisories, but simply to enrich vulnerability information, you only need to install Vulnerability-Lookup.
Instances of Vulnerability-Lookup can synchronize with each other, sharing vulnerability metadata across the ecosystem. This allows organizations to contribute additional context without maintaining a full vulnerability disclosure workflow.
A Decentralized Ecosystem
The GCVE publication model is intentionally lightweight and decentralized.
Each organization:
- controls its own data
- publishes independently
- contributes to a shared vulnerability ecosystem
By combining independent publishers and synchronization between instances, GCVE enables a global vulnerability knowledge base without relying on a single central database.