Summary: This 2-day, in-person hackathon, held in Luxembourg on April 14–15, 2026 (09:00–17:00), combines a hands-on open-source hackathon with an integrated public conference morning on April 14 (09:00–12:00). The event focuses on the development of free and open-source software for cybersecurity and related domains. GCVE.eu will be there, so if you want to work on all the cool stuff around vulnerability…
Summary: adulau: The severity field reflects the severity inferred from the exploitation assertion itself, not an abstract or vendor-defined vulnerability score. For example, a honeypot observation resulting in full system compromise would justify a high severity value. This distinction may benefit from clearer wording in the BCP document. I updated the BCP-07 draft based on the question and feedback provided.…
Summary: Thanks a lot for taking the time to read the BCP and provide feedback. - Yes, the summary is correct. KEV is a standalone record type. - Yes, and additionally, there are cases where an identifier has already been assigned but is not yet publicly disclosed (e.g., embargoed vulnerabilities). - vulnerability.vulnId represents the primary identifier, while vulnerability.altId contains synonymous identifiers…
Summary: Thanks for the question as this will most probably update the BCP-07 with the actual background of the format. KEV and CVE (or GCVE) represent different layers in the model, and that distinction is intentional. A vulnerability identifier (CVE/GCVE) is primarily about establishing the identity of a vulnerability, something that the ecosystem can refer to consistently over time. KEV, on…