#gcve — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #gcve, aggregated by home.social.
-
@Le_suisse @ariadne @gregkh @wdormann @Viss @andrewnez @Di4na
Yes! The #GCVE folks are really on the ball about all this
I would be willing to bet a milkshake they will be one of the more authoritative sources in the future
-
RE: https://social.circl.lu/@gcve/116472772889791098
After the recent hackathon and the feedback from different contributors, we published a first draft version of GCVE-BCP-10 to refresh the Common Platform Enumeration model.
https://infosec.exchange/@gcve@social.circl.lu/116472772989905449
-
Does anyone know how to report errors to https://db.gcve.eu/? Just their info@mail? I looked up CVE-2026-6042 and CVE-2026-40200 there because I was annoyed that the NVD database (which #Buildroot uses for automated vulnerability checks) still didn't have them correctly labeled with the CPE (so automated tools can't identify the package is vulnerable).
Result: CVE-2026-40200 is correctly labeled (good!), while CVE-2026-6042 is not (different vendor/product). Mistakes happen, an organization that's trying to run a serious vulnerability DB really needs to provide an obvious "report errors here" mail address (or other means, but really… mail). :neocat_glare: #CVE #GCVE
-
Happy to read an article that clearly understands the stakes of vulnerability management and accurately reflects our approach with the GCVE project.
"The Global CVE Allocation System, backed by the EU, was launched in early January. This event follows the funding problems of the CVE program, operated by MITRE Corporation and supported by the US government. The initiative illustrates how the EU asserts its normative influence while reducing its dependence on non-European infrastructure. This dimension takes on its full importance at a time when great-power competition is returning."
#gcve #cve #europe #vulnerabilitymanagement #opensource #opendata
-
Working on a prototype for collaborative CPE editing, including relationship handling. It is starting to come together, and I see a lot of potential in extending the CPE format to make it more useful.
Maybe join me at hackathon.lu if you want to be part of this.
-
VulnMCP can now leverage multiple skills to classify vulnerability descriptions written in English, Russian, or Chinese.
https://github.com/vulnerability-lookup/VulnMCP
#AI #Orchestration #NLP #MCP #VulnerabilityLookup #Vulnerability #CVE #GCVE #Agentic #Python #OpenSource #Transformers
-
Just submitted - “GCVE Backstage: BCPs, Tooling, and Hackathon Opportunities” for hackathon.lu to show what can be done during the hackathon with the GCVE.eu project.
If you want a voucher to join the hackathon, let me know.
-
For hackathon.lu, I was initially unsure what my main project would be, but I ultimately decided to focus on implementing the future GCVE BCP-10.
GCVE-BCP-10: Improved Common Platform Enumeration for GCVE
The idea is to combine it with the cpe-guesser and have a registry to facilitate the interaction with the CPE values to handle vendor and product references.
#gcve #cve #cpe #opensource #cybersecurity
🔗 Draft https://discourse.ossbase.org/t/gcve-bcp-10-improved-common-platform-enumeration-for-gcve/1042
🔗 Hackathon https://hackathon.lu/
-
VulnMCP is an MCP server built with FastMCP that provides AI clients, chat agents, and other automated systems with tools for vulnerability management. It offers modular "skills" that can be easily extended or integrated, enabling intelligent analysis and automated insights on software vulnerabilities.
A new component in the galaxy of tooling of vulnerability-lookup.
Thanks to @cedric who is becoming an orchestrator for many AI tools nowadays.
#cve #gcve #vulnerability #vulnerabilitymanagement #opensource #ai #mcp #vulnerabilitylookup
-
cpe-guesser 2.0 released - Multi-Source CPE Imports, Better Ranking, and Greater Autonomy Beyond NVD
Version 2.0 brings major improvements to CPE import, ranking, and CVE v5 data handling. This release focuses on better import performance, broader format support, improved search relevance, and more robust indexing for vendor and product matching.
A notable change in this release is that cpe-guesser is no longer limited to NVD as its only practical CPE source. In addition to the NVD feeds, it can also leverage the Vulnerability-Lookup dump available at https://vulnerability.circl.lu/dumps/ , providing additional CPE sources and more autonomy from the previously NVD-only source model.
This release lays an important foundation for improving the GCVE ecosystem, especially by strengthening vendor and product references through better CPE source diversity, indexing, and matching capabilities. If you have ideas for further improvements, additional data sources, or better ways to refine vendor and product identification, we would be very happy to hear your feedback.
https://www.vulnerability-lookup.org/2026/03/22/cpe-guesser-2.0-released/
https://github.com/vulnerability-lookup/cpe-guesser
#gcve #cve #opensource #cpe #vulnerability #vulnerabilitymanagement
-
gcve-eu-kev updated — a CISA KEV and ENISA CNW/EUVD to GCVE BCP-07 converter.
It now also includes a generic RSS/Atom exporter for any GCVE KEV BCP-07 feed.
#cybersecurity #gcve #kev #cve #vulnerability #vulnerabilitymanagement
🔗 https://github.com/gcve-eu/gcve-eu-kev
🔗 https://gcve.eu/bcp/gcve-bcp-07/
-
With the recent integration of CERT-VDE’s CSAF advisories, it becomes even clearer why diverse vulnerability data sources are essential.
CSAF delivers direct vendor remediation information, and when correlated with the CVE Program, it highlights how important federation and data correlation are for remediation efforts and vulnerability management as a whole. (See example below)
🔗 https://db.gcve.eu/vuln/vde-2025-066
#gcve #cve #vulnerabilitymanagement #cybersecurity #opensource
-
A new pull request for Vulnerability-Lookup adds a CSAF producer that publishes advisories for many manufacturers.
This is great for defenders and researchers, as it increases the amount of detailed vulnerability information available.
It will push the number of ingested feeds to more than 50 unique sources, highlighting the growing diversity of our data sources.
If someone tells you there is a single source of truth for vulnerability information, they’re ignoring the reality: vulnerability intelligence comes from many different sources.
Thanks to @rafi0t for the continuous work on adding CSAF and feeds to vulnerability-lookup
#gcve #cve #cybersecurity #csaf #vulnerability #opendata #opensource
🔗 The new PR with many new CSAF sources https://github.com/vulnerability-lookup/vulnerability-lookup/pull/348
🔗 The open source vulnerability-lookup software https://www.vulnerability-lookup.org/
🔗 GCVE instance https://db.gcve.eu/
-
We have scheduled the community meetings for March 2026. This is where you meet fellows working with the same issues, discuss and help us set our priorities for the project.
Register for free here: https://www.gvip-project.org/community/
-
The GCVE.eu initiative will take part in hackathon.lu (14–15 April, Luxembourg), alongside core developers of GCVE-related projects. See you there to build, experiment, and collaborate!
-
🚀 CodeClarity v0.0.25-alpha released!
New in this version:
• Starting our GCVE journey — now fetching vulnerability data from cvelistv5 hosted by CIRCL
• Archive upload — import projects from .zip archives, no git repo required
• Smarter vuln detection — fewer false positives, multi-language analysis
Coming soon: Beta release!
🦉 Open-source alternative to Snyk & Checkmarx
🌐 www.codeclarity.io
#OpenSource #CyberSecurity #DevSecOps #InfoSec #FOSS #AppSec #GCVE #SCA #VulnerabilityManagement
-
Many people are concerned about the CRA requirements, especially how they map to real-world coordinated vulnerability disclosure (CVD) processes.
I tried to map the standard to the functionality we have in GCVE.eu to see how it could be integrated into a standard CRA process and support compliance.
🔗 https://discourse.ossbase.org/t/cra-and-gcve-overview/1017
#cra #vulnerability #vulnerabilitymanagement #cybersecurity #gcve
-
Join our community and contribute to the work! Register today at https://www.gvip-project.org/community/
-
Acknowledging Reality in Vulnerability Disclosure.
Every few years, vulnerability disclosure is declared settled. We are told that the ecosystem has matured, that coordinated disclosure is the answer, and that whatever remains outside this model is either irresponsible, obsolete, or simply irrelevant.
🔗 https://www.foo.be/2026/02/Acknowledging-Reality-in-Vulnerability-Disclosure
#vulnerabilitymanagement #gcve #cve #cybersecurity #cvd #vulnerabilitydisclosure #open
This is my bloody personal blog, not an official statement.
-
Full disclosure in computer security still exists and is complementary to other disclosure models. The evolution of vulnerability disclosure is not linear from full disclosure to responsible disclosure to coordinated disclosure. These models coexist and all need to be taken into account.
You can’t just say “the legal framework will solve it” or “just do coordinated disclosure.” Vendors, researchers, and users are not all rational actors playing the same game.
Vulnerability disclosure is more complex than that, and if you actually want to address the issue, you can’t just say “it doesn’t exist.”
#cve #gcve #vulnerabilitymanagement #cybersecurity #fulldisclosure #vulnerability
-
Following a great question from CERT.PL about GCVE KEV assertion format and especially about the confidence level for an evidence of a vulnerability assertion.
We made a first table of confidence level for the evidence in the KEV record format.
#kev #gcve #format #vulnerability #openstandard
🔗 Discussions / Proposal https://discourse.ossbase.org/t/kev-known-exploited-vulnerabilities-potential-format-bcp-07/744/36?u=adulau
🔗 GCVE BCP-07 https://gcve.eu/bcp/gcve-bcp-07/
-
We’ve just set up a Matrix channel for Vulnerability-Lookup and GCVE discussions.
Matrix public room:
#vulnerability-lookup-public:matrix.circl.lu
This space is intended for informal discussions. For standard and more detailed discussions, we recommend using:
🔗 vulnerability-lookup discourse https://discourse.ossbase.org/c/vulnerability-lookup/6
🔗 GCVE discourse https://discourse.ossbase.org/c/gcve/14
-
GCVE will be at hackathon.lu - April 14th and 15th, 2026
So if you want to work on all the cool stuff around vulnerability management, federated publication of vulnerability information, analytics, and anything related to vulnerabilities, join us.
#gcve #opensource #vulnerabilitymanagement #cybersecurity #federated
🔗 https://discourse.ossbase.org/t/gcve-will-be-hackathon-lu-april-14th-and-15th-2026/757
🔗 https://gcve.eu
-
Exports matter to us. A lot. You’ve been warned 😉
Vulnerability-Lookup now supports KEV catalog export to NDJSON.
#OpenData #KEV #CVE #GCVE #Vulnerability #OpenSource #CyberSecurity
-
Huge thanks to Cédric @cedric and Jerry Gamblin @jgamblin and the #FOSDEM participants for the great constructive feedback on the new GCVE-BCP-08.
There are still some open questions concerning the existing fields from the CVE program (CNA) and how we would include those in the directory file.
Feel free to comment on the update on the discourse below.
#gcve #cve #openstandard #vulnerabilitymanagement #opensource
🔗 Updated early draft version available https://discourse.ossbase.org/t/gcve-bcp-08-gcve-gna-directory-file-draft/754/5?u=adulau
-
While listening to discussions about federated systems and protocols at #fosdem (like the one I’m currently using): I realized something.
It recently resonated with me through some past and ongoing projects: when people are afraid of federation, they call it “balkanization” or “fragmentation.”
Sorry for the wording @aristot73
-
The GCVE vulnerability database, developed by Luxembourg’s CIRCL, is now publicly available and designed to remain CVE-compatible.
It aggregates advisories from 25+ centralized and decentralized sources, correlates naming conventions, and supports machine-based analysis for security teams and researchers.
The launch reflects ongoing conversations around redundancy, governance, and long-term stability in vulnerability disclosure frameworks.
How do you evaluate new vulnerability data sources before integrating them into your pipeline?
Source: https://www.inside-it.ch/europaeische-cve-alternative-ist-lanciert-20260121
Follow @technadu for objective cybersecurity reporting.
#GCVE #VulnerabilityManagement #ThreatIntel #CVE #SecurityResearch #EUInfosec
-
With db.gcve.eu, the #GCVE initiative has launched a freely accessible #database intended to serve as a central point of contact for information on IT #vulnerabilities. The aim is to make it easier for security teams, researchers, and developers to find and track security advisories across different ecosystems.
The #Opensource project is intended as a step toward a decentralized, federated approach to #vulnerabilitymanagement:
-
KEV Assertion Format – Draft Specification (potential BCP?)
This format describes a generic KEV (Known Exploited Vulnerability) assertion format.
The goal is to express who claims exploitation, when, based on what, where it was observed, and with which level of confidence, without turning KEV into full threat intelligence. A KEV assertion is usually very binary and lacking some meta-information. The format adds some information which could better capture details about the exploitation. A majority of the fields are optional except vulnerability, status and evidence.[].source which are recommended.
Feedback, ideas, comments more than welcome!
🔗 https://discourse.ossbase.org/t/kev-known-exploited-vulnerabilities-potential-format-bcp/744
-
We’ve updated the draft GCVE BCP-05 standard to introduce flexible record types, making it easier to extend, enrich, and structure security advisories.
Comments are more than welcome!
-
You can now use Sightings in Vulnerability-Lookup to uncover unpublished security advisories.
This feature aggregates early signals from multiple sources — websites, news feeds, social networks, the MISP Project (@misp), Nuclei templates, our community, and more.
Detect threats before they’re officially disclosed!
- https://vulnerability.circl.lu
- https://www.vulnerability-lookup.org/user-manual/sightings
- https://github.com/vulnerability-lookup/vulnerability-lookup
-
There's some cool sounding training on its way from @circl
CIRCL - Virtual Summer School (VSS) 2025
https://www.circl.lu/pub/vss-2025/
#MISP #AIL #LookyLoo #Lacus #Pandora #Kunai #DFIR #ThreatHunting #FlowIntel #Cerebrate #VulnerabilityLookup #GCVE
-
GCVE-1-2025-0001 published on the CIRCL Vulnerability-Lookup instance (GNA-1)
-
@sergedroz @gcve Hello, thank you for your question.
Both OVR and GCVE share the same goal: strengthening global vulnerability coordination.
However, from what I understand, GCVE is still based on individual instances that could fail without true redundancy.
Additionally, GCVE is maybe not really neutral due to its structure and affiliations.
OVR is developing a fully decentralized and resilient concept — not just for vulnerabilities, but also preparing for SBOM integration and considering upcoming legal requirements (e.g., cybersecurity regulations).
Our vision is an open, neutral, and community-based ecosystem that can survive political risks, technical outages, and grow sustainably with the global community.
Further information will follow in the next few days.
#CyberSecurity #VulnerabilityDisclosure #Decentralization #SBOM #OpenStandards #OVRFoundation #Resilience #DigitalSecurity
#CVE #OVR #GCVE #security #it #community