Decentralized Vulnerability Disclosure Using Permissioned Blockchain: A Secure and Transparent Alternative to Centralized CVE Management

Novruz Amirov; Nahid Aliyev; Kemal Bicakci

doi:10.1109/ISCTrkiye68593.2025.11224809

Decentralized Vulnerability Disclosure Using Permissioned Blockchain: A Secure and Transparent Alternative to Centralized CVE Management

Novruz Amirov
, Nahid Aliyev
, Kemal Bicakci

Informatics Institute

Istanbul Technical University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

This study introduces a decentralized, blockchaindriven framework for publishing Common Vulnerabilities and Exposures (CVEs) as an alternative to the predominantly centralized model managed by MITRE. The proposed solution employs a permissioned blockchain that restricts write privileges to authenticated CVE Numbering Authorities (CNAs) while maintaining public transparency. Through the integration of smart contracts, the framework enables essential functions such as embargoed vulnerability disclosures and decentralized governance. We assess the proposed approach against current practices, demonstrating its improvements in transparency, trust distribution, and auditability. Furthermore, we present a prototype built on Hyperledger Fabric to validate the feasibility of the model and discuss its potential impact on the evolution of vulnerability disclosure mechanisms.

Original language	English
Title of host publication	2025 18th International Conference on Information Security and Cryptology, ISCTurkiye 2025 - Proceedings
Editors	Ali Aydin Selcuk, Seref Sagiroglu, Oguz Yayla, Cihangir Tezcan
Publisher	Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)	9798331557102
DOIs	https://doi.org/10.1109/ISCTrkiye68593.2025.11224809
Publication status	Published - 2025
Event	18th International Conference on Information Security and Cryptology, ISCTurkiye 2025 - Ankara, Turkey Duration: 22 Oct 2025 → 23 Oct 2025

Publication series

Name	2025 18th International Conference on Information Security and Cryptology, ISCTurkiye 2025 - Proceedings

Conference

Conference	18th International Conference on Information Security and Cryptology, ISCTurkiye 2025
Country/Territory	Turkey
City	Ankara
Period	22/10/25 → 23/10/25

Bibliographical note

Publisher Copyright:
© 2025 IEEE.

Keywords

Common Vulnerabilities and Exposures (CVE)
Decentralized Vulnerability Disclosure
Hyperledger Fabric
Permissioned Blockchain
Smart Contracts
Trust Distribution

Access to Document

10.1109/ISCTrkiye68593.2025.11224809

Cite this

Amirov, N., Aliyev, N., & Bicakci, K. (2025). Decentralized Vulnerability Disclosure Using Permissioned Blockchain: A Secure and Transparent Alternative to Centralized CVE Management. In A. A. Selcuk, S. Sagiroglu, O. Yayla, & C. Tezcan (Eds.), 2025 18th International Conference on Information Security and Cryptology, ISCTurkiye 2025 - Proceedings (2025 18th International Conference on Information Security and Cryptology, ISCTurkiye 2025 - Proceedings). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/ISCTrkiye68593.2025.11224809

Amirov, Novruz ; Aliyev, Nahid ; Bicakci, Kemal. / Decentralized Vulnerability Disclosure Using Permissioned Blockchain : A Secure and Transparent Alternative to Centralized CVE Management. 2025 18th International Conference on Information Security and Cryptology, ISCTurkiye 2025 - Proceedings. editor / Ali Aydin Selcuk ; Seref Sagiroglu ; Oguz Yayla ; Cihangir Tezcan. Institute of Electrical and Electronics Engineers Inc., 2025. (2025 18th International Conference on Information Security and Cryptology, ISCTurkiye 2025 - Proceedings).

@inproceedings{046cbe914e234ed09e1ae861b6811803,

title = "Decentralized Vulnerability Disclosure Using Permissioned Blockchain: A Secure and Transparent Alternative to Centralized CVE Management",

abstract = "This study introduces a decentralized, blockchaindriven framework for publishing Common Vulnerabilities and Exposures (CVEs) as an alternative to the predominantly centralized model managed by MITRE. The proposed solution employs a permissioned blockchain that restricts write privileges to authenticated CVE Numbering Authorities (CNAs) while maintaining public transparency. Through the integration of smart contracts, the framework enables essential functions such as embargoed vulnerability disclosures and decentralized governance. We assess the proposed approach against current practices, demonstrating its improvements in transparency, trust distribution, and auditability. Furthermore, we present a prototype built on Hyperledger Fabric to validate the feasibility of the model and discuss its potential impact on the evolution of vulnerability disclosure mechanisms.",

keywords = "Common Vulnerabilities and Exposures (CVE), Decentralized Vulnerability Disclosure, Hyperledger Fabric, Permissioned Blockchain, Smart Contracts, Trust Distribution",

author = "Novruz Amirov and Nahid Aliyev and Kemal Bicakci",

note = "Publisher Copyright: {\textcopyright} 2025 IEEE.; 18th International Conference on Information Security and Cryptology, ISCTurkiye 2025 ; Conference date: 22-10-2025 Through 23-10-2025",

year = "2025",

doi = "10.1109/ISCTrkiye68593.2025.11224809",

language = "English",

series = "2025 18th International Conference on Information Security and Cryptology, ISCTurkiye 2025 - Proceedings",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

editor = "Selcuk, \{Ali Aydin\} and Seref Sagiroglu and Oguz Yayla and Cihangir Tezcan",

booktitle = "2025 18th International Conference on Information Security and Cryptology, ISCTurkiye 2025 - Proceedings",

address = "United States",

}

Amirov, N, Aliyev, N & Bicakci, K 2025, Decentralized Vulnerability Disclosure Using Permissioned Blockchain: A Secure and Transparent Alternative to Centralized CVE Management. in AA Selcuk, S Sagiroglu, O Yayla & C Tezcan (eds), 2025 18th International Conference on Information Security and Cryptology, ISCTurkiye 2025 - Proceedings. 2025 18th International Conference on Information Security and Cryptology, ISCTurkiye 2025 - Proceedings, Institute of Electrical and Electronics Engineers Inc., 18th International Conference on Information Security and Cryptology, ISCTurkiye 2025, Ankara, Turkey, 22/10/25. https://doi.org/10.1109/ISCTrkiye68593.2025.11224809

Decentralized Vulnerability Disclosure Using Permissioned Blockchain: A Secure and Transparent Alternative to Centralized CVE Management. / Amirov, Novruz; Aliyev, Nahid; Bicakci, Kemal.
2025 18th International Conference on Information Security and Cryptology, ISCTurkiye 2025 - Proceedings. ed. / Ali Aydin Selcuk; Seref Sagiroglu; Oguz Yayla; Cihangir Tezcan. Institute of Electrical and Electronics Engineers Inc., 2025. (2025 18th International Conference on Information Security and Cryptology, ISCTurkiye 2025 - Proceedings).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Decentralized Vulnerability Disclosure Using Permissioned Blockchain

T2 - 18th International Conference on Information Security and Cryptology, ISCTurkiye 2025

AU - Amirov, Novruz

AU - Aliyev, Nahid

AU - Bicakci, Kemal

PY - 2025

Y1 - 2025

N2 - This study introduces a decentralized, blockchaindriven framework for publishing Common Vulnerabilities and Exposures (CVEs) as an alternative to the predominantly centralized model managed by MITRE. The proposed solution employs a permissioned blockchain that restricts write privileges to authenticated CVE Numbering Authorities (CNAs) while maintaining public transparency. Through the integration of smart contracts, the framework enables essential functions such as embargoed vulnerability disclosures and decentralized governance. We assess the proposed approach against current practices, demonstrating its improvements in transparency, trust distribution, and auditability. Furthermore, we present a prototype built on Hyperledger Fabric to validate the feasibility of the model and discuss its potential impact on the evolution of vulnerability disclosure mechanisms.

AB - This study introduces a decentralized, blockchaindriven framework for publishing Common Vulnerabilities and Exposures (CVEs) as an alternative to the predominantly centralized model managed by MITRE. The proposed solution employs a permissioned blockchain that restricts write privileges to authenticated CVE Numbering Authorities (CNAs) while maintaining public transparency. Through the integration of smart contracts, the framework enables essential functions such as embargoed vulnerability disclosures and decentralized governance. We assess the proposed approach against current practices, demonstrating its improvements in transparency, trust distribution, and auditability. Furthermore, we present a prototype built on Hyperledger Fabric to validate the feasibility of the model and discuss its potential impact on the evolution of vulnerability disclosure mechanisms.

KW - Common Vulnerabilities and Exposures (CVE)

KW - Decentralized Vulnerability Disclosure

KW - Hyperledger Fabric

KW - Permissioned Blockchain

KW - Smart Contracts

KW - Trust Distribution

UR - https://www.scopus.com/pages/publications/105025197390

U2 - 10.1109/ISCTrkiye68593.2025.11224809

DO - 10.1109/ISCTrkiye68593.2025.11224809

M3 - Conference contribution

AN - SCOPUS:105025197390

T3 - 2025 18th International Conference on Information Security and Cryptology, ISCTurkiye 2025 - Proceedings

BT - 2025 18th International Conference on Information Security and Cryptology, ISCTurkiye 2025 - Proceedings

A2 - Selcuk, Ali Aydin

A2 - Sagiroglu, Seref

A2 - Yayla, Oguz

A2 - Tezcan, Cihangir

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 22 October 2025 through 23 October 2025

ER -

Amirov N, Aliyev N, Bicakci K. Decentralized Vulnerability Disclosure Using Permissioned Blockchain: A Secure and Transparent Alternative to Centralized CVE Management. In Selcuk AA, Sagiroglu S, Yayla O, Tezcan C, editors, 2025 18th International Conference on Information Security and Cryptology, ISCTurkiye 2025 - Proceedings. Institute of Electrical and Electronics Engineers Inc. 2025. (2025 18th International Conference on Information Security and Cryptology, ISCTurkiye 2025 - Proceedings). doi: 10.1109/ISCTrkiye68593.2025.11224809

Decentralized Vulnerability Disclosure Using Permissioned Blockchain: A Secure and Transparent Alternative to Centralized CVE Management

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this