CVE needs no introduction. You’ve been using it daily for years: when you patch, when you review advisories, when you plug an identifier into your tool of choice. It’s the standard everyone takes for granted. The problem is that “everyone” has spent decades relying on infrastructure managed by MITRE, an American organisation funded by the US government. And if that funding tap closes or gets cut, the global vulnerability ecosystem is left lame in an instant.
This isn’t a theoretical threat. In recent years there have been more than a few scares around MITRE’s budget, and that has made a lot of people nervous. Rightly so.
Europe’s response to all of this is called GCVE (Global CVE Allocation System) and lives at gcve.eu. It’s not a paper or a working group: it’s been operational since April 2025 and already has over 20 organisations on board, including Red Hat, Siemens, Cisco, and ENISA’s own European vulnerability database.
What changes compared to the traditional CVE?
The main difference is architectural. The classic CVE is centralised: MITRE decides who can issue identifiers, assigns blocks, and controls the process. If there’s a problem at the top, the bottleneck is felt everywhere.
GCVE is decentralised. Each issuing organisation manages its own identifiers autonomously, without waiting for anyone to assign blocks or give permission. The format is very similar to CVE but includes a prefix that identifies who issued it:
GCVE-[issuer]-[year]-[unique identifier]
For example, GCVE-0-2023-40224 is CVE-2023-40224 mapped to the new system (the prefix 0 is reserved for existing CVEs, so backwards compatibility is guaranteed). And any tool that already works with CVE can automatically generate its GCVE equivalent. Nothing needs to be thrown away or rebuilt.
Who’s behind it?
The project is run by the Luxembourg Computer Security Incident Response Team (CIRCL), which also maintains the vulnerability management software that powers the system. Among the organisations already on board are Red Hat, Siemens, Cisco Talos — with organisation number 31337, a nod to those who catch it — ENISA’s European vulnerability database, and VulDB. These aren’t unknowns: they’re the ones publishing most of the advisories you probably already have in your feeds.
Why now?
Two reasons. The first we’ve already mentioned: the instability of MITRE’s funding has made it clear that depending on a single infrastructure controlled by a single government is a risk that makes little sense to accept in 2025. The second is more fundamental: Europe has been trying for a while not to depend on critical digital infrastructures it doesn’t control. We’ve seen it with cloud, with public administration software, with chips. Vulnerability management was another open flank, and with GCVE they’re plugging it in a rather elegant way: without breaking anything, maintaining compatibility, and betting on decentralisation rather than building another centralised silo but with a European flag.
How do you become an issuing organisation?
If your organisation is already recognised as an issuer in the CVE programme, you can switch to GCVE directly. If not, certified European or international incident response teams can also apply, as can software and hardware vendors with a public vulnerability disclosure policy. The process is straightforward: send an email to gna@gcve.eu with your organisation’s details. The registry of all issuing organisations is public at gcve.eu.
Do I need to do anything now?
Probably not urgently. CVE is still working and will continue to do so for a long time. But if you manage vulnerabilities, use tools that consume CVE data, or simply want to know where the European cybersecurity ecosystem is heading, it’s worth keeping an eye on this while the project is getting off the ground. The technical approach is solid, backwards compatibility is resolved, and the institutional backing is real. For once that Europe does something in this space without waiting ten years, it looks like they’ve thought it through.
Official website: gcve.eu
Join the Sinologic community
Create your free account and join the conversations about VoIP, Asterisk, Kamailio and IP telephony.
Leave your mark
Every point of view enriches the article.