This is not a competitor to MITRE’s CVE program, but a complement.
That has been the position of Luxembourg’s CERT from the outset, dating back to the announcement of the GCVE project (Global CVE Allocation System) in April 2025. The promise at the time was a decentralized architecture: numbering authorities would be able to assign identifiers and oversee vulnerability disclosure without passing through a central body.
Nine months later, the initiative, co-financed by the European Union, has in fact taken shape, albeit to a limited extent. A vulnerability database has been attached to it, for instance. Several best practices have also been published to help ensure the system functions properly. And around twenty entities, of diverse kinds, have been designated as numbering authorities.
| Authority | Identifier |
| --- | --- |
| CIRCL (Luxembourg CERT) | 1 |
| EUVD | 2 |
| Red Hat | 3 |
| Swisscom | 79 |
| VulDB | 100 |
| Ericsson | 101 |
| EAGC | 102 |
| Schutzwerk | 103 |
| AboutCode Europe | 104 |
| OPC Foundation | 105 |
| SK-CERT | 106 |
| Thales PSIRT | 107 |
| Securin | 108 |
| Concinnity Risks | 109 |
| Vulnetix | 110 |
| Mogwai Labs | 111 |
| CERT-QC | 112 |
| VulnCheck | 404 |
| DFN-CERT Services | 680 |
| Austin Hackers Anonymous | 1337 |
| Pentagrid | 2342 |
| Cisco Talos | 31337 |
This diversity mirrors the admission criteria: in theory, any entity with a public vulnerability disclosure policy can apply to become a numbering authority.
Identifier 1 has been reserved for CIRCL, the project’s lead. Identifier 2 is allocated to the EUVD (EU Vulnerability Database), operated by ENISA (European Union Agency for Cybersecurity). Identifier 0, for its part, is dedicated to mapping CVEs.
GCVE, Against Geopolitical Risks
The directory of numbering authorities is published in JSON format. These authorities have two options for communicating vulnerability data: a static endpoint that serves a file, or a REST API with “recent” and “latest” endpoints, optionally accompanied by filters (sources and the number of results). The GCVE project does not impose a fixed format, but recommends aligning with the CVE Record standard.
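A consumer that aggregates records from several numbering authorities has to decide which identifiers to accept. The sketch below is an added example, not code from the GCVE project or vulnerability-lookup: it checks an identifier against a directory and folds plain CVE identifiers into the identifier-0 space so duplicates collapse to one key. The `GCVE-<authority>-<year>-<number>` layout and the directory field names `id` and `short_name` are assumptions; the sample directory is constructed from the table above.

```python
import json
import re

# Constructed sample in the shape of a directory file. The field names
# "id" and "short_name" are assumptions; entries come from the table above.
SAMPLE_DIRECTORY = json.loads("""[
  {"id": 1, "short_name": "CIRCL"},
  {"id": 2, "short_name": "EUVD"},
  {"id": 3, "short_name": "Red Hat"},
  {"id": 404, "short_name": "VulnCheck"}
]""")

# Assumed layouts: GCVE-<authority>-<year>-<number> and CVE-<year>-<number>.
GCVE_RE = re.compile(r"GCVE-(0|[1-9]\d*)-(\d{4})-(\d{1,19})")
CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,19})")


def load_authorities(directory):
    """Index directory entries by numeric authority identifier."""
    return {int(entry["id"]): entry["short_name"] for entry in directory}


def resolve(identifier, authorities):
    """Return (canonical_id, authority_name), or raise ValueError.

    Plain CVE identifiers are folded into the GCVE-0 space so the same
    vulnerability seen under both spellings deduplicates to one key.
    """
    ident = identifier.strip().upper()
    cve = CVE_RE.fullmatch(ident)
    if cve:
        return f"GCVE-0-{cve.group(1)}-{cve.group(2)}", "CVE mapping"
    gcve = GCVE_RE.fullmatch(ident)
    if not gcve:
        raise ValueError(f"malformed identifier: {identifier!r}")
    gna, year, number = int(gcve.group(1)), gcve.group(2), gcve.group(3)
    if gna == 0:
        # Identifier 0 is reserved for mapped CVEs: the tail must be a valid CVE.
        if not CVE_RE.fullmatch(f"CVE-{year}-{number}"):
            raise ValueError(f"GCVE-0 entry is not a valid CVE: {identifier!r}")
        return ident, "CVE mapping"
    if gna not in authorities:
        # Unknown authority prefix: reject rather than ingest the record.
        raise ValueError(f"authority {gna} is not in the directory")
    return ident, authorities[gna]
```

Rejecting identifiers whose authority is absent from the directory keeps records from unlisted sources out of the aggregated feed.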
The published best practices cover verifying the integrity of the directory file, coordinated vulnerability disclosure, and the assignment of identifiers. Three other practices are currently in draft. They address the formats for vulnerability reporting and the decentralized publication protocol.
An open-source tool serves as the reference implementation for these best practices: vulnerability-lookup, which is also credited to CIRCL. The GCVE database rests on this tool*, as does the EUVD.
Not a direct confrontation with MITRE, then, but an openly acknowledged resilience challenge. The aim is to avoid a “single point of failure” and to reduce exposure to geopolitical fluctuations. In the background is concern over the CVE program’s future, which at one point looked very uncertain. Last year, the U.S. government narrowly renewed its financing.
* The database is hosted in the data centers of the Luxembourg CERT.