{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://gcve.eu/schemas/bcp-07-kev-assertion.schema.json",
  "title": "GCVE-BCP-07 Known Exploited Vulnerability (KEV) Assertion",
  "type": "object",
  "additionalProperties": false,
  "required": [
    "vulnerability",
    "status"
  ],
  "properties": {
    "vulnerability": {
      "type": "object",
      "additionalProperties": false,
      "required": [
        "vulnId"
      ],
      "properties": {
        "vulnId": {
          "type": "string",
          "description": "Primary identifier of the vulnerability: a GCVE, CVE or GHSA ID, or any other identifier."
        },
        "altId": {
          "type": "array",
          "description": "Alternative identifiers that refer to the same vulnerability, used in addition to vulnerability.vulnId.",
          "items": {
            "type": "string"
          }
        }
      }
    },
    "gcve": {
      "$ref": "#/$defs/gcveRoot",
      "description": "Structured object describing GCVE origin metadata for the KEV assertion."
    },
    "uuid": {
      "type": "string",
      "format": "uuid",
      "description": "Globally unique identifier (UUID v4) assigned to the KEV assertion record."
    },
    "status": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "exploited": {
          "type": "boolean",
          "description": "Indicates whether exploitation has been observed or asserted."
        },
        "status_reason": {
          "type": "string",
          "description": "Rationale behind the exploitation status.",
          "enum": [
            "confirmed",
            "suspected",
            "disputed",
            "historical",
            "unknown"
          ]
        },
        "status_updated_at": {
          "type": "string",
          "format": "date-time",
          "description": "Timestamp of the last change to the exploitation status in the KEV assertion (RFC3339)."
        }
      }
    },
    "characteristics": {
      "type": "object",
      "additionalProperties": false,
      "description": "High-level technical characteristics relevant to exploitation assessment.",
      "properties": {
        "remote_code_execution": {
          "type": "boolean",
          "description": "Whether successful exploitation can result in remote code execution."
        },
        "authentication_required": {
          "type": "boolean",
          "description": "Whether authentication is required to exploit the vulnerability."
        },
        "local_access_required": {
          "type": "boolean",
          "description": "Whether local system access is required prior to exploitation."
        },
        "severity": {
          "type": "number",
          "minimum": 0,
          "maximum": 100,
          "description": "Severity associated with this vulnerability, on a scale from 0 to 100."
        }
      }
    },
    "timestamps": {
      "type": "object",
      "additionalProperties": false,
      "description": "Distinct timestamps for first observation, official assertion, recording and last observation, kept separate to avoid ambiguity.",
      "properties": {
        "first_seen_at": {
          "type": "string",
          "format": "date-time",
          "description": "Earliest known exploitation activity based on technical observation (RFC3339)."
        },
        "asserted_at": {
          "type": "string",
          "format": "date-time",
          "description": "Timestamp at which an authority or source officially declared exploitation (RFC 3339)."
        },
        "recorded_at": {
          "type": "string",
          "format": "date-time",
          "description": "Timestamp when this assertion was ingested/recorded by the collector (RFC3339)."
        },
        "last_seen_at": {
          "type": "string",
          "format": "date-time",
          "description": "Most recent confirmed observation of exploitation activity (RFC3339)."
        }
      }
    },
    "scope": {
      "type": "object",
      "additionalProperties": false,
      "description": "Observed context of exploitation.",
      "properties": {
        "observation_regions": {
          "type": "array",
          "description": "Geographic regions where exploitation evidence was observed (optionally expressed as UN M49 codes).",
          "items": {
            "type": "string"
          }
        },
        "victim_countries": {
          "type": "array",
          "description": "Countries where confirmed victims were identified, given as two-letter ISO 3166 codes.",
          "items": {
            "type": "string",
            "minLength": 2,
            "maxLength": 2
          }
        },
        "sector": {
          "type": "array",
          "description": "Sectors targeted or affected (values SHALL come from the MISP galaxy 'sector').",
          "items": {
            "type": "string"
          }
        },
        "asset_exposure": {
          "type": "array",
          "description": "Exposure context of affected assets.",
          "items": {
            "type": "string",
            "enum": [
              "internet-facing",
              "internal",
              "vpn-accessible",
              "unknown"
            ]
          }
        },
        "notes": {
          "type": "string",
          "description": "Human-readable clarifications to prevent misinterpretation."
        }
      }
    },
    "evidence": {
      "type": "array",
      "description": "Collection of independent signals supporting the exploitation claim.",
      "items": {
        "$ref": "#/$defs/evidenceItem"
      }
    },
    "references": {
      "type": "array",
      "description": "Links/IDs referencing external resources about the vulnerability or sightings.",
      "items": {
        "$ref": "#/$defs/reference"
      }
    }
  },
  "$defs": {
    "reference": {
      "type": "object",
      "additionalProperties": false,
      "required": [
        "id",
        "url"
      ],
      "properties": {
        "id": {
          "type": "string"
        },
        "url": {
          "type": "string",
          "format": "uri"
        }
      }
    },
    "confidence": {
      "description": "Confidence level: number (0.0–1.0) or an implementation-specific enum/string.",
      "oneOf": [
        {
          "type": "number",
          "minimum": 0,
          "maximum": 1
        },
        {
          "type": "string"
        }
      ]
    },
    "evidenceSignal": {
      "oneOf": [
        {
          "type": "string",
          "enum": [
            "in_the_wild_attempts",
            "successful_exploitation",
            "confirmed_compromise",
            "mass_scanning",
            "weaponized_exploit_available"
          ]
        },
        {
          "type": "array",
          "items": {
            "type": "string",
            "enum": [
              "in_the_wild_attempts",
              "successful_exploitation",
              "confirmed_compromise",
              "mass_scanning",
              "weaponized_exploit_available"
            ]
          },
          "minItems": 1,
          "uniqueItems": true
        }
      ]
    },
    "gcveEvidence": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "origin_uuid": {
          "type": "string",
          "description": "UUID of the origin instance where the assertion originated."
        },
        "gna": {
          "type": "integer",
          "minimum": 0,
          "maximum": 65535,
          "description": "GNA ID identifying the origin of the assertion."
        },
        "object_uuid": {
          "type": "string",
          "description": "UUID of the assertion associated with this evidence in the GCVE ecosystem."
        }
      }
    },
    "gcveRoot": {
      "type": "object",
      "additionalProperties": false,
      "description": "GCVE metadata describing the origin and identity of the KEV assertion.",
      "properties": {
        "origin_uuid": {
          "type": "string",
          "format": "uuid",
          "description": "UUID of the origin instance where the KEV assertion originated."
        },
        "gna": {
          "type": "integer",
          "minimum": 0,
          "maximum": 65535,
          "description": "GNA ID identifying the origin of the KEV assertion."
        },
        "object_uuid": {
          "type": "string",
          "format": "uuid",
          "description": "UUID of the KEV assertion in the GCVE ecosystem."
        }
      }
    },
    "evidenceItem": {
      "type": "object",
      "additionalProperties": false,
      "required": [
        "source"
      ],
      "properties": {
        "type": {
          "type": "string",
          "description": "Origin of the exploitation evidence.",
          "enum": [
            "incident_response",
            "telemetry",
            "honeypot",
            "sinkhole",
            "vendor_report",
            "csirt_report",
            "public_report",
            "research_report",
            "unknown"
          ]
        },
        "signal": {
          "$ref": "#/$defs/evidenceSignal",
          "description": "Nature of the observed exploitation signal (string or array of strings)."
        },
        "confidence": {
          "$ref": "#/$defs/confidence"
        },
        "source": {
          "type": "string",
          "description": "Logical identifier of the reporting entity or data source."
        },
        "details": {
          "type": "object",
          "description": "Structured, free-form metadata describing how the signal was derived (implementation-specific).",
          "additionalProperties": true
        },
        "gcve": {
          "$ref": "#/$defs/gcveEvidence",
          "description": "Structured object describing evidence originating from the GCVE ecosystem."
        }
      }
    }
  }
}
