BCP-04 Draft Preparation - Work-group session 25/08/2025 - Luxembourg
Following discussions in a standard work-group with the GCVE board regarding the recommended size of GCVE identifiers, it was agreed that no strict size limit will be enforced (similar to the flexibility of URIs). However, a recommendation is provided.
The recommendation is to use identifiers of up to 128 bytes including the prefix.
Another discussion point in the work-group concerned the use of character sets beyond 7-bit ASCII. Some GNAs (GCVE Numbering Authorities) expressed interest in supporting UTF-8 characters in identifiers. While this would improve flexibility, it could also introduce significant overhead in software implementations that process GCVE identifiers.
To capture these decisions, two sections will be added to BCP-04:
- ID Format (including size considerations)
- Encoding (supported character sets and constraints)
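The two points above (a recommended ceiling of 128 bytes including the prefix, and the open question of non-7-bit characters) are easy to get wrong in an implementation if the size is measured in characters rather than bytes. The following is an added example, not code from the BCP-04 draft or the GCVE project: it measures an identifier in UTF-8 bytes, checks the recommended limit, and reports (rather than rejects, unless the caller opts in) characters outside the 7-bit range. The `GCVE-` prefix string and all sample identifiers are assumptions made for this example.

```python
# Added example, not part of the BCP-04 draft or the GCVE project code.
# Checks an identifier against the work-group recommendation (at most 128
# bytes including the prefix) and reports whether it stays within 7-bit
# characters. The "GCVE-" prefix is an assumption for this example.
from dataclasses import dataclass

MAX_BYTES = 128     # recommended upper bound, counted in bytes, prefix included
PREFIX = "GCVE-"    # assumed prefix string


@dataclass(frozen=True)
class IdCheck:
    identifier: str
    byte_length: int   # size once UTF-8 encoded; differs from len() for non-ASCII
    within_size: bool  # byte_length <= MAX_BYTES
    seven_bit: bool    # every code point fits in 7 bits (plain ASCII)
    has_prefix: bool


def check_identifier(identifier: str) -> IdCheck:
    """Measure the identifier the way a byte limit must be measured: in bytes."""
    encoded = identifier.encode("utf-8")
    return IdCheck(
        identifier=identifier,
        byte_length=len(encoded),
        within_size=len(encoded) <= MAX_BYTES,
        seven_bit=all(ord(ch) < 0x80 for ch in identifier),
        has_prefix=identifier.startswith(PREFIX),
    )


def problems(identifier: str, require_seven_bit: bool = False) -> list[str]:
    """Deviations from the recommendation; empty when the identifier is acceptable.

    Non-7-bit characters only count as a problem when the caller opts into a
    strict 7-bit policy, since BCP-04 has not settled the encoding question.
    """
    c = check_identifier(identifier)
    found = []
    if not c.has_prefix:
        found.append(f"missing prefix {PREFIX!r}")
    if not c.within_size:
        found.append(f"{c.byte_length} bytes exceeds recommended {MAX_BYTES}")
    if require_seven_bit and not c.seven_bit:
        found.append("contains characters outside the 7-bit range")
    return found


# Constructed samples (not real GCVE entries).
SAMPLES = {
    "ascii": "GCVE-1-2025-0001",
    "at_limit": PREFIX + "a" * (MAX_BYTES - len(PREFIX)),      # exactly 128 bytes
    "over_limit": PREFIX + "a" * (MAX_BYTES - len(PREFIX) + 1),  # 129 bytes
    "utf8": PREFIX + "\u00e9" * 95,   # 100 characters, but 195 bytes
}

if __name__ == "__main__":
    for name, ident in SAMPLES.items():
        c = check_identifier(ident)
        print(f"{name:>10}: chars={len(ident):3d} bytes={c.byte_length:3d} "
              f"within_size={c.within_size} seven_bit={c.seven_bit} "
              f"problems={problems(ident)}")
```

The `utf8` sample is the case worth noticing: it is only 100 characters long, so a `len()`-based check would pass it, yet it is 195 bytes and exceeds the recommendation once the byte count is used.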
Based on input from @ClausHoumann, GCVE identifiers are not limited to describing a newly disclosed vulnerability. They may also:
- extend the description of an existing vulnerability (e.g., with additional metadata),
- serve as a reference to a patch, or
- establish a parent/child relationship with another vulnerability.
The design of GCVE explicitly allows multiple identifiers for the same vulnerability to provide complementary information or alternative perspectives (e.g., in cases of vendor refusal or disagreement). There is no single authoritative identifier for a given vulnerability. Instead, GNAs may provide different viewpoints on similar vulnerabilities.
The model also allows a GNA to reference another GCVE identifier issued by a different GNA, covering scenarios such as parallel or independent vulnerability discoveries.
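Because no identifier is authoritative and GNAs may reference each other's identifiers, a consumer of GCVE data has to treat the identifiers as a graph rather than a flat list. The following is an added example, not code from the BCP-04 draft or the GCVE project: it models the relationship kinds named above (extension of an existing entry, patch reference, parent/child, reference to another GNA's identifier) and answers two questions a consumer would ask: which identifiers form one cluster of viewpoints on the same vulnerability, and whether parent/child links loop. The relation vocabulary, the GNA labels and every identifier in it are constructed for this example.

```python
# Added example, not part of the BCP-04 draft or the GCVE project code.
# Relation names, GNA labels and identifiers below are constructed.
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Relation:
    kind: str    # one of "extends", "patch", "parent" (assumed vocabulary)
    target: str  # identifier the relation points at, possibly from another GNA


@dataclass
class Record:
    identifier: str
    gna: str                                   # issuing GNA (constructed label)
    relations: list[Relation] = field(default_factory=list)


def related_cluster(records: dict[str, Record], start: str) -> set[str]:
    """Every identifier connected to `start` by any relation, in either direction.

    With no single authoritative identifier, a consumer gathers the whole
    cluster and treats each member as one GNA's viewpoint on the vulnerability.
    """
    adjacency: dict[str, set[str]] = defaultdict(set)
    for rec in records.values():
        for rel in rec.relations:
            adjacency[rec.identifier].add(rel.target)
            adjacency[rel.target].add(rec.identifier)
    seen = {start}
    queue = deque([start])
    while queue:
        for neighbour in adjacency[queue.popleft()]:
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen


def has_parent_cycle(records: dict[str, Record]) -> bool:
    """True if following 'parent' links from some record eventually returns to it."""
    parents = {rec.identifier: [r.target for r in rec.relations if r.kind == "parent"]
               for rec in records.values()}
    state: dict[str, int] = {}   # 1 = on the current path, 2 = fully explored

    def visit(node: str) -> bool:
        state[node] = 1
        for parent in parents.get(node, []):
            s = state.get(parent, 0)
            if s == 1 or (s == 0 and visit(parent)):
                return True
        state[node] = 2
        return False

    return any(state.get(n, 0) == 0 and visit(n) for n in parents)


def cross_gna_references(records: dict[str, Record]) -> list[tuple[str, str]]:
    """(source, target) pairs where the target was issued by a different GNA."""
    out = []
    for rec in records.values():
        for rel in rec.relations:
            target = records.get(rel.target)
            if target is not None and target.gna != rec.gna:
                out.append((rec.identifier, rel.target))
    return out


# Constructed sample: three GNAs describing one vulnerability from different angles.
SAMPLE = {r.identifier: r for r in [
    Record("GCVE-1-2025-0001", "GNA-1"),                                      # original disclosure
    Record("GCVE-2-2025-0042", "GNA-2", [Relation("extends", "GCVE-1-2025-0001")]),
    Record("GCVE-2-2025-0043", "GNA-2", [Relation("parent", "GCVE-2-2025-0042")]),
    Record("GCVE-3-2025-0007", "GNA-3", [Relation("patch", "GCVE-1-2025-0001")]),
    Record("GCVE-1-2025-0002", "GNA-1"),                                      # unrelated entry
]}

# Constructed sample with a parent loop, which a validator should reject.
CYCLIC = {r.identifier: r for r in [
    Record("GCVE-9-2025-0001", "GNA-9", [Relation("parent", "GCVE-9-2025-0002")]),
    Record("GCVE-9-2025-0002", "GNA-9", [Relation("parent", "GCVE-9-2025-0001")]),
]}

if __name__ == "__main__":
    print(sorted(related_cluster(SAMPLE, "GCVE-1-2025-0001")))
    print(cross_gna_references(SAMPLE))
    print(has_parent_cycle(SAMPLE), has_parent_cycle(CYCLIC))
```

`related_cluster` deliberately walks relations in both directions: a patch reference or an extension issued by another GNA points at the original entry, and a consumer starting from that original still wants to find them.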