Documents

CVE Process

About CVE Identifiers

Provides an overview of CVE Identifiers (CVE IDs) and links to various documents within three areas: CVE Identifiers Defined, Creation of a CVE Identifier, and Requesting CVE Identifiers.


CVE Counting Rules

The nature and accuracy of the counting process underpins the value of a CVE ID. Correct counting reduces the likelihood of duplicate CVE IDs being assigned to a single vulnerability. Also, some vulnerability reports may confuse or conflate multiple, separate software problems, and the counting process helps to distinguish the vulnerabilities that are actually distinct. Decision trees are included.


CVE Assignment Information Format

Provides the required format that CNAs must use to provide CVE information for assigning CVE IDs. An example is included.


Process to Correct Counting Issues

There are many places where the CVE ID assignment process can break down. Since mistakes are inevitable, processes to correct them are necessary. This document describes different scenarios wherein the CVE ID assignment goes awry, and the corresponding resolution process.


CVE References

Each CVE name includes appropriate references. Each reference used in CVE (1) identifies the source, (2) includes a well-defined identifier to facilitate searching on a source's website, and (3) notes the associated CVE name. CVE also includes a Reference Maps page with links to documents from the commonly used information sources that are used as references for CVE IDs.


Search Tips for the CVE List

Provides tips for searching or viewing the Master Copy of the CVE List hosted on the CVE website. Also notes that advanced searching of CVE content is available on the U.S. National Vulnerability Database (NVD).

CVE Request Web Form

CVE Request Web Form FAQs

Includes questions and answers on web form basics, using the web form, and after submitting a web form request.


CVE Request Web Form Overview

This presentation provides an overview of how to use the CVE Request web form, which is used to request CVE IDs from MITRE, request an update to an existing CVE entry, provide notification about a vulnerability publication, or submit comments.


CVE Request Web Form Tip Sheet

A brief overview of information and tips for using each of the CVE Request web forms: Request a CVE ID; Request a block of IDs (for CNAs only); Notify CVE about a publication; Request an update to an existing CVE; and Other.

CVE Numbering Authorities (CNAs)

CVE Numbering Authorities (CNA) Rules

Includes detailed information about the following: CNAs Overview – Federated CNA Structure, and Purpose and Goal of the CNA Rules; Rules for All CNAs – Assignment, Communication, and Administration; Responsibilities of Root and Primary CNAs – Specific Assignment, Communications, and Administration Rules for Root CNAs and for the Primary CNA; CNA Candidate Process – Qualifications, and On-Boarding Process; Appeals Process; Definitions; CVE Information Format; Common Vulnerabilities and Exposures (CVE) Counting Rules – Purpose, Introduction, Definitions, Vulnerability Report, Inclusion Decisions, and Counting Decisions; Terms of Use; Process to Correct Counting Issues; and Acronyms. Version 1.1 – September 16, 2016


Researcher Reservation Guidelines

Provides information on how to reserve a CVE ID before publicizing a new vulnerability, so that the CVE ID can be included in the initial public announcement of the vulnerability and can be used to track it. Version 0.1 – August 29, 2016

CVE Board

CVE Board Charter

This document provides information about the CVE Board and how it functions, including Board structure, membership, and operations. A member nomination form is also included.


Adding and Removing CVE Board Members

This document formalizes the high-level process that is used for identifying, evaluating, and adding new members to the CVE Board.

CVE Compatibility

Requirements and Recommendations for CVE Compatibility

Provides the detailed requirements against which a cybersecurity product or service may become CVE-Compatible. Version 1.3, June 2013

Sample Procurement Documents

CVE-Relevant Software Supplier Requirements (SWSupplier)

This document is an extract of the statement of objectives used by the Department of Defense to explain the security-relevant requirements they wanted met by software suppliers. Several areas of security issues are addressed as well as the use of CVE names for vulnerabilities in security notifications. – November 2004

Word (76K)


CVE-Relevant Vulnerability Assessment Tool Requirements (IAVMtool)

This document is an extract of the statement of work used by the Department of Defense to explain the security-relevant requirements they wanted met by an enterprise-wide vulnerability assessment and reporting tool. Several areas of security issues are addressed as well as the use of CVE names for vulnerabilities being reported. – November 2004

Word (60K)


CVE-Relevant Remediation Tool Requirements (IAremedtool)

This document is an extract of the statement of work used by the Department of Defense to explain the security-relevant requirements they wanted met by an enterprise-wide remediation tool. Several areas of security issues are addressed as well as the use of CVE names for choosing which vulnerabilities are remediated and reporting remediation status. – November 2004

Word (76K)

General

CVE IDs and How to Get Them

This briefing was presented at the “Wall of Sheep” at DEF CON 25 in Las Vegas, Nevada, USA. July 28, 2017 - Dan Adinolfi, CVE Numbering Authority Program Lead; Anthony Singleton, CVE Team Member

Slides (599 K)


CVE Introductory Brochure

A brief two-page introduction to the CVE effort. February 2016.

PDF (61 K)


Unforgivable Vulnerabilities

This briefing was presented as a "Turbo-Talk" at Black Hat Briefings 2007 in Las Vegas, Nevada, USA. August 2, 2007 - Steve Christey, CVE List Editor and CWE Technical Lead

Slides (152 K)
White Paper (211 K)


Making Security Measurable Podcast

A 10-minute podcast interview with CVE Compatibility Lead and CWE Program Manager Robert A. Martin by BankInfoSecurity.com about Common Vulnerabilities and Exposures (CVE®), Common Weakness Enumeration (CWE™), and Making Security Measurable at Black Hat Briefings 2007 — August 2007

MP3 (9.3 MB)


Vulnerability Type Distributions in CVE (2001-2006)

This updated technical white paper discusses the high-level types of vulnerabilities that have been publicly reported over the past five years, such as buffer overflows, cross-site scripting (XSS), SQL injection, and PHP file inclusion. The paper identifies and explains trends such as the rapid rise of Web application vulnerabilities, covers the distribution of vulnerability types in operating system vendor advisories, and compares the issues being reported in open and closed source advisories. May 22, 2007 – Steve Christey, CVE List Editor and CWE Technical Lead; Robert A. Martin, CWE Program Manager

HTML
PDF (2 MB)


Transformational Vulnerability Management Through Standards

This technical report on the MITRE Web site discusses the U.S. Department of Defense's (DOD) new enterprise licenses for vulnerability assessment and remediation tools that are required to conform to the CVE and OVAL standards efforts. Robert A. Martin, CVE Compatibility Lead – May 2005

PDF (165K)
HTML


Security Patches Got You Running in Circles?

Reprint of an article about CVE originally printed in Security Wire Perspectives newsletter, Vol. 6, No. 39. Posted here with permission from Information Security Magazine and TechTarget. May 17, 2004 - Robert A. Martin, CVE Compatibility Lead

HTML


A Progress Report on the CVE Initiative

Briefing presented at the FIRST 14th Annual Computer Security Incident Handling Conference, Kona, Hawaii, USA. June 24, 2002 – Steven M. Christey, co-creator of CVE and editor of the CVE List, and Robert A. Martin, CVE Compatibility Lead

HTML
PowerPoint (5.3MB)
PDF (510K)
Word (421K)


Managing Vulnerabilities in Networked Systems

This article about CVE was published in IEEE Computer Society Computer Magazine, Vol. 34, No. 11. November 2001 – Robert A. Martin, CVE Compatibility Lead

PDF (129K)


CVE Behind the Scenes: The Complexity of Being Simple

Briefing focusing on the various technical issues encountered in CVE presented at Black Hat Briefings, Las Vegas, Nevada, USA. July 11, 2001 – Steve Christey, co-creator of CVE and editor of the CVE List

PowerPoint (813K)


Vulnerabilities of Developing on the Net

This article about CVE was published in Crosstalk, The Journal of Defense Software Engineering. It was also presented at the U.S. Air Force's Software Technology Support Center's Thirteenth Annual Software Technology Conference on May 2, 2001 in Salt Lake City, Utah, USA. April 15, 2001 – Robert A. Martin, CVE Compatibility Lead

HTML
PDF (3MB)


CVE-Technical Details of CVE

This briefing was presented at the Canadian Information Technology Security Symposium, Ottawa, Canada. June 22, 2000 – Steve Christey, co-creator of CVE and editor of the CVE List, and Margie Zuk, CVE Manager

PowerPoint (105K)


Common Vulnerabilities and Exposures (CVE)

An introduction to CVE. PowerPoint slides with attached notes. September 29, 1999 – Pete Tasker, Margie Zuk, Steve Christey, Dave Mann, Bill Hill, Dave Baker

PowerPoint (87K)


White Paper: "The Development of a Common Vulnerabilities and Exposures List"

This white paper was presented at the Second International Workshop on Recent Advances in Intrusion Detection, Purdue University, West Lafayette, Indiana, USA. September 8, 1999 – Steven M. Christey, David W. Baker, William H. Hill, David E. Mann

PowerPoint (65K)
HTML


White Paper: "Towards a Common Enumeration of Vulnerabilities"

This white paper was presented at the 2nd Workshop on Research with Security Vulnerability Databases, Purdue University, West Lafayette, Indiana, USA. January 21-22, 1999 – David E. Mann and Steven M. Christey, co-creators of the CVE List

HTML
PostScript

Page Last Updated or Reviewed: September 21, 2017