I was wondering if the usage of the verbs which are not security vulnerabilities means that there should be a property in the gcve to indicate that it’s not a vulnerability but a comment/announcement/… Another use case I see for this tag is announcing the end of support for a product, for example.
Thanks @claudex. This is an excellent point and would also improve the ability to parse GCVE records reliably. Below is a proposal for a record_type field that would serve as a key within each GCVE record. Feel free to comment. @cedric I incorporated the idea concerning the sync of the comment (not sure if it is the most efficient way).
Proposed update to BCP-05 (following the online workshop of 6th December in Belgium)
The record_type field defines the semantic category of the content submitted by a GNA through the synchronization endpoint. It enables producers and consumers of GCVE data to distinguish between different kinds of records associated with a GCVE identifier (e.g., the primary security advisory, supplemental information, or community-provided additions).
A value MUST be provided for every record. In case of parsing failure, the record_type advisory MUST be assumed.
GNAs SHOULD use the most specific record_type available.
Consumers SHALL ignore unknown types and treat them as opaque extension values to ensure forward compatibility.
Recommended record_type Values
advisory
The authoritative security advisory or vulnerability description produced by the GNA.
Contains core details such as impact, affected products, references, and remediation.
This type MAY include a relationships table.
update
Follow-up information that updates or extends parts of the original advisory which is mentioned in the relationships table (e.g., additional affected versions, revised severity, new patches).
This type MUST include a relationships table.
analysis
Technical analysis, exploitation insights, detection notes, or other analytical content that complements another advisory. May be authored by the GNA or trusted partners working with the GNA.
This type MUST include a relationships table.
metadata
Structured or machine-generated supplemental information (e.g., tags, product mappings, enrichment fields). Not intended to modify the original advisory text referenced in the relationships table.
This type MUST include a relationships table.
reference
Pointers to external documents, vendor bulletins, technical writeups, repositories, or other relevant resources. Not intended to modify the original advisory text referenced in the relationships table.
This type MUST include a relationships table.
comment
Non-authoritative free-text remarks or annotations. May come from the community or other contributors managed by a GNA.
This type MUST include a relationships table.
statement
Official statements from stakeholders (e.g. an operating system distribution, an open source co-author) or vendors (e.g., “not affected,” “end-of-life,” “mitigation available”).
This type MUST include a relationships table.
remediation
Standalone information on patches, mitigations, workarounds, or configuration guidance when provided separately from the advisory and published by the GNA issuing that GCVE record.
This type MUST include a relationships table.
deprecation
Marks an advisory as superseded, withdrawn, or otherwise deprecated (e.g., merged into another GCVE ID or determined non-vulnerable).
This type MUST include a relationships table.
detection
Detection guidance such as YARA, Snort, or Sigma rules.
This type MUST include a relationships table.
translation
Non-authoritative translations of an advisory with an additional GCVE language field specifying the language of the GCVE record.
This type MUST include a relationships table.
Sample JSON
"x_gcve": [
  {
    "vulnId": "GCVE-1-2025-0018",
    "record_type": "advisory",
    "relationships": [
      {
        "destId": "CVE-2025-65095",
        "type": "equal"
      }
    ]
  }
],
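
A consumer-side check of the record_type rules proposed above, as an added example that is not part of the original post or of any GCVE tooling. The helper names, the status labels, the `GCVE-EXAMPLE-*` identifiers and the `x_vendor_note` type are hypothetical, and treating a missing or non-string value as a "parsing failure" is an assumption of this example.

```python
import json

# Values listed under "Recommended record_type Values" in the proposal.
KNOWN_TYPES = {
    "advisory", "update", "analysis", "metadata", "reference", "comment",
    "statement", "remediation", "deprecation", "detection", "translation",
}

def classify(entry):
    """Return (record_type, status, notes) for one x_gcve entry (hypothetical helper)."""
    notes = []
    rtype = entry.get("record_type") if isinstance(entry, dict) else None
    if not isinstance(rtype, str) or not rtype:
        # Assumption: a missing or non-string value counts as a parsing failure,
        # so the proposal's fallback to "advisory" applies. Keep the note for logging.
        notes.append("record_type unparsable, assumed advisory")
        rtype = "advisory"
    if rtype not in KNOWN_TYPES:
        # Unknown types are carried through as opaque extension values.
        return rtype, "opaque", notes
    rels = entry.get("relationships") if isinstance(entry, dict) else None
    if rtype != "advisory" and not (isinstance(rels, list) and rels):
        # Every listed type except advisory MUST include a relationships table.
        # Assumption: this example flags the violation instead of dropping the record.
        notes.append(rtype + " requires a relationships table")
        return rtype, "invalid", notes
    return rtype, "ok", notes

def check_records(document):
    """Classify every entry under the x_gcve key of a JSON document."""
    return [classify(e) for e in json.loads(document).get("x_gcve", [])]

# Constructed sample: the first entry is the one from the post, the rest are made up.
SAMPLE = """
{"x_gcve": [
  {"vulnId": "GCVE-1-2025-0018", "record_type": "advisory",
   "relationships": [{"destId": "CVE-2025-65095", "type": "equal"}]},
  {"vulnId": "GCVE-EXAMPLE-0001", "record_type": "update"},
  {"vulnId": "GCVE-EXAMPLE-0002"},
  {"vulnId": "GCVE-EXAMPLE-0003", "record_type": "x_vendor_note"}
]}
"""

if __name__ == "__main__":
    for rtype, status, notes in check_records(SAMPLE):
        print(rtype, status, notes)
```

The third sample entry shows why the fallback deserves a log line: a record with no type at all ends up classified as an authoritative advisory.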