Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities. CVE’s common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization’s security tools. If a report from one of your security tools incorporates CVE Identifiers, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.
CVE was launched in 1999 when most information security tools used their own databases with their own names for security vulnerabilities. At that time there was no significant variation among products and no easy way to determine when the different databases were referring to the same problem. The consequences were potential gaps in security coverage and no effective interoperability among the disparate databases and tools. In addition, each tool vendor used different metrics to state the number of vulnerabilities or exposures they detected, which meant there was no standardized basis for evaluation among the tools.
CVE’s common, standardized identifiers provided the solution to these problems.
CVE is now the industry standard for vulnerability and exposure names. CVE Identifiers provide reference points for data exchange so that information security products and services can speak with each other. CVE Identifiers also provides a baseline for evaluating the coverage of tools and services so that users can determine which tools are most effective and appropriate for their organization’s needs. In short, products and services compatible with CVE provide better coverage, easier interoperability, and enhanced security.
How CVE Works
The process of creating a CVE Identifier begins with the discovery of a potential security vulnerability.
The information is then assigned a CVE Identifier by a CVE Numbering Authority (CNA) and posted on the CVE List on the CVE Web site by the CVE Editor. As part of its management of CVE, The MITRE Corporation functions as Editor and Primary CNA.
The CVE Editorial Board oversees this process.
The information security community endorsed the importance of CVE via "CVE-Compatible" products and services from the moment CVE was launched in 1999. As quickly as December 2000 there were 29 organizations participating with declarations of compatibility for 43 products. Today, those numbers have increased significantly with 300+ products and services from 150+ organizations listed on the CVE Web site. A major milestone for compatibility was the formalization of the CVE Compatibility Process in 2003 that led to the ongoing presentation of "Certificates of CVE Compatibility" to those organizations that achieve "official" compatibility status for their products or services.
Another significant factor to adoption is the ongoing inclusion of CVE Identifiers in security advisories. Numerous major OS vendors and other organizations from around the world include CVEs in their alerts to ensure that the international community benefits by having the CVE Identifiers as soon as a problem is announced. In addition, CVE Identifiers have been used, since its 2000 inception, to identify vulnerabilities in the SANS Top Cyber Security Risks threat list. In 2002, the U.S. National Institute of Standards and Technology (NIST) released two documents recommending the use of CVE by U.S. agencies: "NIST Special Publication (SP) 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme" and "NIST Special Publication 800-40, Procedures for Handling Security Patches" in which CVE is mentioned throughout. In June 2004, the U.S. Defense Information Systems Agency (DISA) issued a task order for information assurance applications that requires the use of products that use CVE Identifiers.
CVE has also been used as the basis for entirely new services. NIST’s U.S. National Vulnerability Database (NVD)—a "comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources"—is synchronized with, and based on, the CVE List. NVD also includes Security Content Automation Protocol (SCAP) mappings for CVE-IDs. SCAP is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance) and CVE is one of the open community standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. CVE Change Logs is a tool created by CERIAS/Purdue University that monitors additions and changes to the CVE List and allows users to obtain daily or monthly reports. MITRE’s Common Weakness Enumeration (CWE™) is a formal dictionary of common software weaknesses that is based in part on the 60,000+ CVE Identifiers on the CVE List, and its Open Vulnerability and Assessment Language (OVAL®) is the standard for determining vulnerability and configuration issues on computer systems using community-developed XML schemas and definitions with its OVAL Vulnerability Definitions based primarily on CVE Identifiers.
And in 2011, the International Telecommunication Union’s (ITU-T) Cybersecurity Rapporteur Group, which is the telecom/information system standards body within the treaty-based 150-year-old intergovernmental organization, adopted CVE as a part of its new "Global Cybersecurity Information Exchange techniques (X.CYBEX)" by issuing Recommendation ITU-T X.1520 Common Vulnerabilities and Exposures (CVE), that is based upon CVE’s current Compatibility Requirements, and any future changes to the document will be reflected in subsequent updates to X.CVE.
CVE is an international information security community effort. In addition to the contributions of the CVE Editorial Board and the CVE Sponsor, numerous organizations from around the world have made their products CVE-Compatible, have included CVE Identifiers in their security advisories, and/or have adopted or promoted the use of CVE.
CVE Editorial Board
The CVE Editorial Board, which includes members from numerous information security-related organizations from around world such as commercial security tool vendors, members of academia, research institutions, government agencies, and other prominent security experts, approves which vulnerabilities or exposures are included in the CVE List.
CVE-Compatible Products and Services
Numerous organizations from around the world have made their information security products and services "CVE-Compatible" by incorporating CVE Identifiers. Refer to the CVE Compatibility section for a list of official CVE-Compatible Products and Services and Declarations to Be CVE-Compatible.
Take the Next Step
We encourage you to adopt CVE-Compatible Products or Services for your enterprise, incorporate CVE Identifiers into your products or research, and/or promote the use of CVE. Contact firstname.lastname@example.org for more information.