2026-02-15 Journal
KEV (Known Exploited Vulnerabilities) - Potential Format (BCP-07)
- Source: discourse.ossbase.org
- Time: 16:07:44
- Summary: It’s a pretty good document for the procurement aspect, which is often neglected. I’m curious if we could generate a machine-parseable output of all the control points. Do you know the license of the document, and if we can freely reuse/redistribute the content? It’s clearly outside the KEV BCP-07 but it could be useful as reference point for the…
KEV (Known Exploited Vulnerabilities) - Potential Format (BCP-07)
- Source: discourse.ossbase.org
- Time: 14:41:06
- Summary: Indeed. At least for the contractual requirement, the KEV format (BCP-07) can be used to inform customers (even if the KEV is not disclosed outside the customer-vendor relationship). I suppose some extension in the KEV assertion can indeed be added. By the way, I did a quick mapping of CRA obligations and how GCVE can support it at the following…
Many people are concerned about the CRA requirements, especially how they map to real-world coordinated vulnerability disclosure (CVD) processes. I tried to map the standard to the functionality we have in GCVE.eu to see how it could be integrated into a standard CRA process and support compliance. 🔗 https://discourse.ossbase.org/t/cra-and-gcve-overview/1017 #cra #vulnerability #vulnerabilitymanagement #cybersecurity #gcve @gcve
- Source: infosec.exchange
- Time: 14:34:21
- Summary: CRA - GCVE overview
CRA and GCVE overview
- Source: discourse.ossbase.org
- Time: 14:07:42
- Summary: Vendor as a GCVE GNA and decentralized vulnerability publication workflow. What it means for a vendor to become a GNA in the GCVE model. Across GCVE BCPs, a GNA is treated as a publisher of vulnerability information and related metadata with decentralized operational control: - The directory is a trust anchor: “**The directory file contains authoritative metadata about GCVE Numbering…
GCVE BCP-06 drafting - Requirements and Evaluation Criteria for GCVE Numbering Authorities
- Source: discourse.ossbase.org
- Time: 13:25:20
- Summary: New version has been published including requirements from an organisation willing to be a GNA without publishing the vulnerability outside their circles. A new publishing model has been added to cover that use-case.
gcve.eu: GCVE-BCP-06 - Requirements and Evaluation Criteria for GCVE Numbering Authorities (GNAs). Version: 1.0. Status: Draft (for…