GCVE launches as a decentralized system for tracking software vulnerabilities

A European cybersecurity organization has launched a decentralized system for identifying and numbering software security vulnerabilities, introducing a fundamental shift in how the global technology community could track and manage security flaws.

The Global CVE Allocation System, or GCVE, will be maintained by the Computer Incident Response Center Luxembourg (CIRCL) as an alternative to the traditional Common Vulnerabilities and Exposures program, which narrowly avoided shutdown last April when the Cybersecurity and Infrastructure Security Agency initially failed to renew its contract with MITRE, the nonprofit that operates the CVE system. A last-minute extension averted immediate collapse, but the near-miss exposed the 25-year-old program’s dependence on a single funding source and triggered development of competing models.

Unlike the traditional CVE system, which relies on a centralized structure for assigning vulnerability identifiers, GCVE introduces independent numbering authorities that can allocate identifiers without seeking blocks pre-allocated from a central body or adhering strictly to centrally enforced policies. Each approved numbering authority receives a unique numeric identifier that becomes part of the vulnerability identification format, allowing organizations to assign identifiers at their own pace and define their own internal policies for vulnerability identification.

The system maintains backward compatibility with the existing CVE infrastructure through a technical accommodation. All existing and future standard CVE identifiers are represented within the GCVE system using the reserved numbering authority designation of zero. A vulnerability identified as CVE-2023-40224 in the traditional system can be represented as GCVE-0-2023-40224, allowing the new framework to coexist with established practices without disrupting existing databases and tools.
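The identifier mapping described above, as an added example that is not CIRCL's or the GCVE project's own code: it assumes the layout GCVE-&lt;numbering authority&gt;-&lt;year&gt;-&lt;number&gt; generalised from the single identifier quoted in the article, treats authority 0 as the CVE-compatible reservation, and uses a constructed authority number (12) purely as a placeholder for an independent numbering authority.

```python
import re
from typing import Optional

# Shapes assumed from the article: CVE-<year>-<number> and
# GCVE-<gna>-<year>-<number>, with GNA 0 reserved for the CVE program.
_CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
_GCVE_RE = re.compile(r"^GCVE-(\d+)-(\d{4})-(\d{4,})$")

CVE_GNA = 0  # reserved numbering authority that mirrors CVE identifiers


def cve_to_gcve(cve_id: str) -> str:
    """Represent a traditional CVE identifier in GCVE form under GNA 0."""
    m = _CVE_RE.match(cve_id.strip().upper())
    if not m:
        raise ValueError(f"not a well-formed CVE identifier: {cve_id!r}")
    year, number = m.groups()
    return f"GCVE-{CVE_GNA}-{year}-{number}"


def parse_gcve(gcve_id: str) -> dict:
    """Split a GCVE identifier into numbering authority, year and number.

    The number is kept as a string so leading zeros survive round-trips.
    """
    m = _GCVE_RE.match(gcve_id.strip().upper())
    if not m:
        raise ValueError(f"not a well-formed GCVE identifier: {gcve_id!r}")
    gna, year, number = m.groups()
    return {
        "gna": int(gna),
        "year": int(year),
        "number": number,
        "cve_compatible": int(gna) == CVE_GNA,
    }


def gcve_to_cve(gcve_id: str) -> Optional[str]:
    """Return the CVE form for GNA-0 identifiers, or None when the identifier
    was allocated by an independent authority and has no CVE counterpart."""
    parts = parse_gcve(gcve_id)
    if not parts["cve_compatible"]:
        return None
    return f"CVE-{parts['year']}-{parts['number']}"


def normalize(identifier: str) -> str:
    """Canonical GCVE form for either a CVE or a GCVE identifier, so a
    vulnerability database can key on one representation."""
    text = identifier.strip().upper()
    if text.startswith("CVE-"):
        return cve_to_gcve(text)
    parts = parse_gcve(text)  # validates; raises ValueError on garbage
    return f"GCVE-{parts['gna']}-{parts['year']}-{parts['number']}"
```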

The system’s emergence reflects broader concerns about the CVE program’s governance and sustainability. The April funding crisis occurred less than a month after MITRE celebrated the program’s 25th anniversary, creating what several experts described as panic among cybersecurity defenders who rely on CVE identifiers as the foundation for tracking, disclosing, and remediating software vulnerabilities. The near-shutdown followed a separate 2024 funding crisis at the National Institute of Standards and Technology, which stopped providing critical metadata for many vulnerabilities due to budget shortfalls. In May of last year, the Department of Commerce’s inspector general launched an audit of that program. The office did not respond to CyberScoop’s inquiry about the audit’s status. 

The GCVE system fits within the European Union’s cybersecurity infrastructure, which includes the EU Computer Security Incident Response Teams network coordinated by the European Union Agency for Cybersecurity. ENISA operates the European Union Vulnerability Database, which relies on CIRCL’s vulnerability-lookup software. 

Organizations seeking to become GCVE numbering authorities can apply by contacting CIRCL. Existing CVE numbering authorities, and other organizations that meet the eligibility criteria, need only supply basic organizational information in a format similar to the one used in the numbering authority directory file. The approach allows for expansion while maintaining coordination through the central registry.

Following last year’s funding crisis, the CVE Foundation formed as a U.S.-based nonprofit seeking to establish private-sector and multi-government funding for vulnerability tracking, with treasurer Pete Allor stating that financial backers are close to being announced and the foundation could be operational by the end of 2025. CISA published its own reform vision in September, outlining plans to expand participation, diversify funding, and improve data quality, though several experts said the agency has not reached out to organizations developing alternative systems. The Institute for Security and Technology released a separate proposal in October calling for creation of a Global Vulnerability Catalog that would build upon the existing CVE program with expanded governance and diverse funding while maintaining U.S. government involvement.

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.