
GCVE: Global CVE Allocation System

Understanding the decentralized vulnerability identification system, the GNA model, and olearysec's participation as GNA 119.

  • olearysec GNA ID: 119
  • Registered GNAs: 31
  • CVE Legacy GNA: 0
  • EU: Co-funded by ECCC

The Problem GCVE Solves

CVE: Centralized Control
  • Single contract controls the namespace
  • Vendors assign their own CVEs
  • Researchers can't mint identifiers
  • Disputed findings disappear
GCVE: Federated Model
  • Multiple authorities share the namespace
  • Independent GNAs can allocate IDs
  • Researchers get identifier authority
  • Findings persist regardless of vendor

When a vendor CNA declines to issue a CVE, the finding effectively disappears from the shared identifier namespace. This has been documented across major cloud providers—see Tenable’s Azure Service Tags research[2], Orca’s AutoWarp disclosure[2], and Wiz’s BingBang finding[2].

GCVE changes this: qualified independent authorities can mint identifiers for the same vulnerability, creating a parallel record that exists regardless of vendor cooperation.


GCVE Identifier Format

GCVE-119-2026-0001 (fields after the GCVE prefix: GNA ID = 119, Year = 2026, Sequence = 0001)

CVE-2024-1234 = GCVE-0-2024-1234 (GNA 0 = legacy CVE)

  • Decentralized: GNAs allocate independently—no block requests needed
  • CVE Compatible: All existing CVEs map via GNA ID 0
  • 255 Char Max: Ensures compatibility across all systems
  • Federated DB: db.gcve.eu aggregates all GNA records
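
Added example (not from the original page or the GCVE project): a Python normalizer that applies the format rules above, mapping CVE IDs to GNA 0, enforcing the 255-character limit, and pulling identifiers out of free text so CVE and GCVE records can be joined on one key. The digit-only sequence, the embedded GNA subset and the sample text are assumptions constructed here.

```python
import re

MAX_ID_LEN = 255     # length limit stated on this page
LEGACY_CVE_GNA = 0   # GNA 0 = legacy CVE namespace

# Subset of the GNA directory listed on this page (embedded, not fetched live).
GNA_NAMES = {0: "CVE (legacy)", 1: "CIRCL", 3: "Red Hat", 119: "olearysec", 404: "VulnCheck"}

# Assumption: the sequence part is decimal digits, as in the page's examples.
_GCVE_RE = re.compile(r"GCVE-(\d+)-(\d{4})-(\d+)", re.IGNORECASE)
_CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,})", re.IGNORECASE)
# Finds either form in free text; the lookbehind stops "CVE-" matching inside "GCVE-".
_ANY_RE = re.compile(r"(?<![A-Za-z0-9-])G?CVE-\d[\d-]*\d", re.IGNORECASE)


def normalize(identifier):
    """Return (gna_id, year, sequence) for a CVE or GCVE identifier, else None."""
    ident = identifier.strip()
    if not ident or len(ident) > MAX_ID_LEN:
        return None
    m = _GCVE_RE.fullmatch(ident)
    if m:
        return int(m.group(1)), int(m.group(2)), m.group(3)
    m = _CVE_RE.fullmatch(ident)
    if m:
        return LEGACY_CVE_GNA, int(m.group(1)), m.group(2)
    return None


def canonical(identifier):
    """Canonical GCVE string, e.g. CVE-2024-1234 -> GCVE-0-2024-1234."""
    parts = normalize(identifier)
    return "GCVE-%d-%d-%s" % parts if parts else None


def extract(text):
    """Map each distinct canonical ID found in text to its allocating GNA's name."""
    found = {}
    for token in _ANY_RE.findall(text):
        cid = canonical(token)
        if cid is not None:
            gna = normalize(cid)[0]
            found[cid] = GNA_NAMES.get(gna, "unknown GNA %d" % gna)
    return found


# Constructed sample text, not a real advisory.
SAMPLE = "Tracked as GCVE-119-2026-0001; unrelated: CVE-2024-1234 and gcve-0-2024-1234."
```

Running `extract(SAMPLE)` yields two entries, because the CVE form and the lowercase GCVE-0 form collapse to the same canonical key.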

Who Operates GCVE

CIRCL
Computer Incident Response Center Luxembourg
Institutional role: Luxembourg's national CERT, part of Luxembourg House of Cybersecurity (LHC). CVE Numbering Authority under ENISA Root. National CVD coordinator under NIS 2.

GCVE infrastructure: Operates db.gcve.eu, maintains Vulnerability-Lookup reference implementation. EU co-funded via FETTA initiative under ECCC.[7][8]

Important clarification: GCVE is not “the EU’s CVE alternative.” It is CIRCL’s project, EU co-funded, designed to complement CVE—not replace it. The system maintains full backward compatibility with existing CVE identifiers.


Federation Architecture

[Diagram: GNA 1 (CIRCL), GNA 3 (Red Hat), GNA 119 (olearysec), GNA 114 (Siemens) and GNA 404 (VulnCheck) connect to the GCVE Federation at db.gcve.eu, which aggregates vulnerability records from all GNAs into a unified knowledge base.]

Each GNA publishes vulnerability records independently. Records propagate across the federation without central control over the namespace.[9]


Registered Authorities

31 registered GNAs as of May 22, 2026. Live directory · Frozen snapshot

National CERTs
  • CIRCL: GNA 1
  • EUVD (ENISA): GNA 2
  • SK-CERT: GNA 106
  • CERT-QC: GNA 112
  • DFN-CERT: GNA 680
  • NCSC-CH: GNA 1291
Vendor PSIRTs
  • Red Hat: GNA 3
  • Ericsson: GNA 101
  • Thales PSIRT: GNA 107
  • Siemens: GNA 114
  • Nozomi Networks: GNA 118
Vuln Intelligence
  • VulDB: GNA 100
  • Securin: GNA 108
  • Vulnetix (VVD): GNA 110
  • VulnCheck: GNA 404
Security Research
  • Cisco Talos: GNA 31337
  • Pentagrid: GNA 2342
  • Austin Hackers: GNA 1337
  • Fluid Attacks: GNA 116
  • MOGWAI LABS: GNA 111
Individual Researchers
Currently rare—2 out of 31 GNAs. CIRCL extends identifier authority to qualified independents, not just institutions. Requirements: stable disclosure policy, contact mechanism, identifier integrity commitment.[11]
  • Adrian Dacka: GNA 115
  • olearysec: GNA 119

Why Cloud Security Needs GCVE

Traditional Software
  • v2.4.1
  • CVE-2024-1234
  • v2.4.2
  • Scanners detect → Users patch → Verified
Cloud Service
  • Always latest
  • No CVE (vendor declined)
  • Silent fix
  • No trackable record exists
With GCVE: Independent researchers create parallel records
  • GCVE-119-2026-0001, assigned by olearysec
  • Trackable record in db.gcve.eu
  • Defenders search, track, document

The cloud breaks the CVE model: No version numbers. No scanner signatures for service-level flaws. Vendor controls the narrative—declining a CVE removes it from the shared namespace.

GCVE restores visibility: When a vendor declines to acknowledge a finding, an independent GNA mints an identifier. The silent-patch window becomes visible. The finding persists regardless of vendor cooperation.


olearysec as GNA 119

  • GNA ID: 119
  • Site: olearysec.com
  • Registered: May 22, 2026
  • Scope: Cloud security: Azure, GCP, AWS, Kubernetes managed services
  • Disclosure Model: Coordinated, 90-day default timeline
  • Advisories: /advisories/ (human) · /advisories.json (machine)
  • Allocation Criteria: Working PoC; Third-party validation; Observable silent fix

Limitations

  • Tooling adoption uneven: US-centric scanners and SIEMs primarily consume CVE. GCVE requires explicit integration.
  • NIS2 doesn't mandate GCVE: The directive references CVD broadly—no specific GCVE requirement.
  • Duplication risk: Multiple GNAs may assign IDs to the same vuln. By design, but can cause confusion.[13]
  • Not vendor acknowledgment: A GCVE ID is a parallel record. Vendors may still dispute, ignore, or never patch.

GCVE is infrastructure, not a solution. It expands who can create trackable vulnerability records. Whether that improves outcomes depends on how the security community uses it.


References

  1. CyberScoop: GCVE vulnerability database launches — April 2025 CVE funding crisis context
  2. Disputed cloud findings: Tenable Azure Service Tags, Orca AutoWarp, Wiz BingBang
  3. GCVE About Page — "The GCVE initiative is operated by CIRCL"
  4. GCVE FAQ — Decentralized allocation without block pre-allocation
  5. GCVE FAQ — CVE compatibility via GNA ID 0
  6. GCVE-BCP-04 — ID format, naming conventions, 255-char limit
  7. CIRCL Official Site — Luxembourg CERT, ENISA CNA, NIS 2 CVD coordinator, FETTA
  8. Vulnerability-Lookup — GCVE reference implementation
  9. Socket.dev — Federation model analysis
  10. gcve.eu/dist/gcve.json — Live GNA directory
  11. GCVE-BCP-06 — GNA requirements
  12. GCVE-BCP-02 — Vulnerability handling guide
  13. GCVE-BCP-04 — Multiple IDs per vulnerability permitted

Last updated: 2026-05-22