In this episode I discuss GCVE and Vulnerability-Lookup with Alex and Cedric from CIRCL. GCVE offers a decentralized approach, allowing organizations to assign their own IDs and publish vulnerabilities independently. Vulnerability-Lookup is the tool that makes GCVE a reality. This flexibility addresses many of the limitations we see today with a single centralized ID system. The work CIRCL is doing on GCVE is very impressive. With all the current CVE turmoil, this is a project we should all be paying attention to.
Episode Links
This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.
Episode Transcript
Josh Bressers (00:00) Today, Open Source Security is talking to Alex and Cedric from CIRCL, which is the Luxembourg CERT, and you run the GCVE program. So I am ecstatic to have the two of you here. So I’ll let you kind of introduce yourselves and then we’ll go from there.
because this is, holy cow, do I have questions.
Cedric and Alex (00:16) Yeah.
So I’m Alex and I’m the head and security researcher at CIRCL. CIRCL is the national CERT in Luxembourg, so we are dealing with incident response and so on. But next to that, we do a lot of other things, including software engineering and many open source projects. Maybe some of you know MISP, which is a threat intelligence sharing platform. But next to that, we do another software called Vulnerability-Lookup which is doing vulnerability management, and it’s a completely open source project. And to support that project, we started an initiative called GCVE, and I think that’s why we are here today, to discuss this topic.
Josh Bressers (00:54) And Cedric, I’ll let you give yourself an intro.
Cedric and Alex (00:55) Hey, hello.
My name is Cedric and I’ve been leading the development of the Vulnerability-Lookup project and various other tools and activities at CIRCL for a couple of years.
Josh Bressers (01:07) Awesome, awesome. Okay, so yes, Alex is right. GCVE is the thing that definitely grabbed my attention, but the Vulnerability-Lookup tool is very, very cool. And maybe I’ll have you just come back and talk about that someday, because it is, I like it, it’s good. But GCVE, okay? So why don’t you just tell us what GCVE is? Let’s start there.
Cedric and Alex (01:26) Yeah, so it’s pretty straightforward and not that complex, but you know, in computing, there is something very difficult. It’s naming things and putting numbers on things. And that’s exactly what GCVE is. It’s actually giving prefix numbers to authorities that are assigning and creating vulnerabilities and distributing them. So the GCVE project is basically that.
Then behind the scenes, there is much more, indeed. But the first and key goal of GCVE is assigning numbers. So you have to see it as a kind of IANA for vulnerability authorities that are basically publishing vulnerabilities.
Josh Bressers (02:10) That is such an oversimplified answer. All right, Alex, I’m gonna hold your feet to the fire on this one a little bit, I think. You mentioned assigning names to vulnerabilities. And I think the most, I guess, understood parallel here is like the CVE program in the United States. So the first question anyone’s probably gonna have is like, GCVE and like CVE, are they different? Why are they different? Why are they different?
Cedric and Alex (02:40) Okay.
First of all, we are not competing with any programs. Why we came up with GCVE, the reason behind it, was the fact that we have seen that a lot of IDs are assigned for vulnerabilities. And Cédric might talk about it, but in Vulnerability-Lookup, we basically ingest around 25 sources, or even more nowadays, from CSAF sources and so on. And plenty of sources have their own ID. GitHub security advisories, like the CVE program, they all have their own IDs and so on. And that’s totally fine. But the thing that we discovered when we were writing the software, we wanted to have an ability for others that basically cannot easily assign IDs to publish their own vulnerabilities. And that’s where the idea for GCVE came from. GCVE is actually just giving a prefix ID to an authority to allow them to publish their vulnerabilities. That’s basically it. The thing is, we don’t compete with the other programs because the GCVE IDs are usually just a prefix for all the existing programs. So that means GitHub security advisories and the CVE program have a prefix. So for example, GCVE-0 is actually the CVE ID behind it. So it’s basically just compatible and backward compatible with existing programs.
But we wanted to create a system so that the ones that cannot be covered by an existing program could assign their own IDs. That’s basically the system behind it.
Josh Bressers (04:17) Okay, I’m gonna, Cedric, I’m gonna pick on you for a minute here, because so you’re ingesting all this data, and I just want to go off on a tangent for a moment, because you know the pain of vulnerability data and how atrociously bad it is.
Cedric and Alex (04:21) Yes.
Yes.
So as Alex said, we are ingesting a lot of data with Vulnerability-Lookup. We already have like 20, 25 sources. And it’s a total of one million vulnerabilities with different sources and as well different technologies to get the sources. So we are using Git or HTTP APIs. And they are very, very, very diverse sources. So by nature, Vulnerability-Lookup is already able to ingest that.
Now with GCVE, the goal is to enable the distribution of vulnerabilities. So if you install your own Vulnerability-Lookup, for example, as a company and you are a GNA, with our instance, it’s possible to get the advisories that you will publish by subscribing to the feed. So any feed, if you are a GNA, we can ingest it in Vulnerability-Lookup by using the default API that we have designed.
Josh Bressers (05:33) So you just said the word GNA. What is a GNA?
Cedric and Alex (05:37) It’s a numbering authority.
Yeah, so it’s basically a numbering authority. So, for example, Josh, you could be a GNA. So if you are writing software, you are a security researcher, you are part of the existing CNA program, or you are a CSIRT, you can become a GNA. So that means you can basically decide on your own to publish vulnerabilities. And that’s exactly what we want to cover. What we have seen is a lot of organizations publish vulnerabilities or have difficulties publishing those vulnerabilities.
Cedric was mentioning, in Vulnerability-Lookup, we not only do lookup, the name is basically just lookup, but in addition to that, we are able to publish data. So that means if you run your own instance, Josh being a GNA can start to publish their own vulnerabilities. And which is, I think, quite nice because it’s giving some, I would say, freedom to security researchers, open source developers and so on. The only condition to basically get a GNA ID is to have a vulnerability disclosure policy or to be an existing CNA. So it’s all logical. So that means basically if you have a vulnerability disclosure process and you publish vulnerabilities, then you can become a GNA. So it’s really, really straightforward. And the software that we build that is ingesting vulnerabilities from different sources is able to ingest data from other GNAs to basically combine this with all the vulnerabilities that we have. And you mentioned something very important, which is the format. A lot of vulnerability sources have, I would say, a broken format. So we try to support that. In the GCVE program, we even give some best practices on which format to use. But we expect that some sources might be broken, even if they provide in a specific format. For example, if you look at the CSAF format, which is standardized at OASIS, which is pretty good. But sometimes some of the advisories don’t pass the compliance level to just be parsable. So that’s one of the common problems. So we don’t want to solve the format problems. They are already in a format. So the idea behind the GNA and the publication system is to just get the data from an HTTP endpoint and that endpoint is using the CVE format.
In the future, if someone wants to use a VEX format, metadata, things like that, they can do it. So we just need to take care of the transport format.
Josh Bressers (08:15) Okay, okay. So there’s a lot to unwind, I think, in this answer, because there’s, we’ll not go into data format complaining today. We’ll save that for another day. But yes, I know we could probably rant for hours and hours about the terrible data formats. But so I hear all this, you’re talking about aggregating data, you’re talking about people publishing their own data. This feels like the dream
Cedric and Alex (08:26) Exactly.
Josh Bressers (08:45) CVE has been talking about for decades, but you have done in a relatively short amount of time. And you don’t have to agree with me, but that’s what it feels like when you say this.
Cedric and Alex (08:55) Yeah,
So I think I’m quite involved in vulnerability disclosures. As a CERT we basically do assignment of CVE IDs on a regular basis and so on. Even as software engineers, we publish vulnerabilities for MISP. If you look at MISP we have plenty of CVEs, and I think that’s part of the game when you do software engineering, you end up with vulnerabilities. That’s part of the game. The thing is, what we have seen over time is that there are different models. For the CVE program, I think that’s what they want, and I think it makes a lot of sense, is to have, I would say, a hierarchical publication system. So that means they actually want to control what the CNAs are publishing to ensure the quality of the vulnerability disclosure. And I think I’m totally fine with that, and I think I’m a big supporter of that. As a CERT I like to have good quality vulnerability descriptions and so on.
And then you have discussion about, for example, conflicts of vulnerabilities. So you might have two CNAs publishing and then you have to resolve conflicts and so on. That’s part of the CVE program. That’s why sometimes it’s complex to publish things. I think from the GCVE one, I think I have my two heads there. I’m an open source developer and for me, Git makes a lot of sense. I mean, having two people maintaining two repositories, even from the same code base, doing forking, doing their own version and so on, makes a lot of sense. If at some point in time we agree, we merge from the Git repository and that makes sense. I think for GCVE it’s exactly the same. We don’t mind having two GNAs publishing about the same vulnerability. Now the question is why it’s a problem to have multiple publishing? I think it’s not. That’s my point of view on this. The reason is the following. If I have a vendor publishing about a vulnerability disclosure, maybe they receive information from a security researcher. The vulnerability itself is super interesting. They fix the vulnerability, but they don’t agree completely with the research from the security researcher. So they will publish their own advisory, which makes sense. They are the producer, they produce the… On the other hand, the security researcher might have a different point of view. And then you want to publish a security advisory too. And that’s where I don’t agree on the fact that it’s an issue. I think it’s an advantage. And I will explain why. As a CERT or a user of a software, I have the two points of view and I can’t take a decision. I can’t say… from this software vendor, I got these vulnerabilities, but the security researcher told me, by the way, this vulnerability might lead to this and this impact. That the vendor tries to hide or does not agree with. But that’s totally fine there. But you, as a user consuming this information, you see where it’s coming back with Vulnerability-Lookup, we want to see all the points of view. If you look at CVE IDs right now, we have plenty of different ones. For example, for CSAF sources, you can see that, for example, the CSAF from Cisco might contain much more information than the actual CVE being published. And that’s exactly what we basically not duplicate, but at least extend with GCVE in Vulnerability-Lookup, which is to add more metadata. Even our goal, we were discussing that maybe some will not publish vulnerabilities per se, but will publish meta information about vulnerabilities. Like for example, Josh would say, hey, by the way, I apply this patch, it doesn’t work. So the vulnerability is not fixed. The patch doesn’t work.
The vendor doesn’t say it, but Josh, as a security researcher, is publishing the information under a CNA. And then the others can say, Josh is a good security researcher, maybe we should take into account his point of view. So that’s really more the model of GCVE.
Josh Bressers (12:30) Holy cow, that’s a very good, I have never heard anyone explain some of the problems I think we see today in the CVE program with trying to like shovel one ID across the board for some of these problems better than that. And you’ve uncovered many things I think I realized but never really thought about. And so let me, I will explain part of the problem and you can correct me as I go because I’m sure I’ll make mistakes. But we’ll use Log4Shell as our example. Where Log4Shell comes out, there is one CVE ID that has literally thousands of references and it affects every vendor differently. And it’s just, it’s utter chaos, right? Like if you look at that CVE, in fact, we have special code in our product for that CVE just cause it’s such a mess. Like you can’t deal with it, right? And so you’re saying instead of having one ID with 4,000 references, you have 4,000 IDs that each basically have one reference and then there’s obviously some sort of linking them all together, I assume.
Cedric and Alex (13:30) Exactly.
You got it. It’s exactly that. And Log4j is a very good example. Where could it happen? It could happen that the software engineers that basically fix vulnerabilities could describe in a commit message where you did the fix and where you did the fix. Then you might have a security researcher. And if you remember for Log4j, we had like two or three CVEs popping up because the fix was not completely complete or correct. And then later on, other CVEs pop up.
So, for example, if a developer considered that this vulnerability is actually part of the same thing, they could say, okay, it’s the same ID. On the other hand, maybe Red Hat is operating different kinds of JVMs using the libraries, they might have a different one. And then, as long as I think the services like Vulnerability-Lookup, which is an open source software, can gather all the information, then the one running Java… So I have JBoss running, is my JBoss using log4j? Yes, maybe. I’m running this on an operating system that might use log4j for, I don’t know, syslog, whatever things and so on. And then I have different layers. And then you see that you have different sources and it makes a lot of sense. I see, for example, I’m really interested in VEX because VEX is really doing metadata on CVEs. And you see it’s exactly that with Red Hat. Red Hat publishes VEX data sources with additional information about the software they package. And I think it makes sense. And still thinking that a single centralized organization will be able to handle all the use cases and so on, for me, it’s a utopia. I know I had a discussion with people from CISA recently and so on, and hi to Tom here. So I think we don’t agree on that aspect, but that’s totally fine.
But I mean, it’s complementary. You need to have meta information about vulnerabilities. It’s changing, it’s not fixed. The publication process is evolving. For me, we need to transition from CVS, SVN to Git. And that’s where we are maybe, in this transition for vulnerabilities, to have a distributed system for publication and so on. I have seen some initiatives right now when they were afraid about the CVE program having issues and so on, and they were like going into these blockchain models and so on. To be honest, I’m not a big fan of blockchain technologies and so on. So I don’t think it’s really the way to go. But for us it was really very simple. For example, Cedric, correct me if I’m wrong, but how long did it take you to do the implementation of the distributed publication? It was quite very, very fast. So, as I said, we already had all the things in the backend implemented. It’s relying on the API of Vulnerability-Lookup. So it took like a couple of days, I mean, because we have as well the distribution of the registry. The registry is distributed. If you install a Vulnerability-Lookup instance, you don’t only have the advisories from other sources. You have as well the central registry, which is cached in your Vulnerability-Lookup instance. So you don’t have to make a request. Yeah, true. And GCVE is just actually publishing a directory with entries for each GNA, and that’s basically it. And core functionalities like correlation of security advisories were already in Vulnerability-Lookup since the beginning of the project, it’s like that in the database. So we have correlations, and maybe we forgot to mention that we have bundles. If you have a lot of security advisories, we can create a bundle, a set of advisories with different sources as well, different kinds of IDs.
Yes, so that means what we want, it’s in the open source, and I think that’s the thing that we want to see: other open source projects actually implementing the standard, which is very straightforward, and with multiple implementations, people producing more data or more metadata. I’m sure that maybe some of your listeners are open source developers or users and they could contribute some input there. That’s, I think, what we want to capture.
Josh Bressers (17:39) Okay, so
let me ask you about that. So Cedric, you just talked about ingesting all this data. Do you have the ability to modify data inside of the tool, or is it strictly that you are only aggregating and mirroring?
Cedric and Alex (17:51) No, we don’t modify, we just get the data from the remote source, and if you want to edit it, automatically, we call it a fork. So it will be forked in your local source because it makes no sense to edit an advisory that you get from the CVE program. Anyway, it will be overwritten in the next round.
Which is, I think this question is super, super important. And I think it’s the thing that we need to talk about. The thing is, in a Vulnerability-Lookup instance, you can indeed fork data. And the thing is, when you fork the data, you fork under your own ID. And the ID is basically the GNA ID. So if you want to extend an existing CVE or a CSAF or even, recently we introduced CNVD, so if you want to update the Chinese vulnerabilities, the National Vulnerability Database from the Chinese CERT, you can edit it and you can publish on your own. So it’s becoming actually a fork of the data with additional information. So if you want to quickly fix that. And for me, I think the idea behind it is to really push collaboration, because right now, what do you do to modify a CVE? So I’m an external person and I want to edit it. How can I do that?
You see that for me, applying the open source model to vulnerabilities makes a lot of sense. But I know maybe from the CVE program perspective, it’s a different model. And I think it’s complementary. Both will exist. And you need to have additional information, metadata for all the vulnerabilities.
Josh Bressers (19:24) Yes.
I agree with everything you just said in ways you cannot imagine. I have tried updating CVE records and NVD records more times than I can count. And I would say more than 50% of the time, it has basically ended with me rage quitting because it is such a frustrating and horrible process versus you talking about like, you know, the open source model. GitHub has a vulnerability database.
Cedric and Alex (19:42) Okay.
Josh Bressers (20:05) that is a literal GitHub repository and they accept pull requests to it. And I have never had an update to them take more than 24 hours to be accepted or they’ll tell me no. And they’ll explain why they disagree with me. And then I get sad cause whatever, but the fact that I get a response is enormous progress. So this is
Cedric and Alex (20:22) Yeah, but that’s already great. I mean, and to be honest, hats off to GitHub, because the GitHub repository of vulnerabilities and so on is very good. So if users of, I would say, open source tools and so on from this audience today want to have a look, we have a running instance on the internet called vulnerability.circl.lu. Maybe you’ll share the links later on. But I think if you want to see all the kinds of relationships between CVE IDs,
Josh Bressers (20:31) Yes.
Cedric and Alex (20:52) because there is a lot of relationship. Indeed, CVE IDs are great to add the correlations. But if you look, for example, at the CNVD database, I think it was like 30% have no CVE ID.
So that means, and that’s something that we are even looking into more, it’s to have more of a matrix table of all those IDs together. So for example, we are working with the EUVD database right now to basically have the mapping of the EUVD in Vulnerability-Lookup. So that’s straightforward. But it will be needed, and it’s already needed, for CSAF. If you look at all the CSAF sources, they have their own IDs. Cisco has their own IDs, Siemens has their own IDs, and that’s totally fine. But you need to have like mapping IDs. But we have some ideas on descriptions and so on. In Vulnerability-Lookup we have some stuff with AI called VLAI about severities, but we have some idea of basically creating correlations automatically through similarities of text, but that’s ongoing work on the software.
Josh Bressers (21:54) Sure, Holy cow. This is really cool. And I want to also just kind of explain. So you mentioned if I want to modify the data and in your universe, it creates what you call a fork versus in the CVE universe. I mean, I can explain kind of what this looks like today where there is inside of CVE records, have the ADP, the authorized data provider, I think it’s called. And the idea being, and this was the dream. There’s the dream versus reality.
Cedric and Alex (22:15) ADB. Yes.
Josh Bressers (22:23) where the dream was anyone could kind of be an ADP and then like if, if Anchore for example, the company I work for, wants to submit some different information because we have our own set of data. It’s in GitHub and it’s public, but like we have our own set of data where we modify certain CVE records when a customer contacts us and it’s like, Hey, there’s a mistake in this. We just fix it because, if it’s, if it’s GitHub, for example, we’ll go upstream to GitHub first, but if it’s a CVE record, we’ve just given up or like, whatever, we’ll just keep our own copy and we’ll change it. But now we functionally have a fork of CVE, right? And we have no good way to explain this is a change we made, but in your universe, you’ve solved that problem where if someone makes a change, they just get a completely different ID and it has all of their different information. And I mean, heck, we had this, I worked at Red Hat for a decade. We had this problem all the time. I mean, the reason Red Hat publishes their own CVSS severity scores is because the NVD scores were so bad, and the customers would contact us and we’re like, we just have to do this, you know, but now we have two databases, right? And you aggregate them.
Cedric and Alex (23:26) Totally true.
And there’s one topic, but I think this one would be a complete topic on its own. It’s the CPE value, so the common platform enumeration. That’s another thing that needs to be in some way fixed. It’s a tough one, but at least we have product, vendor IDs, and so on in line. In Vulnerability-Lookup, we try, for example, to map an organization
Josh Bressers (23:43) ⁓ yes.
Cedric and Alex (23:54) to multiple organizations, or a classical problem is acquisition of companies. So if you have Sun Microsystems that has been acquired by Oracle, you still need to have the historical data. And if I want to search for the old JVM from Sun, it’s still applicable. Another thing that we try to solve in Vulnerability-Lookup, but we still have, I think, a lot of work there. But I think the ID allocation problem is not, I would say, easy to solve, but that’s something that we try to solve. What we did as an initiative for GCVE is not coming from nowhere. It’s actually coming from all the past history.
The thing is, for the CPE part, which is an interesting topic about common platform enumerations, this problem is not solved, but the same with organizations. So, multiple organizations creating different vulnerabilities, they change names, they get acquired. There is duplication of names and stuff like that. It’s another problem to solve. So, if you want to search and you look at CPE, if you search for Microsoft, Microsoft has like six or seven different entries as vendor. At least, yeah. Maybe even more. So that’s something that is, I think, an inherent problem. And I think we have to tackle that diversity not by creating new standards, I think. We have to tackle that problem by creating open source software that will be able to basically process the data and start to combine it and produce data sets and corpora that we can import afterwards. That’s really the model.
Josh Bressers (25:10) Yes.
Okay, so I’ll ask Cedric then. So do you support PURLs? Cause I had Philippe Ombredanne on the show a couple episodes ago, just to talk about PURL, which, CPE versus PURL feels like, my goodness, like there’s no comparison even.
Cedric and Alex (25:43) ⁓
Yes.
Yes. But we plan to support it as well. So it’s already somehow in the platform. Yes, it’s possible. What we did actually is we have the notion of organization now. Organizations are containers for vendors. So we have a set of vendors linked to an organization. And for each organization, you can have products. And products can be linked to CPE or PURL.
Josh Bressers (25:56) Okay, cool, cool.
Okay, okay, that makes sense. That feels like the right thing to do. This is, I mean…
Cedric and Alex (26:20) Yeah, I think it might be one of the partial solutions, I would say, I just thought about it. Yes, for CPE for example. So there is plenty of work. And what Philippe is doing there is great. I think it’s really going in the right direction. But I think it’s really focusing on packaging. And we as a CERT, we have plenty of software that has basically no reference. Even the product name is super confusing. You have white labeling.
Josh Bressers (26:30) Yeah, yeah. Well.
Yes.
Cedric and Alex (26:49) Just look at classical things like a component for cars and things like that. Sometimes it’s basically under a different label or different names, vendor names. And it’s very difficult to track all of them because sometimes it’s just a product name which is linked to a specific manufacturer name. So the problem, I think, is just at the beginning of the issue that we have there.
Josh Bressers (27:11) Yes.
What’s the old joke? The two hardest problems in computer science are what? Cache invalidation and naming things. What? Naming things and off-by-one errors, right? Like I get it. I get it. It’s yeah. Yeah. There’s, it’s always funny because you know, we have, Anchore has Syft and Grype, and obviously Syft generates identifiers that Grype then uses for doing lookups and
Cedric and Alex (27:18) Cache invalidations and yes.
Josh Bressers (27:36) It always feels like we just go in these circles where like, we should use PURLs for everything. Wait, but PURLs don’t do this thing. It’s like, crap. Well, how do we solve that then? Let’s do this thing. It’s like, no, we’re starting to invent a new way to do this. Like stop doing that.
Cedric and Alex (27:48) But there’s something interesting about versioning and product names and vendor names. A lot of people say, yeah, but you know, you need to verify these specific versions. I say, don’t look at versions. Look at product and vendor names already. It’s already very difficult. Look at the current situation with SharePoint.
One of my colleagues did an nmap script to scan for proper versions. There is no easy way to do it. For example, he’s doing it with GitLab and he’s looking at JavaScript files and versions to basically get and guess the versions. So even vendors are not able to provide the version number. So how can you use security tools to find out the right vulnerabilities if even the source, the original software, is not able to give you the proper versions and stuff like that?
Josh Bressers (28:07) my goodness.
my goodness.
Cedric and Alex (28:35) Yes, and sometimes you have versions that are linked directly to the name of the product or in the version field. It’s… You have service packs on some Microsoft products within the product names and so on, which is like,
Josh Bressers (28:38) What?
it’s funny because it’s true. Okay, let’s land this plane. So I feel like we’ve been talking, we’ve kind of had a random mishmash of topics, which is fine because this is a weird thing to do. So I would say we have a vague idea what GCVE is. And I’ve learned a whole bunch of new things that I didn’t even realize before. But for anyone listening who’s kind of interested in this, what is… What would you recommend? Like what are good ways to maybe get involved? I mean, this is all open source, which is amazing as well, which I love, but like how, how can we use it? How can we contribute to it? How can we like, like what, what are the next steps?
Cedric and Alex (29:33) So there are multiple ways. So the first is just check out the website, gcve.eu, which includes all the details about the process and so on. If you want to become a GNA, you basically have a paragraph on how to do it, and you send an email and you get a GNA, it’s super easy. Now, if you want to go a bit further, like operating your own instance of Vulnerability-Lookup for collecting vulnerabilities, and maybe in the future to publish it, you have to go to vulnerability-lookup.org, which is the website of the
Josh Bressers (29:49) That’s awesome.
Cedric and Alex (30:03) project. And if you are curious about how Vulnerability-Lookup works and you want to see one live and you don’t have time to install the open source version, you just want to run and use the service, we run one for free. It’s called vulnerability.circl.lu, circl like circle without the E, at dot lu. So vulnerability.circl.lu. And on this one you can basically register and you can even use the platform, see all the vulnerabilities in different sources. The API is completely accessible. We don’t have anything to sell. We are a CERT.
So why we do that, we want people to use it to basically secure their infrastructure. So that’s our goal. If they do it in Luxembourg, that’s great. If they do it abroad, it’s even better. So that’s really the idea behind it.
Josh Bressers (30:46) And I have one last question then before we go. So there is also the European Union vulnerability database that’s very new. What does that relationship look like between like GCVE and the EUVD?
Cedric and Alex (30:58) So we have a strong relationship. So the EUVD is part of the NIS directive, so it’s the European directive about information security. And the network behind it, so it’s a network of CSIRTs, we are part of that network. And we even provide Vulnerability-Lookup as a backend software for EUVD. So if you go on the EUVD website, you’ll see that Vulnerability-Lookup is actually one of the sources for them for the backend system. So EUVD actually, it’s ENISA that is running it. That’s great. It’s really basically to ensure that at the European Union level, we are able to basically have a CNA at European level. If one of the CSIRTs wants to basically get a CVE ID, they can just go through ENISA and so on. They are in the process of basically becoming a root level CNA. So that makes a lot of sense. And in the future, so that’s something that we’re working on with them. So we work closely with them. It’s to ensure that the EUVD IDs are part of Vulnerability-Lookup and distributed and we have the correlation. So we are huge fans and we work with them too. So if you run Vulnerability-Lookup you will be able to basically get the data from EUVD. That’s pretty cool.
Josh Bressers (32:11) I love it. I love it. All right, Alex and Cedric, I wanna thank you both. This has been an amazing conversation. I have learned so much more than I expected. So amazing and thank you.
Cedric and Alex (32:22) Thank you very much.