Vulnerability Lookup and GCVE: A Decentralized Approach to Vulnerability Publishing and Management Workshop at Hack.lu 2025
This hands-on workshop at hack.lu 2025 introduced the open-source Vulnerability Lookup project and the Global Common Vulnerabilities and Exposures (GCVE) initiative, two complementary efforts designed to modernize and decentralize the way vulnerabilities are published, shared, and consumed.
Participants discovered how Vulnerability Lookup acts as a collaborative platform for collecting, enriching, and analyzing vulnerability data, supporting every stage of the vulnerability management lifecycle, from discovery and prioritization to tracking remediation and assessing exposure. The session introduced GCVE, a next-generation, decentralized framework for vulnerability identification that empowers organizations to act as GCVE Numbering Authorities (GNAs) with greater autonomy and flexibility.
- How to publish and synchronize vulnerabilities using the GCVE and vulnerability-lookup ReST API.
- How decentralized allocation empowers vendors, researchers, and CSIRTs to disclose vulnerabilities more efficiently.
- How to leverage Vulnerability Lookup to support vulnerability triage, enrichment (EPSS, CVSS, Multi KEV), and exposure tracking.
- How Vulnerability Lookup integrates with GCVE to provide real-time insights, cross-references, and analytics.
- Best practices for integrating GCVE and Vulnerability Lookup into your existing vulnerability management workflows.
This post includes all the materials presented during the workshop.
Slide decks
- Part 1 - https://cra.circl.lu/vl/vl-part-1.pdf - Vulnerability Lookup and VL-AI - Beyond CVEs: Mastering the Landscape with Vulnerability-Lookup from CVE to CVD
- Part 2 - https://cra.circl.lu/vl/gcve-part-2.pdf - GCVE - GCVE: Global CVE Allocation System Enhancing Flexibility, Scalability, Autonomy, and Resilience in Vulnerability Identification
Additional References
- Website and repository of vulnerability-lookup
- vulnerability-lookup instance at CIRCL (GNA-1) - https://vulnerability.circl.lu/
- https://vulnerability.circl.lu/api/ - Vulnerability-Lookup API
- https://www.vulnerability-lookup.org/nis2-directive/ - Vulnerability-Lookup and NIS2 Directive Compliance
- RSS and Vulnerability-Lookup
- Simplified Vulnerability Reporting (aligned with NIS 2 requirements) in Vulnerability-Lookup
- Full dumps of vulnerability-lookup sources at CIRCL https://vulnerability.circl.lu/dumps/
- HuggingFace CIRCL - https://huggingface.co/CIRCL
API Usage of Vulnerability-Lookup
Core API
Usage
- Backward compatible with cve-search (originally developed in late 2012)
- Fully documented, paginated and JSON-Schema validated API. Documentation: https://vulnerability.circl.lu/api/
- The UI and core features of Vulnerability-Lookup are built on top of the API
- Sighting tools and satellite projects leverage the same API: https://www.vulnerability-lookup.org/user-manual/sightings/
- Used by Vulnogram, bundled into Vulnerability-Lookup, to manage security advisories
- Supports synchronization between Vulnerability-Lookup instances (in progress)
- Supports MISP Taxonomy for various objects including comments: https://www.misp-project.org/taxonomies.html#_vulnerability_3
- Used as reference implementation for GCVE-BCP-03
Correlations
Related vulnerabilities
```shell
curl --silent 'https://vulnerability.circl.lu/api/vulnerability/CVE-2015-2051?with_linked=true' \
| jq 'keys'
```

```json
[
  "containers",
  "cveMetadata",
  "dataType",
  "dataVersion",
  "vulnerability-lookup:linked"
]
```

Correlation sources
```shell
curl --silent 'https://vulnerability.circl.lu/api/vulnerability/CVE-2015-2051?with_linked=true' \
| jq '.["vulnerability-lookup:linked"] | keys'
```

```json
[
  "cnvd",
  "fkie_nvd",
  "github",
  "gsd",
  "variot"
]
```

Correlations from GitHub example
```shell
curl --silent 'https://vulnerability.circl.lu/api/vulnerability/CVE-2015-2051?with_linked=true' \
| jq '.["vulnerability-lookup:linked"]["github"]'
```

```json
[
  [
    "ghsa-x629-5xff-w7qg",
    {
      "schema_version": "1.4.0",
      "id": "GHSA-x629-5xff-w7qg",
      "modified": "2025-10-22T03:30:42Z",
      "published": "2022-05-17T03:11:58Z",
      "aliases": [
        "CVE-2015-2051"
      ],
      "details": "The D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface.",
      "severity": [
        {
          "type": "CVSS_V3",
          "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "affected": [],
      "references": [
        {
          "type": "ADVISORY",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-2051"
        },
        {
          "type": "WEB",
          "url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10282"
        },
        {
          "type": "WEB",
          "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-2051"
        },
        {
          "type": "WEB",
          "url": "https://www.exploit-db.com/exploits/37171"
        },
        {
          "type": "WEB",
          "url": "http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10051"
        },
        {
          "type": "WEB",
          "url": "http://www.securityfocus.com/bid/72623"
        },
        {
          "type": "WEB",
          "url": "http://www.securityfocus.com/bid/74870"
        }
      ],
      "database_specific": {
        "cwe_ids": [
          "CWE-77"
        ],
        "severity": "HIGH",
        "github_reviewed": false,
        "github_reviewed_at": null,
        "nvd_published_at": "2015-02-23T17:59:00Z"
      }
    }
  ]
]
```

Retrieving vulnerability sightings
```shell
curl --silent 'https://vulnerability.circl.lu/api/vulnerability/CVE-2024-5261?with_sightings=true' \
| jq '.["vulnerability-lookup:sightings"]'
```

```json
[
  {
    "uuid": "eec2c8fd-f664-4e73-b3f5-651db5fa4f3f",
    "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
    "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
    "vulnerability": "cve-2024-5261",
    "type": "seen",
    "source": "https://mastodon.social/users/bagder/statuses/113984646246260950",
    "creation_timestamp": "2025-02-11T09:54:37.066650Z"
  },
  {
    "uuid": "6de72384-c623-4e70-bd38-1040c4e29bab",
    "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
    "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
    "vulnerability": "cve-2024-5261",
    "type": "seen",
    "source": "https://bsky.app/profile/bagder.mastodon.social.ap.brid.gy/post/3lhvfc2enwhl2",
    "creation_timestamp": "2025-02-11T10:04:50.326511Z"
  },
  {
    "uuid": "61f4c902-4258-423a-929a-4b473e3d16a0",
    "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
    "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
    "vulnerability": "CVE-2024-5261",
    "type": "seen",
    "source": "https://daniel.haxx.se/blog/2025/02/11/disabling-cert-checks-we-have-not-learned-much/",
    "creation_timestamp": "2025-02-11T14:00:07.000000Z"
  }
]
```

Pivoting via sightings
```shell
curl --silent 'https://vulnerability.circl.lu/api/sighting/?source=https://daniel.haxx.se/blog/2025/02/11/disabling-cert-checks-we-have-not-learned-much/' \
| jq '.data[].vulnerability'
```

```
"GHSA-fq29-72jg-5hrj"
"CVE-2024-32928"
"GHSA-9mgx-552f-59p6"
"CVE-2024-56521"
"GHSA-crg3-fjm2-xvpq"
"CVE-2024-5261"
```

Unpublished advisories
Advisories detected via sightings that are not yet published (or rejected):
```shell
curl --silent 'https://vulnerability.circl.lu/api/sighting?date_from=2025-10-20&date_to=2025-10-23&advisory_status=unpublished' \
| jq . | grep vulnerability
```

```
"vulnerability": "CVE-2025-54469",
"vulnerability": "GHSA-573g-3567-8phg",
"vulnerability": "CVE-2025-3720",
"vulnerability": "CVE-2025-11702",
"vulnerability": "CVE-2025-12036",
"vulnerability": "CVE-2025-12036",
"vulnerability": "CVE-2025-12036",
"vulnerability": "CVE-2025-12036",
"vulnerability": "CVE-2025-10230",
"vulnerability": "GHSA-8h43-rcqj-wpc6",
"vulnerability": "CVE-2025-10230",
"vulnerability": "CVE-2025-60722",
"vulnerability": "CVE-2025-12654",
"vulnerability": "GHSA-8h43-rcqj-wpc6",
"vulnerability": "CVE-2025-20727",
"vulnerability": "CVE-2025-20726",
"vulnerability": "CVE-2025-20725",
"vulnerability": "CVE-2025-58148",
"vulnerability": "CVE-2025-58147",
"vulnerability": "CVE-2025-58147",
"vulnerability": "CVE-2025-58148",
"vulnerability": "CVE-2025-11002",
"vulnerability": "CVE-2025-11001",
"vulnerability": "CVE-2025-11001",
"vulnerability": "CVE-2023-42344",
"vulnerability": "CVE-2025-61431",
"vulnerability": "CVE-2025-52179",
"vulnerability": "CVE-2025-52180",
"vulnerability": "CERTFR-2025-ACT-045",
"vulnerability": "CVE-2025-11002",
"vulnerability": "CVE-2025-11001",
"vulnerability": "CERTFR-2025-ACT-045",
"vulnerability": "CERTFR-2025-ACT-045",
"vulnerability": "CVE-2025-11756",
"vulnerability": "CVE-2025-11002",
"vulnerability": "CVE-2025-11001",
"vulnerability": "CVE-2025-10230",
"vulnerability": "CVE-2025-10230",
"vulnerability": "CVE-2025-10230",
"vulnerability": "cve-2025-11001",
"vulnerability": "CVE-2025-11002",
"vulnerability": "CVE-2025-11001",
"vulnerability": "CVE-2025-11001",
"vulnerability": "CVE-2023-42344",
"vulnerability": "CVE-2023-42344",
```

Example from the output: https://vulnerability.circl.lu/vuln/CVE-2025-11001#sightings - "7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability"
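As an added example (not code from the Vulnerability-Lookup project), the following Python parses the `with_linked` and `with_sightings` response shapes shown in the correlation and sighting sections above and pivots on them: correlated identifiers per source, and a per-type sighting count with the earliest timestamp for one identifier, compared case-insensitively because the sightings above mix `cve-2024-5261` and `CVE-2024-5261`. The `fetch` helper, the `[identifier, document]` pair shape assumed for every correlation source (the page only shows it for github), and the `SAMPLE` record are assumptions.

```python
import json
from urllib.request import urlopen  # only fetch() touches the network

BASE = "https://vulnerability.circl.lu/api"  # instance used throughout the page

def fetch(vuln_id):
    """Fetch one record with correlations and sightings (network required)."""
    url = f"{BASE}/vulnerability/{vuln_id}?with_linked=true&with_sightings=true"
    with urlopen(url, timeout=30) as resp:
        return json.load(resp)

def same_id(a, b):
    """Sightings mix cases (cve-2024-5261 vs CVE-2024-5261): compare case-insensitively."""
    return a.strip().upper() == b.strip().upper()

def linked_ids(record):
    """Correlation source -> sorted linked identifiers; assumes [id, document] pairs as for github."""
    out = {}
    for source, entries in record.get("vulnerability-lookup:linked", {}).items():
        out[source] = sorted({e[0] if isinstance(e, list) else e for e in entries})
    return out

def sighting_summary(record, vuln_id):
    """Per-type sighting counts for vuln_id plus the earliest creation timestamp."""
    counts, first = {}, None
    for s in record.get("vulnerability-lookup:sightings", []):
        if not same_id(s["vulnerability"], vuln_id):
            continue  # skip sightings attached to another identifier
        counts[s["type"]] = counts.get(s["type"], 0) + 1
        if first is None or s["creation_timestamp"] < first:
            first = s["creation_timestamp"]  # same-layout ISO-8601 UTC strings sort lexically
    return counts, first

# Constructed sample (not real API output), shaped like the responses shown above.
SAMPLE = {
    "cveMetadata": {"cveId": "CVE-2015-2051"},
    "vulnerability-lookup:linked": {
        "github": [["ghsa-x629-5xff-w7qg", {"id": "GHSA-x629-5xff-w7qg"}]],
        "fkie_nvd": [["cve-2015-2051", {}]],
    },
    "vulnerability-lookup:sightings": [
        {"vulnerability": "cve-2015-2051", "type": "seen",
         "source": "https://example.org/report-1", "creation_timestamp": "2025-02-11T10:04:50Z"},
        {"vulnerability": "CVE-2015-2051", "type": "seen",
         "source": "https://example.org/report-2", "creation_timestamp": "2025-02-11T09:54:37Z"},
        {"vulnerability": "CVE-2024-5261", "type": "seen",
         "source": "https://example.org/report-3", "creation_timestamp": "2025-02-10T00:00:00Z"},
    ],
}
```

Replace `SAMPLE` with `fetch("CVE-2015-2051")` to run the same functions against the live instance.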
Endpoints for Statistics
- UI global statistics: https://vulnerability.circl.lu/stats/
- Dashboard: https://vulnerability.circl.lu
- Most sighted: https://vulnerability.circl.lu/api/stats/vulnerability/most_sighted
- Most commented: https://vulnerability.circl.lu/api/stats/vulnerability/most_commented
Statistics about CWE
```shell
curl -X 'GET' 'https://vulnerability.circl.lu/api/stats/cwe/most_used?limit=10&output=json' -H 'accept: application/json'
```

```json
[{"cwe": "CWE-264", "count": 269.0}, {"cwe": "CWE-399", "count": 188.0}, {"cwe": "CWE-788", "count": 140.0}, {"cwe": "CWE-310", "count": 75.0}, {"cwe": "CWE-840", "count": 70.0}, {"cwe": "CWE-16", "count": 61.0}, {"cwe": "CWE-255", "count": 52.0}, {"cwe": "CWE-354", "count": 50.0}, {"cwe": "CWE-275", "count": 48.0}, {"cwe": "CWE-648", "count": 46.0}]
```

Statistics about Vendors
```shell
curl -X 'GET' 'https://vulnerability.circl.lu/api/stats/vendors/ranking?limit=5&output=json' -H 'accept: application/json' | jq .
```

```json
[
  {
    "vendor": "microsoft",
    "count": 115466
  },
  {
    "vendor": "linux",
    "count": 20307
  },
  {
    "vendor": "red hat",
    "count": 19018
  },
  {
    "vendor": "siemens",
    "count": 16787
  },
  {
    "vendor": "apple",
    "count": 11308
  }
]
```

Generate a PDF report from the API
The statistics endpoints can return several open formats, such as Markdown, so more complex output pipelines (here a PDF report via pandoc) can be built on top of them.
```shell
curl -s 'https://vulnerability.circl.lu/api/stats/vulnerability/most_sighted?date_from=2025-01-01&output=markdown' \
| pandoc --from=markdown --to=pdf -o semestrial-report.pdf
xdg-open semestrial-report.pdf
```

Vendors ranking
```shell
curl --silent 'https://vulnerability.circl.lu/api/stats/vendors/ranking?limit=10&output=json&period=2025-09'
```

```json
[
  {
    "vendor": "microsoft",
    "count": 6155
  },
  {
    "vendor": "linux",
    "count": 2110
  },
  {
    "vendor": "red hat",
    "count": 791
  },
  {
    "vendor": "amd",
    "count": 513
  },
  {
    "vendor": "apple",
    "count": 271
  },
  {
    "vendor": "dell",
    "count": 252
  },
  {
    "vendor": "vasion",
    "count": 220
  },
  {
    "vendor": "google",
    "count": 194
  },
  {
    "vendor": "mitsubishi electric corporation",
    "count": 177
  },
  {
    "vendor": "liferay",
    "count": 137
  }
]
```

Feedback and Support
If you find any issues or have suggestions, please open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
We appreciate your feedback!