GCVE-BCP-05 - GCVE Vulnerability Format (Updated CVE Record Format)

GCVE Vulnerability Format (Modified CVE Record Format)

  • Version: 1.0
  • Status: Draft (for Public Review)
  • Date: 2025-10-02
  • Authors: GCVE Working Group
  • BCP ID: BCP-05

This guide is distributed and available under CC-BY-4.0.

Copyright (C) 2025 GCVE Initiative.

Introduction

The Global Common Vulnerabilities and Exposures (GCVE) project aims to provide a decentralized, flexible, and transparent approach to vulnerability identification and publication. A key component of this effort is the definition of a container format for GCVE entries that ensures interoperability across tools and platforms (including with the existing CNA publication process), while allowing for extensions beyond the constraints of the current CVE JSON 5.0 specification.

This Best Current Practice (BCP) describes the GCVE container format, which is derived from the CVE Record Format but modified to meet the specific requirements of the GCVE ecosystem. The objective is to maintain familiarity and compatibility with existing CVE-based tooling, while introducing a simpler and more adaptable structure that facilitates decentralized publishing, synchronization between GCVE Numbering Authorities (GNAs), and long-term maintainability.

The container format defined here is intended to serve as a reference for GNAs, tool developers, and consumers of GCVE data. It outlines the minimal required fields, optional extensions, and best practices for implementing and validating GCVE records. By providing clear guidance, this document ensures consistency across the GCVE ecosystem while preserving the flexibility needed for innovation.

GCVE Container Format Overview

The GCVE container format is based on the standard CVE JSON v5 format, ensuring maximum compatibility with existing CVE tooling and practices. To support the goals of the GCVE initiative, a small set of extensions and adaptations is introduced:

  • x_gcve: A dictionary that contains all fields specifically assigned and produced by a GCVE Numbering Authority (GNA) within the GCVE framework. This area is reserved for GCVE-specific metadata that extends the base CVE record structure.

  • x_vulnerability-lookup: A dictionary reserved for fields related to the reference implementation of GCVE, provided by the Vulnerability Lookup project. This namespace enables experimentation and rapid prototyping without impacting the core GCVE or CVE formats.

  • relationships: A new dictionary that explicitly describes the relationship between the GCVE record and other identifiers (such as CVE IDs, vendor advisories, or other vulnerability namespaces).

The format of the relationships dictionary is as follows:

"relationships": [
  {
    "source": "GCVE-65535-2025-000123",         // the source identifier (e.g., this GCVE entry)
    "relationship-type": "is-equivalent-to",    // the verb describing the relationship
    "target": "CVE-2025-12345"                  // the related identifier
  }
]

Potential Relationship Verbs for Vulnerability Identifiers

The relationship-type field should use controlled vocabulary verbs to describe the semantic link between identifiers. The currently proposed list:

  • is-equivalent-to — The identifier corresponds directly to another identifier.
  • supersedes — The identifier replaces or updates a previous one.
  • is-superseded-by — The identifier has been replaced or updated by another.
  • duplicates — The identifier is a duplicate of another.
  • is-duplicated-by — Another identifier is a duplicate of this one.
  • refers-to — The identifier references related material without strict equivalence.
  • is-related-to — A weak or general relationship where the exact nature is undefined but relevance is established.
  • is-parent-of — The identifier describes a broader vulnerability or set that includes the target.
  • is-child-of — The identifier is a subset or more specific case of the target.
  • has-same-root-cause-as — The identifier shares the same root cause with another.
  • is-variant-of — The identifier represents a variant or closely related issue of another.
  • has-variant — The identifier has one or more related variants described elsewhere.
  • is-successor-to — The identifier is the successor in a chain of identifiers.
  • is-predecessor-of — The identifier is the predecessor in a chain of identifiers.
  • is-alias-of — The identifier is known under another name/namespace.
  • has-alias — The identifier has one or more alternate names/namespaces.
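The following is an added example, not part of this BCP and not code from the Vulnerability Lookup reference implementation. It validates the relationships extension of a GCVE record against the list shape shown above and the proposed verb list, and derives the inverse relationship that the target record should carry (for example, a record that supersedes another implies the other is-superseded-by it). The identifier patterns are assumptions inferred from the example identifiers in this document, and the sample record is constructed; the contents of the x_gcve and x_vulnerability-lookup dictionaries are placeholders, since this document does not define their fields.

```python
"""Validate the 'relationships' extension of a GCVE record.

Added example; not part of the BCP or the GCVE reference implementation.
It assumes only what the BCP text shows: the relationships list shape
(source / relationship-type / target) and the proposed verb list.
"""
import json
import re

# Controlled vocabulary from the BCP, mapped to the inverse verb where the
# text defines one (None where no inverse is listed, e.g. refers-to).
RELATIONSHIP_VERBS = {
    "is-equivalent-to": "is-equivalent-to",
    "supersedes": "is-superseded-by",
    "is-superseded-by": "supersedes",
    "duplicates": "is-duplicated-by",
    "is-duplicated-by": "duplicates",
    "refers-to": None,
    "is-related-to": "is-related-to",
    "is-parent-of": "is-child-of",
    "is-child-of": "is-parent-of",
    "has-same-root-cause-as": "has-same-root-cause-as",
    "is-variant-of": "has-variant",
    "has-variant": "is-variant-of",
    "is-successor-to": "is-predecessor-of",
    "is-predecessor-of": "is-successor-to",
    "is-alias-of": "has-alias",
    "has-alias": "is-alias-of",
}

# Identifier patterns. The GCVE pattern is an assumption inferred from the
# BCP's example "GCVE-65535-2025-000123" (GNA id, year, sequence number).
ID_PATTERNS = {
    "GCVE": re.compile(r"^GCVE-\d+-\d{4}-\d{4,}$"),
    "CVE": re.compile(r"^CVE-\d{4}-\d{4,}$"),
}


def identifier_namespace(value):
    """Return the namespace ('GCVE', 'CVE') an identifier belongs to, or None."""
    for namespace, pattern in ID_PATTERNS.items():
        if pattern.match(value):
            return namespace
    return None


def validate_relationships(record):
    """Return a list of problem strings; an empty list means the block is valid."""
    problems = []
    rels = record.get("relationships")
    if rels is None:
        return problems  # the extension is optional
    if not isinstance(rels, list):
        return ["relationships must be a list"]
    seen = set()
    for i, rel in enumerate(rels):
        missing = {"source", "relationship-type", "target"} - set(rel)
        if missing:
            problems.append(f"relationships[{i}]: missing {sorted(missing)}")
            continue
        verb = rel["relationship-type"]
        if verb not in RELATIONSHIP_VERBS:
            problems.append(f"relationships[{i}]: unknown verb {verb!r}")
        for key in ("source", "target"):
            if identifier_namespace(rel[key]) is None:
                problems.append(f"relationships[{i}]: unrecognised {key} {rel[key]!r}")
        if rel["source"] == rel["target"]:
            problems.append(f"relationships[{i}]: source and target are the same identifier")
        triple = (rel["source"], verb, rel["target"])
        if triple in seen:
            problems.append(f"relationships[{i}]: duplicate entry {triple}")
        seen.add(triple)
    return problems


def inverse_relationship(rel):
    """Derive the relationship the target record should carry, or None if the verb has no inverse."""
    inverse = RELATIONSHIP_VERBS.get(rel["relationship-type"])
    if inverse is None:
        return None
    return {"source": rel["target"], "relationship-type": inverse, "target": rel["source"]}


# Constructed sample record (not a real GCVE entry). The x_ dictionaries hold
# placeholders only; the BCP text does not define their fields. The third
# relationship deliberately uses a verb outside the controlled vocabulary.
SAMPLE_RECORD = json.loads("""
{
  "x_gcve": {"note": "placeholder for GNA-assigned fields"},
  "x_vulnerability-lookup": {"note": "placeholder for reference-implementation fields"},
  "relationships": [
    {"source": "GCVE-65535-2025-000123", "relationship-type": "is-equivalent-to", "target": "CVE-2025-12345"},
    {"source": "GCVE-65535-2025-000123", "relationship-type": "supersedes", "target": "GCVE-65535-2024-000042"},
    {"source": "GCVE-65535-2025-000123", "relationship-type": "fixes", "target": "CVE-2025-12345"}
  ]
}
""")

if __name__ == "__main__":
    for problem in validate_relationships(SAMPLE_RECORD):
        print("problem:", problem)
    print(inverse_relationship(SAMPLE_RECORD["relationships"][1]))
```

A GNA synchronising records with another GNA can run inverse_relationship over each incoming entry and compare the result against the target record's own relationships list; a missing or contradictory inverse is a sign that one of the two records is stale.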