The Global CVE (GCVE) allocation system is a new, decentralized approach to vulnerability identification and numbering, designed to improve flexibility, scalability, and autonomy for participating entities.
While remaining compatible with the traditional CVE system, GCVE introduces GCVE Numbering Authorities (GNAs). GNAs are independent entities that can allocate identifiers without relying on a centralised block distribution system or rigid policy enforcement.
You must log in or register to comment.
How will there be any assurance of standardization in vulnerability analysis with a decentralized system? Will orgs just have to keep lists of which GNAs they consider reliable and which they don’t? I’m skeptical, and their FAQ doesn’t seem to provide any answers.
Isn’t that already the case these days, or am I misunderstanding your comment? I mean, the NVD has been struggling with analysis for many months, and they typically provide their own CVSS 3.1 Base Score in addition to a CVSS Base Score from the CNA that issued the CVE Identifier. This means you can end up with one or two different CVSS Base Scores for the same CVE Identifier. As we know, both CVSS 3.1 and 4.0 have many limitations, including the fact that two security analysts can arrive at different assessments and thus different CVSS Base Scores. What I’m saying is that even now, you have to rely on the accuracy of the vulnerability assessment without question. There have been numerous instances where CVE Identifiers end up being marked as “DISPUTED.”
