CRIT is trying to solve a real gap: package-oriented identifiers like CPE/PURL do not model cloud resources well, because cloud resources are runtime objects with provider-specific identifiers and exposure depends on timing, propagation, and remediation state. The draft is explicit about that, and the repo reflects it with dictionaries, schemas, samples, and a validator.
They also extend the CVE record format with an x_ record just like GCVE. Yes, the ADP needs become like a major importance for the CVE Program.
CRIT records are naturally produced by parties closest to the platform semantics: cloud providers, specialized researchers, managed detection vendors, and vertical ecosystems. The draft even defines “producer” and “consumer” roles and warns that a producer aggregating multiple upstreams must handle natural-key collisions.
GCVE’s GNA model would help here because it gives each producer a stable namespace and publishing authority. That is cleaner than assuming all high-quality CRIT output ultimately needs to be mediated through the CVE pipeline or one ADP publisher. This would allow faster publication.
Potential improvements in CRIT Internet-Draft
Keep vuln_id generic, not effectively “must be CVE”.
Then add:
aliases[]issuerschemeorid_namespace(cve,gcve, maybe others)
The draft already defines “vulnerability identifier” generically, even though the examples are CVEs.
Outcome
- CRIT solves the cloud-resource modeling problem
- GCVE solves the decentralized publication and federation problem