Documents

CVE Process

About CVE Identifiers

Provides an overview of CVE Identifiers and links to various documents within three areas: CVE Identifiers Defined, Creation of a CVE Identifier, and Obtaining CVE Identifiers.

How We Build the CVE List

A description of the process of how CVE Identifiers are added to the CVE List, including the roles of CVE Numbering Authorities (CNA) and the CVE Content Team.

CVE Content Decisions Overview

Describes the two most commonly used CDs, "Inclusion Content Decisions," which specify whether a vulnerability or exposure should go into CVE, and "Abstraction Content Decisions," which specify what level of abstraction, or detail, at which a vulnerability should be described. An example of the two most commonly used abstraction facets of CVE CDs is also included.

CVE Abstraction Content Decisions: Rationale and Application

This document provides guidelines for Abstraction CDs, clarifying when to combine multiple reports, bugs, and/or attack vectors into a single CVE name, and when to create separate CVE names. Also discussed are the design goals of CDs and their role in managing vulnerability information for the CVE Initiative, an outline of CVE’s major abstraction CDs, a comparison of CDs with other vulnerability information sources, and numerous examples of CDs in action.

Handling Duplicate Public CVE Identifiers

When duplicate CVE Identifiers are accidentally assigned by vendors, researchers, or coordinators and made public in initial public vulnerability announcements, CVE’s Primary CVE Numbering Authority must be consulted to choose the proper identifier number to use. This document details the criteria MITRE uses for selecting the preferred identifier.

CVE Numbering Authorities

Includes an introduction to the CVE Identifier reservation process, defines CVE Numbering Authorities (CNAs), provides the requirements for being a CNA, describes CNA tasks, explains the communication requirements from the CNA to MITRE, defines the role of vendor liaisons, and explains the researcher’s responsibilities in the process. Also included is a list of the several organizations currently participating as CNAs.

CVE References

Each CVE name includes appropriate references. Each reference used in CVE (1) identifies the source, (2) includes a well-defined identifier to facilitate searching on a source’s Web site, and (3) notes the associated CVE name. CVE also includes a Reference Maps page with links to documents from the commonly used information sources that are used as references for CVE Identifiers.

CVE Data Sources

A list of the organizations from the information security community that provide us with vulnerability information that helps MITRE create new CVE Identifiers.

Search Tips for the CVE List

Provides tips for searching or viewing the Master Copy of the CVE List hosted on the CVE Web site. Also notes that advanced searching of CVE is available on the U.S. National Vulnerability Database (NVD) where you may search CVE by individual CVE Identifier (CVE-ID) number; by operating system; by vendor name, product name, and/or version number; and by vulnerability type, severity, related exploit range, and impact.

Compatibility

CVE Compatibility Process

Description of the formal "CVE Compatibility Process," including Phase 1, the Declaration Phase, which consists of registering an organization's declaration of intent to make their product(s) and/or service(s) CVE-compatible, and Phase 2, the Evaluation Phase, which requires the completion of a questionnaire that specifically looks for the details of how the organization has satisfied the CVE Compatibility Requirements document. September 30, 2009 - Robert A. Martin, Steven M. Christey, and Robert J. Roberge

Requirements and Recommendations for CVE Compatibility

Provides the detailed requirements against which an information product or service may become CVE-Compatible. Version 1.2, October 1, 2009 - Robert A. Martin and Steven M. Christey

Editorial Board

CVE Editorial Board Roles, Tasks, and Qualifications

This document clarifies the roles, tasks, and qualifications for CVE Editorial Board members. Roles include technical members, liaisons, advocates, and emeritus members.

Process for Adding New Members to the Editorial Board

This document formalizes the high-level process that is used for identifying, evaluating, and adding new members to the CVE Editorial Board.

Sample Procurement Documents

CVE-Relevant Software Supplier Requirements (SWSupplier)

This document is an extract of the statement of objectives used by the Department of Defense to explain the security-relevant requirements they wanted met by software suppliers. Several areas of security issues are addressed as well as the use of CVE names for vulnerabilities in security notifications. - November 2004

Word (76K)

CVE-Relevant Vulnerability Assessment Tool Requirements (IAVMtool)

This document is an extract of the statement of work used by the Department of Defense to explain the security-relevant requirements they wanted met by an enterprise-wide vulnerability assessment and reporting tool. Several areas of security issues are addressed as well as the use of CVE names for vulnerabilities being reported. - November 2004

Word (60K)

CVE-Relevant Remediation Tool Requirements (IAremedtool)

This document is an extract of the statement of work used by the Department of Defense to explain the security-relevant requirements they wanted met by an enterprise-wide remediation tool. Several areas of security issues are addressed as well as the use of CVE names for choosing which vulnerabilities are remediated and reporting remediation status. - November 2004

Word (76K)

General

CVE Introductory Brochure

A brief two-page introduction to the CVE effort. February 2013.

PDF (73 K)

Unforgivable Vulnerabilities

This briefing was presented as a "Turbo-Talk" at Black Hat Briefings 2007 in Las Vegas, Nevada, USA. August 2, 2007 - Steve Christey, CVE List Editor and CWE Technical Lead

Slides (152 K)
White Paper (211 K)

Making Security Measurable Podcast

A 10-minute podcast interview with CVE Compatibility Lead and CWE Program Manager Robert A. Martin by BankInfoSecurity.com about Common Vulnerabilities and Exposures (CVE®), Common Weakness Enumeration (CWE™), and Making Security Measurable at Black Hat Briefings 2007 — August 2007

MP3 (9.3 MB)

Vulnerability Type Distributions in CVE (2001-2006)

This updated technical white paper discusses the high-level types of vulnerabilities that have been publicly reported over the past five years, such as buffer overflows, cross-site scripting (XSS), SQL injection, and PHP file inclusion. The paper identifies and explains trends such as the rapid rise of Web application vulnerabilities, covers the distribution of vulnerability types in operating system vendor advisories, and compares the issues being reported in open and closed source advisories. May 22, 2007 - Steve Christey, CVE List Editor and CWE Technical Lead; Robert A. Martin, CWE Program Manager

HTML
PDF (2 MB)

Transformational Vulnerability Management Through Standards

This technical report on the MITRE Web site discusses the U.S Department of Defense's (DOD) new enterprise licenses for vulnerability assessment and remediation tools that are required to conform to the CVE and OVAL standards efforts. Robert A. Martin, CVE Compatibility Lead - May 2005

PDF (165K)
HTML

Security Patches Got You Running in Circles?

Reprint of an article about CVE originally printed in Security Wire Perspectives newsletter, Vol. 6, No. 39. Posted here with permission from Information Security Magazine and TechTarget. May 17, 2004 - Robert A. Martin, CVE Compatibility Lead

HTML

A Progress Report on the CVE Initiative

Briefing presented at the FIRST 14th Annual Computer Security Incident Handling Conference, Kona, Hawaii, USA. June 24, 2002 - Steven M. Christey, co-creator of CVE and editor of the CVE List, and Robert A. Martin, CVE Compatibility Lead

HTML
PowerPoint (5.3MB)
PDF (510K)
Word (421K)

Managing Vulnerabilities in Networked Systems

This article about CVE was published in IEEE Computer Society Computer Magazine, Vol. 34, No. 11. November 2001 - Robert A. Martin, CVE Compatibility Lead

PDF (129K)

CVE Behind the Scenes: The Complexity of Being Simple

Briefing focusing on the various technical issues encountered in CVE presented at Black Hat Briefings, Las Vegas, Nevada, USA. July 11, 2001 - Steve Christey, co-creator of CVE and editor of the CVE List

PowerPoint (813K)

Vulnerabilities of Developing on the Net

This article about CVE was published in Crosstalk, The Journal of Defense Software Engineering. It was also presented at the U.S. Air Force's Software Technology Support Center’s Thirteenth Annual Software Technology Conference on May 2, 2001 in Salt Lake City, Utah, USA. April 15, 2001 - Robert A. Martin, CVE Compatibility Lead

HTML
PDF (3MB)

CVE-Technical Details of CVE

This briefing was presented at the Canadian Information Technology Security Symposium, Ottawa, Canada. June 22, 2000 - Steve Christey, co-creator of CVE and editor of the CVE List, and Margie Zuk, CVE Manager

PowerPoint (105K)

Common Vulnerabilities and Exposures (CVE)

An introduction to CVE. PowerPoint slides with attached notes. September 29, 1999 - Pete Tasker, Margie Zuk, Steve Christey, Dave Mann, Bill Hill, Dave Baker

PowerPoint (87K)

White Paper: "The Development of a Common Vulnerabilities and Exposures List"

This white paper was presented at the Second International Workshop on Recent Advances in Intrusion Detection, Purdue University, West Lafayette, Indiana, USA. September 8, 1999 - Steven M. Christey, David W. Baker, William H. Hill, David E. Mann

PowerPoint (65K)
HTML

White Paper: "Towards a Common Enumeration of Vulnerabilities"

This white paper was presented at the 2nd Workshop on Research with Security Vulnerability Databases, Purdue University, West Lafayette, Indiana, USA. January 21-22, 1999 - David E. Mann and Steven M. Christey, co-creators of the CVE List

HTML
PostScript

 
Page Last Updated: May 17, 2013