GCVE-BCP-06 - Requirements and Evaluation Criteria for GCVE Numbering Authorities (GNAs)

  • Version: 1.0
  • Status: Draft (for Public Review)
  • Date: 2026-02-15
  • Authors: GCVE Working Group
  • BCP ID: BCP-06

This guide is distributed and available under [CC-BY-4.0](https://creativecommons.org/licenses/by/4.0/legalcode).

Copyright (C) 2026 GCVE Initiative.

Introduction and Status Considerations

GCVE BCP-06 aims to define measurable operational expectations for GCVE Numbering Authorities (GNAs). Unlike identifier syntax or synchronization protocol specifications, this document addresses governance models, disclosure philosophies, operational transparency, and data quality characteristics. These dimensions are inherently diverse across the GCVE ecosystem.

GNAs may differ significantly in:

  • Disclosure philosophy (coordinated disclosure, partial coordination, immediate full disclosure)
  • Review models (automated allocation vs. human-reviewed publication)
  • Organizational structure (vendor-operated, research-driven, community-based, independent)
  • Resource availability and operational maturity
  • Legal and jurisdictional constraints

Because of this diversity, achieving broad consensus on normative requirements is expected to be challenging. BCP-06 attempts to balance:

  • Decentralization and autonomy
  • Transparency and accountability
  • Flexibility and measurable conformance

The objective of this document is not to impose uniform operational behavior, but to define a common framework for describing and evaluating operational characteristics in a machine-readable and publicly verifiable way.

Draft Maturity Expectation

It is anticipated that BCP-06 may remain in Draft or evolving status for an extended period. Operational realities across GNAs will likely change over time, and early adopters may surface edge cases not yet captured in this version.

This document therefore embraces an iterative maturity model:

  • Early versions focus primarily on transparency fields.
  • Later revisions may refine metrics based on ecosystem feedback.
  • Some evaluation criteria may be adjusted as empirical data becomes available.
  • Fields may evolve to better reflect real-world operational diversity.

Stability of identifier semantics remains non-negotiable. However, governance and process evaluation criteria are expected to mature over time as the ecosystem stabilizes.

Living Consensus Model

BCP-06 should be understood as:

  • A consensus-seeking document rather than a top-down mandate.
  • A transparency framework rather than a centralized ranking authority.
  • A foundation for ecosystem-driven refinement.

Long-term stability of GCVE depends not on uniformity of GNAs, but on clarity of their operational posture. BCP-06 formalizes that clarity.

Accordingly, implementers and GNAs are encouraged to:

  • Provide feedback on feasibility of metrics.
  • Report operational edge cases.
  • Suggest additional machine-measurable indicators.
  • Participate in periodic revision cycles.

The strength of GCVE lies in decentralized accountability. BCP-06 is designed to support that principle even if “full” consensus requires time.

Introduction

This document defines the requirements and evaluation criteria for GCVE Numbering Authorities (GNAs) operating within the GCVE ecosystem.

It establishes a standardized framework to assess the extent to which GNAs adhere to the GCVE Best Current Practice (BCP) series, covering:

  • Governance
  • Allocation quality
  • Disclosure processes
  • Data interoperability
  • Synchronization with the GCVE reference implementation

To promote transparency and consistency, this BCP introduces a standard set of conformance fields to be embedded in the GCVE directory JSON format. These fields enable:

  • Automated reporting
  • Public visibility of compliance posture
  • Third-party ranking and scoring
  • Longitudinal evaluation

The objective of this document is to ensure accountability while preserving the decentralized nature of GCVE, support continuous improvement, and strengthen trust in the accuracy and integrity of vulnerability identification across the GCVE network.

Design Principles

BCP-06 follows these principles:

  1. Decentralization First - No central approval authority.
  2. Transparency Over Uniformity - Different operational models are allowed.
  3. Machine-Measurable - Boolean or numeric whenever possible.
  4. Public Accountability - Conformance data must be public.
  5. Continuous Improvement - Metrics allow objective tracking over time.

Recognition of Operational Models

GCVE acknowledges that GNAs may operate under different disclosure philosophies and operational constraints.

This BCP does not privilege one model over another but ensures their characteristics are transparently expressed.

Indicative operational profiles include:

| Profile Type | Description |
|---|---|
| Automated Allocator | Issues identifiers automatically with minimal validation |
| Community Reviewer | Community-driven validation before publication |
| Vendor Authority | Vendor-operated authoritative disclosure |
| Research Publisher | Independent research group publishing advisories |
| Immediate Full Disclosure | Publishes full technical details immediately, without coordinated disclosure delay |
| Private Publication Only | Allocates identifiers and shares vulnerability data exclusively within a restricted user group; such GNAs are referred to as private GNAs |

Immediate Full Disclosure GNAs may:

  • Publish exploit details at allocation time
  • Not provide embargo handling
  • Not engage in coordinated vulnerability disclosure (CVD)

BCP-06 evaluates transparency and stability, not the disclosure philosophy of a GNA.

Requirement

A GCVE Numbering Authority (GNA) MUST declare and operate under exactly one operational model and one publication visibility model at any given time.

A single GNA identifier MUST NOT represent multiple operational models simultaneously.

Governance Requirements

Public Disclosure Policy

Requirement:

A GNA MUST maintain a publicly accessible disclosure policy describing its operational model.

Evaluation Fields:

  • has_public_disclosure_policy (boolean)
  • disclosure_policy_url (string)
  • disclosure_policy_last_updated (date)

The disclosure policy MUST clearly state whether the GNA:

  • Uses Coordinated Vulnerability Disclosure (CVD)
  • Supports embargoes
  • Operates under immediate full disclosure

Contact Point for Coordination

Requirement:

A GNA MUST provide a stable contact point for coordination.

Evaluation Fields:

  • has_security_contact (boolean)
  • security_contact_type (enum: email, webform, pgp, other)
  • security_contact_pgp_available (boolean)

Organizational Transparency

Recommended:

  • Public operator identification
  • Defined scope of allocation
  • Conflict-of-interest statement (if applicable)

Evaluation Fields:

  • operator_publicly_identified (boolean)
  • scope_defined (boolean)
  • conflict_of_interest_statement (boolean)

Disclosure Process Transparency

BCP-06 does not mandate CVD, but requires disclosure transparency.

Disclosure Model

Evaluation Fields:

  • disclosure_model (enum: cvd, partial_cvd, immediate_full_disclosure, automated_publication, private_publication)
  • supports_embargo_process (boolean)
  • embargo_policy_public (boolean)
  • average_embargo_duration_days (integer or null)

As an example, for Immediate Full Disclosure GNAs:

  • disclosure_model = immediate_full_disclosure
  • supports_embargo_process = false
  • average_embargo_duration_days = 0

Review and Allocation Process

Evaluation Fields:

  • human_review_required (boolean)
  • automated_allocation (boolean)
  • review_sla_days (integer or null)

Minimum Transparency Requirements for Private GNAs

Even if vulnerability content is not public, the following MUST be published:

  • GNA identity
  • Scope of allocation
  • Disclosure model
  • Publication visibility model
  • Synchronization endpoint availability
  • Identifier status (published, reserved, rejected)

Private GNAs MUST NOT obscure the existence of allocated identifiers.

The GCVE ecosystem depends on global identifier uniqueness, even when vulnerability details are restricted.

Allocation Quality Criteria

These metrics evaluate identifier hygiene and reference stability.

Identifier Stability

Requirements:

  • Identifiers MUST NOT be reused. Identifier reuse occurs when a previously assigned GCVE ID is used again for a different vulnerability record after deletion, withdrawal, or revocation.
  • Identifiers MUST NOT be reassigned. Identifier reassignment occurs when an existing GCVE ID is modified to refer to a completely different vulnerability than originally described.

Evaluation Fields:

  • identifier_reuse_detected (boolean)
  • identifier_reassignment_detected (boolean)
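
The two definitions above can be checked mechanically by diffing successive snapshots of a GNA's feed. The following is an added example, not code from BCP-06 or the GCVE reference implementation: it flags reuse (a rejected, withdrawn or deleted ID that comes back published for a different vulnerability) and reassignment (a published ID whose content now describes a different vulnerability). "Completely different" is operationalised as a change of affected product or a description similarity below a threshold, so ordinary edits to a record are not flagged; the threshold value, the record layout (`status`, `product`, `description`) and the sample identifiers are assumptions.

```python
"""Detect identifier reuse and reassignment between two snapshots of a GNA's records.

Added example, not code from BCP-06 or the GCVE reference implementation. It
applies the two BCP-06 definitions: reuse is a retired (rejected, withdrawn or
deleted) ID that comes back published for a different vulnerability;
reassignment is a published ID whose content now describes a completely
different vulnerability. "Completely different" is operationalised here as a
change of affected product or a description similarity below a threshold; the
threshold, the record layout and the sample identifiers are assumptions.
"""
from difflib import SequenceMatcher

RETIRED = {"rejected", "withdrawn", "deleted"}
SIMILARITY_FLOOR = 0.5  # assumption: below this, the description is a different vulnerability


def same_vulnerability(old, new):
    """Ordinary edits (typo fixes, added detail) keep the product and most of the text."""
    similarity = SequenceMatcher(None, old["description"], new["description"]).ratio()
    return old["product"] == new["product"] and similarity >= SIMILARITY_FLOOR


def detect_identifier_issues(previous, current):
    """previous/current map GCVE ID -> {"status", "product", "description"}.

    Returns sorted ID lists under "reuse", "reassignment" and "missing". An ID
    that vanishes from the feed is reported too: BCP-06 requires identifier
    status (published, reserved, rejected) to stay visible, and a silently
    removed ID hides a later reuse from downstream consumers.
    """
    reuse, reassignment = [], []
    for gid, new in current.items():
        old = previous.get(gid)
        if old is None:
            continue  # fresh allocation, nothing to compare with
        if old["status"] in RETIRED and new["status"] == "published":
            if not same_vulnerability(old, new):
                reuse.append(gid)  # retired ID republished for something else
        elif old["status"] == "published" and new["status"] == "published":
            if not same_vulnerability(old, new):
                reassignment.append(gid)  # same ID, different vulnerability
    missing = sorted(set(previous) - set(current))
    return {"reuse": sorted(reuse), "reassignment": sorted(reassignment), "missing": missing}


# Constructed snapshots of one GNA's feed (identifiers and content are invented).
PREVIOUS = {
    "GCVE-65535-2026-0001": {"status": "published", "product": "libfoo",
                             "description": "Heap buffer overflow in libfoo PNG decoder"},
    "GCVE-65535-2026-0002": {"status": "rejected", "product": "libfoo",
                             "description": "Duplicate of GCVE-65535-2026-0001"},
    "GCVE-65535-2026-0003": {"status": "reserved", "product": "", "description": ""},
    "GCVE-65535-2026-0004": {"status": "withdrawn", "product": "barserver",
                             "description": "Not a vulnerability: documented behaviour"},
    "GCVE-65535-2026-0005": {"status": "published", "product": "libfoo",
                             "description": "Integer overflow in libfoo TIFF strip parser"},
}
CURRENT = {
    # Legitimate edit: same product, description expanded, still the same bug.
    "GCVE-65535-2026-0001": {"status": "published", "product": "libfoo",
                             "description": "Heap-based buffer overflow in libfoo PNG decoder"
                                            " when parsing malformed chunks"},
    # Reuse: a rejected ID republished for an unrelated vulnerability.
    "GCVE-65535-2026-0002": {"status": "published", "product": "qux-cli",
                             "description": "Command injection in qux-cli export"},
    # Normal lifecycle: reserved -> published is not an issue.
    "GCVE-65535-2026-0003": {"status": "published", "product": "bazd",
                             "description": "Authentication bypass in bazd token validation"},
    # GCVE-65535-2026-0004 has vanished from the feed entirely.
    # Reassignment: still published, but now describes a different vulnerability.
    "GCVE-65535-2026-0005": {"status": "published", "product": "barserver",
                             "description": "Unauthenticated RCE in barserver admin API"},
}

if __name__ == "__main__":
    print(detect_identifier_issues(PREVIOUS, CURRENT))
```

Run over the two constructed snapshots, the check reports `GCVE-65535-2026-0002` as reuse, `GCVE-65535-2026-0005` as reassignment and `GCVE-65535-2026-0004` as missing, while the expanded description of `GCVE-65535-2026-0001` passes as an ordinary edit. A GNA publishing `identifier_reuse_detected` and `identifier_reassignment_detected` would run this kind of comparison against every snapshot it has synchronised.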

Reference Stability

GNAs SHOULD maintain stable references (permalinks, commit hashes, content-addressable URLs).

Evaluation Fields:

  • uses_permalinks (boolean)
  • reference_http_200_ratio (float 0.0–1.0)
  • reference_http_404_ratio (float 0.0–1.0)

These ratios enable automated link integrity scoring.
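
The following added example (not code from BCP-06 or the GCVE reference implementation) shows how the three fields of this section can be derived from probe results. It classifies each reference as pinned (commit hash in a forge URL, content-addressed path, or a host built for permanence) or mutable (branch-tracking URL, plain page), and computes the two ratios. The probe results are constructed, not fetched; the permalink patterns, the permalink host list and the "at least half pinned" rule for `uses_permalinks` are assumptions.

```python
"""Reference stability metrics for a set of advisory references.

Added example, not code from BCP-06 or the GCVE reference implementation. It
produces the three BCP-06 fields uses_permalinks, reference_http_200_ratio and
reference_http_404_ratio from probe results. The probe results below are
constructed rather than fetched; the permalink patterns, the permalink hosts
and the majority rule for uses_permalinks are assumptions.
"""
import re
from urllib.parse import urlparse

# Assumed markers of a pinned reference: a 40-hex commit hash in a forge path or a
# content-addressed path. A branch name in the same position marks a mutable reference.
_PINNED_COMMIT = re.compile(r"/(?:commit|blob|tree|raw)/[0-9a-f]{40}(?=/|$)")
_CONTENT_ADDRESSED = re.compile(r"/(?:sha256|sha1|blake2b)/[0-9a-f]{32,}")
_BRANCH_REF = re.compile(r"/(?:blob|tree|raw)/(?:main|master|develop|HEAD)(?=/|$)")
_PERMALINK_HOSTS = {"doi.org", "web.archive.org"}  # assumption: services built for permanence


def is_permalink(url):
    """True when the URL pins a revision or content; False for branch-tracking or plain URLs."""
    parsed = urlparse(url)
    if parsed.netloc in _PERMALINK_HOSTS:
        return True
    if _BRANCH_REF.search(parsed.path):
        return False
    return bool(_PINNED_COMMIT.search(parsed.path) or _CONTENT_ADDRESSED.search(parsed.path))


def reference_metrics(probes):
    """probes: list of (url, final HTTP status after following redirects).

    Timeouts, redirect loops and 5xx responses stay in the denominator, so the
    two ratios need not sum to 1.0 (the BCP's example has 0.98 and 0.01). An
    empty reference set yields null ratios instead of a division by zero.
    """
    total = len(probes)
    if total == 0:
        return {"uses_permalinks": False,
                "reference_http_200_ratio": None, "reference_http_404_ratio": None}
    ok = sum(1 for _, status in probes if status == 200)
    gone = sum(1 for _, status in probes if status == 404)
    pinned = sum(1 for url, _ in probes if is_permalink(url))
    return {"uses_permalinks": pinned * 2 >= total,  # assumption: at least half are pinned
            "reference_http_200_ratio": round(ok / total, 3),
            "reference_http_404_ratio": round(gone / total, 3)}


# Constructed probe results (URLs and statuses invented for this example).
SAMPLE_PROBES = [
    ("https://git.example/foo/commit/0123456789abcdef0123456789abcdef01234567", 200),
    ("https://git.example/foo/blob/main/SECURITY.md", 200),
    ("https://research.example/advisories/2026-001", 200),
    ("https://doi.org/10.1000/example.2026.1", 200),
    ("https://web.archive.org/web/20260101000000/https://vendor.example/advisory", 200),
    ("https://cdn.example/sha256/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", 200),
    ("https://vendor.example/old-advisory", 404),
    ("https://vendor.example/status", 503),
]

if __name__ == "__main__":
    print(reference_metrics(SAMPLE_PROBES))
```

On the constructed set the result is `uses_permalinks: true`, a 200 ratio of 0.75 and a 404 ratio of 0.125; the 503 response accounts for the remainder. Publishing both ratios rather than a single "broken link" figure lets a consumer distinguish content that has disappeared from infrastructure that was merely down at probe time.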

(TO REVIEW) Data Completeness Metrics

Evaluation Fields:

  • average_description_length (integer)
  • has_cwe_classification (boolean)
  • has_cvss_score (boolean)
  • has_epss_score (boolean)
  • has_vendor_acknowledgement (boolean)
  • average_fields_per_record (integer)

BCP-06 does not require all enrichment fields, but it does require transparency about which ones a GNA provides.

Interoperability Requirements

GNAs MUST publish data in a machine-readable format.

Structured Output

Evaluation Fields:

  • provides_machine_readable_feed (boolean)
  • feed_format (array: json, ndjson, rss, other)
  • schema_version_declared (boolean)

(TO REVIEW) Taxonomy and Standards Usage

Evaluation Fields:

  • uses_cwe (boolean)
  • uses_cvss (boolean)
  • uses_openvex (boolean)
  • uses_ossf_schema (boolean)

GCVE Synchronization Requirements

Participating GNAs MUST support synchronization with the GCVE reference implementation.

Sync Endpoint

Evaluation Fields:

  • provides_sync_endpoint (boolean)
  • sync_endpoint_url (string)
  • sync_protocol_version (string)
  • last_successful_sync (timestamp)

Sync Reliability Metrics

Evaluation Fields:

  • sync_uptime_ratio_30d (float 0.0–1.0)
  • average_sync_latency_seconds (integer)

Conformance JSON Publication

Each GNA MUST provide or authorize publication of a machine-readable conformance JSON document.

The JSON MUST:

  • Be publicly accessible
  • Be licensed under an open data/open source license
  • Be versioned
  • Be updated at least every 90 days
  • Reflect factual operational characteristics

Example GNA Conformance JSON

```json
{
  "gcve_bcp_version": "BCP-06-1.0",
  "gna_id": "65535",
  "last_updated": "2026-02-12",

  "governance": {
    "has_public_disclosure_policy": true,
    "disclosure_policy_url": "https://research.example/disclosure-policy",
    "disclosure_policy_last_updated": "2026-01-01",
    "has_security_contact": true,
    "security_contact_type": "email",
    "security_contact_pgp_available": true,
    "operator_publicly_identified": true,
    "scope_defined": true,
    "conflict_of_interest_statement": false
  },

  "disclosure_process": {
    "disclosure_model": "immediate_full_disclosure",
    "supports_embargo_process": false,
    "embargo_policy_public": false,
    "average_embargo_duration_days": 0,
    "human_review_required": true,
    "automated_allocation": false,
    "review_sla_days": 2
  },

  "allocation_quality": {
    "identifier_reuse_detected": false,
    "identifier_reassignment_detected": false,
    "uses_permalinks": true,
    "reference_http_200_ratio": 0.98,
    "reference_http_404_ratio": 0.01,
    "average_description_length": 850,
    "has_cwe_classification": true,
    "has_cvss_score": true,
    "has_epss_score": false,
    "has_vendor_acknowledgement": false,
    "average_fields_per_record": 14
  },

  "interoperability": {
    "provides_machine_readable_feed": true,
    "feed_format": ["json"],
    "schema_version_declared": true,
    "uses_cwe": true,
    "uses_cvss": true,
    "uses_openvex": false,
    "uses_ossf_schema": false
  },

  "synchronization": {
    "provides_sync_endpoint": true,
    "sync_endpoint_url": "https://research.example/gcve-sync",
    "sync_protocol_version": "1.0",
    "last_successful_sync": "2026-02-11T14:10:00Z",
    "sync_uptime_ratio_30d": 0.997,
    "average_sync_latency_seconds": 2
  },

  "evaluation_metadata": {
    "evaluation_version": "1.0",
    "last_evaluated": "2026-02-12",
    "overall_score": 82
  }
}
```
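
Because the conformance document is meant for automated consumption, a consumer should check it for internal consistency before scoring it. The following added example (not code from BCP-06 or the GCVE reference implementation) applies the MUST rules of this BCP to a document of the shape shown above: the 90-day freshness rule, the mandatory public policy, contact point, feed and sync endpoint, the agreement between `disclosure_model` and the embargo fields, the minimum transparency rules for private GNAs, the MUST NOT on identifier reuse and reassignment, and the range of the ratio fields. Both sample documents are constructed; requiring `https://` for the policy and sync URLs is an assumption, not a BCP-06 rule.

```python
"""Consistency checks for a GCVE BCP-06 conformance JSON document.

Added example, not code from BCP-06 or the GCVE reference implementation.
Field names and MUST rules follow the BCP-06 text; the section grouping mirrors
the example conformance document in the BCP. Requiring https URLs is an
assumption. Both sample documents below are constructed for this example.
"""
from datetime import date, timedelta

DISCLOSURE_MODELS = {"cvd", "partial_cvd", "immediate_full_disclosure",
                     "automated_publication", "private_publication"}
CONTACT_TYPES = {"email", "webform", "pgp", "other"}
FEED_FORMATS = {"json", "ndjson", "rss", "other"}
MAX_AGE_DAYS = 90  # the conformance JSON MUST be updated at least every 90 days


def _ratio_ok(value):
    return isinstance(value, (int, float)) and 0.0 <= value <= 1.0


def check_conformance(doc, today):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    gov, disc = doc.get("governance", {}), doc.get("disclosure_process", {})
    alloc, inter = doc.get("allocation_quality", {}), doc.get("interoperability", {})
    sync = doc.get("synchronization", {})
    # Freshness: the document MUST be updated at least every 90 days.
    try:
        if today - date.fromisoformat(doc["last_updated"]) > timedelta(days=MAX_AGE_DAYS):
            findings.append("document: stale, last_updated older than %d days" % MAX_AGE_DAYS)
    except (KeyError, TypeError, ValueError):
        findings.append("document: last_updated missing or not an ISO date")
    # Governance: a public disclosure policy and a stable contact point are mandatory.
    if not gov.get("has_public_disclosure_policy"):
        findings.append("governance: public disclosure policy is mandatory")
    elif not str(gov.get("disclosure_policy_url", "")).startswith("https://"):
        findings.append("governance: disclosure_policy_url must be an https URL")
    if not gov.get("has_security_contact"):
        findings.append("governance: security contact is mandatory")
    if gov.get("security_contact_type") not in CONTACT_TYPES:
        findings.append("governance: security_contact_type outside enum")
    # Disclosure: one declared model, and the embargo fields must agree with it.
    model = disc.get("disclosure_model")
    if model not in DISCLOSURE_MODELS:
        findings.append("disclosure: disclosure_model outside enum")
    if model == "immediate_full_disclosure":
        if disc.get("supports_embargo_process") is not False:
            findings.append("disclosure: immediate_full_disclosure with embargo support")
        if disc.get("average_embargo_duration_days") not in (0, None):
            findings.append("disclosure: immediate_full_disclosure with non-zero embargo")
    if model == "private_publication":
        # Minimum transparency for private GNAs: identity, scope, sync availability.
        if not gov.get("operator_publicly_identified"):
            findings.append("private GNA: operator identity must be public")
        if not gov.get("scope_defined"):
            findings.append("private GNA: scope of allocation must be public")
        if not isinstance(sync.get("provides_sync_endpoint"), bool):
            findings.append("private GNA: sync endpoint availability must be declared")
    # Allocation quality: reuse and reassignment are MUST NOTs; ratios must be sane.
    if alloc.get("identifier_reuse_detected") is not False:
        findings.append("allocation: identifier reuse detected or undeclared")
    if alloc.get("identifier_reassignment_detected") is not False:
        findings.append("allocation: identifier reassignment detected or undeclared")
    r200, r404 = alloc.get("reference_http_200_ratio"), alloc.get("reference_http_404_ratio")
    if not (_ratio_ok(r200) and _ratio_ok(r404)) or r200 + r404 > 1.0 + 1e-9:
        findings.append("allocation: reference ratios out of range or summing above 1.0")
    # Interoperability and synchronization are both MUSTs.
    if not inter.get("provides_machine_readable_feed"):
        findings.append("interoperability: machine-readable feed is mandatory")
    if not set(inter.get("feed_format") or []) <= FEED_FORMATS:
        findings.append("interoperability: feed_format outside enum")
    if not sync.get("provides_sync_endpoint"):
        findings.append("synchronization: sync endpoint is mandatory")
    elif not str(sync.get("sync_endpoint_url", "")).startswith("https://"):
        findings.append("synchronization: sync_endpoint_url must be an https URL")
    if not _ratio_ok(sync.get("sync_uptime_ratio_30d")):
        findings.append("synchronization: sync_uptime_ratio_30d out of range")
    return findings


# Constructed sample mirroring the BCP's example (immediate full disclosure, conformant).
SAMPLE_OK = {
    "gcve_bcp_version": "BCP-06-1.0", "gna_id": "65535", "last_updated": "2026-02-12",
    "governance": {"has_public_disclosure_policy": True, "has_security_contact": True,
                   "disclosure_policy_url": "https://research.example/disclosure-policy",
                   "security_contact_type": "email", "operator_publicly_identified": True,
                   "scope_defined": True},
    "disclosure_process": {"disclosure_model": "immediate_full_disclosure",
                           "supports_embargo_process": False, "average_embargo_duration_days": 0},
    "allocation_quality": {"identifier_reuse_detected": False, "identifier_reassignment_detected": False,
                           "reference_http_200_ratio": 0.98, "reference_http_404_ratio": 0.01},
    "interoperability": {"provides_machine_readable_feed": True, "feed_format": ["json"]},
    "synchronization": {"provides_sync_endpoint": True, "sync_uptime_ratio_30d": 0.997,
                        "sync_endpoint_url": "https://research.example/gcve-sync"},
}
# Constructed sample: a private GNA whose document is stale and contradicts BCP-06 in several places.
SAMPLE_BAD = {
    "gcve_bcp_version": "BCP-06-1.0", "gna_id": "65534", "last_updated": "2025-10-01",
    "governance": {"has_public_disclosure_policy": True, "has_security_contact": True,
                   "disclosure_policy_url": "http://gna.example/policy", "security_contact_type": "email",
                   "operator_publicly_identified": False, "scope_defined": True},
    "disclosure_process": {"disclosure_model": "private_publication", "supports_embargo_process": True},
    "allocation_quality": {"identifier_reuse_detected": True, "identifier_reassignment_detected": False,
                           "reference_http_200_ratio": 0.7, "reference_http_404_ratio": 0.4},
    "interoperability": {"provides_machine_readable_feed": True, "feed_format": ["json", "csv"]},
    "synchronization": {"provides_sync_endpoint": True, "sync_uptime_ratio_30d": 0.99,
                        "sync_endpoint_url": "https://gna.example/sync"},
}

if __name__ == "__main__":
    for name, doc in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_conformance(doc, date(2026, 2, 15)) or "no findings")
```

Evaluated on 2026-02-15, the conformant sample produces no findings, while the private-GNA sample produces six: a stale document, a non-https policy URL, an unidentified operator, declared identifier reuse, ratios summing above 1.0, and a feed format outside the enum. Passing the evaluation date explicitly keeps the check reproducible, which matters when the results feed the longitudinal evaluation this BCP anticipates.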

Conformance Philosophy

BCP-06 does not judge disclosure ideology.

It evaluates:

  • Stability
  • Transparency
  • Interoperability
  • Operational reliability

A GNA practicing immediate full disclosure can be fully conformant if:

  • Its policy is explicit,
  • Its identifiers are stable,
  • Its data is machine-consumable,
  • Its synchronization is reliable.

Transparency is mandatory. Uniformity is not.

Acknowledgements

BCP-06 Coordinators

  • Cédric Bonhomme, CIRCL
  • Alexandre Dulaunoy, CIRCL

Contributions

The GCVE initiative gratefully acknowledges the substantial contributions from the following individuals via public review:

  • Andras Iklody, MISP Project