GCVE-BCP-05 - GCVE Vulnerability Format (Updated CVE Record Format)
GCVE Vulnerability Format (Modified CVE Record Format)

- Version: 1.4
- Status: Draft (for Public Review)
- Date: 2025-11-24
- Authors: GCVE Working Group
- BCP ID: BCP-05
This guide is distributed and available under CC-BY-4.0.
Copyright (C) 2025 GCVE Initiative.
Introduction
The Global Common Vulnerabilities and Exposures (GCVE) project aims to provide a decentralized, flexible, and transparent approach to vulnerability identification and publication. A key component of this effort is the definition of a container format for GCVE entries that ensures interoperability across tools and platforms (for example, with the existing CNA publication process) while allowing for extensions beyond the constraints of the current CVE JSON 5.0 specification.
This Best Current Practice (BCP) describes the GCVE container format, which is derived from the CVE Record Format but modified to meet the specific requirements of the GCVE ecosystem. The objective is to maintain familiarity and compatibility with existing CVE-based tooling, while introducing a simpler and more adaptable structure that facilitates decentralized publishing, synchronization between GCVE Numbering Authorities (GNAs), and long-term maintainability.
The container format defined here is intended to serve as a reference for GNAs, tool developers, and consumers of GCVE data. It outlines the minimal required fields, optional extensions, and best practices for implementing and validating GCVE records. By providing clear guidance, this document ensures consistency across the GCVE ecosystem while preserving the flexibility needed for innovation.
GCVE Container Format Overview
The GCVE container format is based on the standard CVE JSON v5 format, ensuring maximum compatibility with existing CVE tooling and practices. To support the goals of the GCVE initiative, a small set of extensions and adaptations is introduced.
The extension is a single GCVE object expressed in JSON, which can currently be attached as an x_ extension, as an ADP (if GCVE becomes one), or even carried in other JSON-related formats. This object is a dictionary that contains all fields specifically assigned and produced by a GCVE Numbering Authority (GNA) within the GCVE framework. This area is reserved for GCVE-specific metadata that extends the base CVE record structure, and also includes fields related to the software/generator part of the GCVE ecosystem, such as vulnerability-lookup. The following keys can be present:
- vulnId: A single key to reference the GCVE-ID allocated for the vulnerability in this document.
- relationships: A new dictionary that explicitly describes the relationship between the GCVE record and other identifiers (such as CVE IDs, vendor advisories, or other vulnerability namespaces).
- x_vulnerability-lookup: A dictionary reserved for fields related to the reference implementation of GCVE, provided by the Vulnerability Lookup project. This namespace enables experimentation and rapid prototyping without impacting the core GCVE or CVE formats.
vulnId Field
The format is a single string, as defined in GCVE-BCP-04. The field MUST be present.
relationships Field
- relationships (array): An OPTIONAL list of relationship objects. Each entry defines a link between this vulnerability and another.
- Each relationship object contains:
  - destId (string, required) — The target vulnerability or record ID.
  - type (string, required) — The relationship type, as defined below.
  - srcId (string, optional) — The originating record ID, used when the source is different from the current GCVE document.
Potential Relationship Verbs for Vulnerability Identifiers
The following relationship types are based on the VXREF format (as recommended defaults), but the list is not exhaustive and can be extended if additional categories are needed:
- possibly_related — a weak or uncertain association between the records.
- related — a known relationship without asserting inclusion or equivalence.
- not equal — the records are confirmed to describe different issues.
- equal — the records refer to the same underlying vulnerability.
- superset — the current record covers a broader scope than the referenced record.
- subset — the current record covers a narrower scope than the referenced record.
- overlap — the records share a partial but non-nested intersection in scope.
Additional Namespaces Prefixed with x_
The x_ prefix can be used for non-defined namespaces, especially those created by generators or tooling that produce the GCVE record format.
Example Extension Record Attached as an x_ Extension
{
  "x_gcve": [
    {
      "vulnId": "GCVE-1-2025-0018",
      "relationships": [
        {
          "destId": "CVE-2025-65095",
          "type": "equal"
        }
      ],
      "x_vulnerability-lookup": {
        "history": [
          [
            "info@circl.lu",
            "2025-11-18T15:33:07.767301Z"
          ],
          [
            "info@circl.lu",
            "2025-11-18T15:49:02.564916Z"
          ],
          [
            "info@circl.lu",
            "2025-11-18T20:39:45.579295Z"
          ]
        ]
      }
    }
  ]
}
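
The following Python sketch is an added example, not part of this BCP or of the Vulnerability Lookup code. It shows how a consumer might check an x_gcve array against the field rules above before trusting a record received from another GNA. The function names and the second sample entry are constructed for illustration; the vulnId syntax from GCVE-BCP-04 is assumed to be validated elsewhere.

```python
import json

# Recommended default verbs listed in this BCP. The list is extensible,
# so an unknown verb is reported as a warning, not as an error.
DEFAULT_TYPES = {"possibly_related", "related", "not equal", "equal",
                 "superset", "subset", "overlap"}

def validate_gcve_entry(entry):
    """Return (errors, warnings) for one GCVE extension object."""
    errors, warnings = [], []
    if not isinstance(entry, dict):
        return ["entry is not a JSON object"], warnings
    # vulnId MUST be present and is a single string. Its syntax is defined
    # in GCVE-BCP-04 and is deliberately not checked here (assumption).
    vuln_id = entry.get("vulnId")
    if not isinstance(vuln_id, str) or not vuln_id:
        errors.append("vulnId missing or not a non-empty string")
    rels = entry.get("relationships", [])  # OPTIONAL array
    if not isinstance(rels, list):
        errors.append("relationships is not an array")
        rels = []
    for i, rel in enumerate(rels):
        if not isinstance(rel, dict):
            errors.append(f"relationships[{i}] is not an object")
            continue
        for key in ("destId", "type"):  # both required
            if not isinstance(rel.get(key), str) or not rel[key]:
                errors.append(f"relationships[{i}].{key} missing or not a string")
        if "srcId" in rel and not isinstance(rel["srcId"], str):  # optional
            errors.append(f"relationships[{i}].srcId is not a string")
        if isinstance(rel.get("type"), str) and rel["type"] not in DEFAULT_TYPES:
            warnings.append(f"relationships[{i}].type {rel['type']!r} is not a default verb")
    return errors, warnings

def validate_record(record):
    """Validate every entry of the x_gcve array in a CVE-style record."""
    return [validate_gcve_entry(e) for e in record.get("x_gcve", [])]

# Constructed sample: the first entry mirrors the record above, the second
# omits vulnId, omits a required type, and uses a non-default verb.
SAMPLE = json.loads("""{"x_gcve": [
  {"vulnId": "GCVE-1-2025-0018",
   "relationships": [{"destId": "CVE-2025-65095", "type": "equal"}]},
  {"relationships": [{"destId": "CVE-2025-65095"},
                     {"destId": "EXAMPLE-ID-0001", "type": "duplicate"}]}
]}""")

if __name__ == "__main__":
    for errs, warns in validate_record(SAMPLE):
        print("errors:", errs, "warnings:", warns)
```

Treating an unrecognised relationship type as a warning keeps the check compatible with the extensible verb list, while a missing vulnId, destId or type is rejected outright.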