About CVE

    Why CVE
    How CVE Works
    CVE Community
    Take the Next Step

Common Vulnerabilities and Exposures (CVE®) is a list of common identifiers for publicly known cybersecurity vulnerabilities.

Use of CVE Entries, which are assigned by CVE Numbering Authorities (CNAs) from around the world, ensures confidence among parties when used to discuss or share information about a unique software or firmware vulnerability, provides a baseline for tool evaluation, and enables data exchange for cybersecurity automation.

CVE is:

Why CVE

With & Without CVE

CVE was launched in 1999 when most cybersecurity tools used their own databases with their own names for security vulnerabilities. At that time there was significant variation among products and no easy way to determine when the different databases were referring to the same problem. The consequences were potential gaps in security coverage and no effective interoperability among the disparate databases and tools. In addition, each tool vendor used different metrics to state the number of vulnerabilities or exposures they detected, which meant there was no standardized basis for evaluation among the tools.

CVE’s common, standardized identifiers provided the solution to these problems.

CVE is now the industry standard for vulnerability and exposure identifiers. CVE Entries — also called "CVEs," "CVE IDs," and "CVE numbers" by the community — provide reference points for data exchange so that cybersecurity products and services can speak with each other. CVE Entries also provides a baseline for evaluating the coverage of tools and services so that users can determine which tools are most effective and appropriate for their organization’s needs. In short, products and services compatible with CVE provide better coverage, easier interoperability, and enhanced security.

How CVE Works

Each CVE Entry includes:

  • CVE ID number (i.e., "CVE-1999-0067", "CVE-2014-10001", "CVE-2014-100001").
  • Brief Description of the security vulnerability or exposure.
  • Any pertinent References (i.e., vulnerability reports and advisories).

The process of creating a CVE Entry begins with the discovery of a potential security vulnerability.

The information is then assigned a CVE ID by a CVE Numbering Authority (CNA), the CNA writes the Description and adds References, and then the completed CVE Entry is added to the CVE List and posted on the CVE website by the CVE Team.

CVE Community

CVE is an international cybersecurity community effort. In addition to the contributions of the CVE Numbering Authorities, CVE Board, and the CVE Sponsor, numerous organizations from around the world have included CVE IDs in their security advisories, have made their products and services compatible with CVE, and/or have adopted or promoted the use of CVE.

MITRE's Role

The MITRE Corporation currently maintains CVE and this public website, oversees the CNAs and CVE Board, and provides impartial technical guidance throughout the process to ensure CVE serves the public interest.

In addition, the MITRE CVE Team currently functions as the Primary CNA.

CVE Numbering Authorities (CNAs) — CNAs are vendors and projects, vulnerability researchers, national and industry CERTs, and bug bounty programs that assign CVE Entries to newly discovered issues without directly involving the CVE Team in the details of the specific vulnerabilities, and include the CVE IDs in the first public disclosure of the vulnerabilities.

Learn how to become a CNA.

CVE Board — The Board includes numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information. Through open and collaborative discussions, the Board provides critical input regarding the data sources, product coverage, coverage goals, operating structure, and strategic direction of the CVE Program.

CVE Sponsor — CVE is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security.

CVE Compatibility Guidelines for Products and Services — Numerous organizations from around the world have made their cybersecurity products and services compatible with CVE by incorporating CVE Entries. Please follow the guidelines to make your product or service compatible with CVE.

Take the Next Step

We encourage you to incorporate CVE Entries into your products or research, become a CNA, adopt products and services that are compatible with CVE for your enterprise, and/or promote the use of CVE.

Please contact us for more information.


Page Last Updated or Reviewed: January 17, 2018