After a discussion with Eireann Leverett in a chat room about fingerprinting, he asked how LLM software and tools should be classified by default. Is there an appropriate CPE vendor/product classification for them?
The key question is what exactly is being identified.
If the vulnerability affects an LLM service, the scope appears to be already covered by existing CPE entries:
However, consider a model produced by OpenAI, such as:
If the vulnerability is within the model itself, I would assume a CPE such as openai:gpt-oss could be appropriate. Could the same CPE also be used for other use cases, such as AI-assisted materials produced with that model? I believe it could.
This raises a governance question: if the vendor is not willing to assign a CPE, should CPE.GCVE.EU create one? Alternatively, should we assign a dedicated vendor namespace for such cases?