Documents Archive

The documents listed on this page are archived and included here for historical purposes only. Please visit the main All Documents page for the most current CVE Program documentation.

    CVE List (Archived)
    CVE Numbering Authorities (CNAs) (Archived)
    CVE Board (Archived)
    General (Archived)
    CVE Compatibility Program (Archived)
    Sample Procurement Docs (Archived)
CVE List (Archived)

CVE ID Syntax Change (Archived)

The CVE ID Syntax Change took effect on January 1, 2014. CVE IDs using the new numbering format were first issued beginning on January 13, 2015. CVE IDs with 7 digits are actively being assigned by the DWF CNA as of May 24, 2016. This page is a central location of information about, and related to, the syntax change including the following: CVE ID Syntax Compliance (Archived), CVE ID Syntax Guidance (Archived), and CVE ID Syntax Test Data (Archived).


How We Build the CVE List (Archived)

A description of the process of how CVE Identifiers are added to the CVE List, including the roles of CVE Numbering Authorities (CNA) and the CVE Content Team.


CVE Content Decisions (Archived)

Prior to the current CVE Editorial Policies that are based upon the CVE Counting Rules, the CVE program used the CVE Content Decisions (CDs) described in these documents to assign CVE IDs: CVE Content Decisions Overview (Archived); CVE Abstraction Content Decisions: Rationale and Application (Archived); and Handling Duplicate Public CVE Identifiers (Archived).


CVE Editor's Commentary (Archived)

An archive of selected opinions and commentary about vulnerabilities, software assurance, and related topics by the CVE List Content Team.


CVE Data Sources (Archived)

This page provides an archive list of the organizations from the information security community that provided us with vulnerability information that helped the CVE Team create new CVE Entries from 1999 through November 2013.


CVE Versions (Archived)

This page provides an archive of the old CVE versions, the last of which was issued in 2006. As new CVE Entries are now added to the CVE website on a daily basis and are immediately usable by the community, the most current version of CVE is on the CVE List page.

CVE Numbering Authorities (CNAs) (Archived)

CVE Numbering Authorities (CNA) Rules, Version 1.1 (Archived)

Includes detailed information about the following: CNAs Overview – Federated CNA Structure, and Purpose and Goal of the CNA Rules; Rules for All CNAs – Assignment, Communication, and Administration; Responsibilities of Root and Primary CNAs – Specific Assignment, Communications, and Administration Rules for Root CNAs and for the Primary CNA; CNA Candidate Process – Qualifications, and On-Boarding Process; Appeals Process; Definitions; CVE Information Format; Common Vulnerabilities and Exposures (CVE) Counting Rules – Purpose, Introduction, Definitions, Vulnerability Report, Inclusion Decisions, and Counting Decisions; Terms of Use; Process to Correct Counting Issues; and Acronyms. Version 1.1 – September 16, 2016

CVE Board (Archived)

No CVE Board documents have been archived.

CVE Compatibility Program (Archived)

CVE Compatibility Program (Archived)

Includes documents from the previous CVE Compatibility Program of declarations and questionnaires that was discontinued.

CVE in Use (Archived)

This archived page includes examples of how CVE is being used in goverment and in the community.

Sample Procurement Documents (Archived)

CVE-Relevant Software Supplier Requirements (SWSupplier)

This document is an extract of the statement of objectives used by the Department of Defense to explain the security-relevant requirements they wanted met by software suppliers. Several areas of security issues are addressed as well as the use of CVE names for vulnerabilities in security notifications. – November 2004

Word (76K)


CVE-Relevant Vulnerability Assessment Tool Requirements (IAVMtool)

This document is an extract of the statement of work used by the Department of Defense to explain the security-relevant requirements they wanted met by an enterprise-wide vulnerability assessment and reporting tool. Several areas of security issues are addressed as well as the use of CVE names for vulnerabilities being reported. – November 2004

Word (60K)


CVE-Relevant Remediation Tool Requirements (IAremedtool)

This document is an extract of the statement of work used by the Department of Defense to explain the security-relevant requirements they wanted met by an enterprise-wide remediation tool. Several areas of security issues are addressed as well as the use of CVE names for choosing which vulnerabilities are remediated and reporting remediation status. – November 2004

Word (76K)

General (Archived)

CVE Introductory Brochure

A brief two-page introduction to the CVE effort. February 2016.

PDF (61 K)


Unforgivable Vulnerabilities

This briefing was presented as a "Turbo-Talk" at Black Hat Briefings 2007 in Las Vegas, Nevada, USA. August 2, 2007 - Steve Christey, CVE List Editor and CWE Technical Lead

Slides (152 K)
White Paper (211 K)


Making Security Measurable Podcast

A 10-minute podcast interview with CVE Compatibility Lead and CWE Program Manager Robert A. Martin by BankInfoSecurity.com about Common Vulnerabilities and Exposures (CVE®), Common Weakness Enumeration (CWE™), and Making Security Measurable at Black Hat Briefings 2007 — August 2007

MP3 (9.3 MB)


Vulnerability Type Distributions in CVE (2001-2006)

This updated technical white paper discusses the high-level types of vulnerabilities that have been publicly reported over the past five years, such as buffer overflows, cross-site scripting (XSS), SQL injection, and PHP file inclusion. The paper identifies and explains trends such as the rapid rise of Web application vulnerabilities, covers the distribution of vulnerability types in operating system vendor advisories, and compares the issues being reported in open and closed source advisories. May 22, 2007 – Steve Christey, CVE List Editor and CWE Technical Lead; Robert A. Martin, CWE Program Manager

HTML
PDF (2 MB)


Transformational Vulnerability Management Through Standards

This technical report on the MITRE Web site discusses the U.S Department of Defense"s (DOD) new enterprise licenses for vulnerability assessment and remediation tools that are required to conform to the CVE and OVAL standards efforts. Robert A. Martin, CVE Compatibility Lead – May 2005

PDF (165K)
HTML


Security Patches Got You Running in Circles?

Reprint of an article about CVE originally printed in Security Wire Perspectives newsletter, Vol. 6, No. 39. Posted here with permission from Information Security Magazine and TechTarget. May 17, 2004 - Robert A. Martin, CVE Compatibility Lead

HTML


A Progress Report on the CVE Initiative

Briefing presented at the FIRST 14th Annual Computer Security Incident Handling Conference, Kona, Hawaii, USA. June 24, 2002 – Steven M. Christey, co-creator of CVE and editor of the CVE List, and Robert A. Martin, CVE Compatibility Lead

HTML
PowerPoint (5.3MB)
PDF (510K)
Word (421K)


Managing Vulnerabilities in Networked Systems

This article about CVE was published in IEEE Computer Society Computer Magazine, Vol. 34, No. 11. November 2001 – Robert A. Martin, CVE Compatibility Lead

PDF (129K)


CVE Behind the Scenes: The Complexity of Being Simple

Briefing focusing on the various technical issues encountered in CVE presented at Black Hat Briefings, Las Vegas, Nevada, USA. July 11, 2001 – Steve Christey, co-creator of CVE and editor of the CVE List

PowerPoint (813K)


Vulnerabilities of Developing on the Net

This article about CVE was published in Crosstalk, The Journal of Defense Software Engineering. It was also presented at the U.S. Air Force's Software Technology Support Center’s Thirteenth Annual Software Technology Conference on May 2, 2001 in Salt Lake City, Utah, USA. April 15, 2001 – Robert A. Martin, CVE Compatibility Lead

HTML
PDF (3MB)


CVE-Technical Details of CVE

This briefing was presented at the Canadian Information Technology Security Symposium, Ottawa, Canada. June 22, 2000 – Steve Christey, co-creator of CVE and editor of the CVE List, and Margie Zuk, CVE Manager

PowerPoint (105K)


Common Vulnerabilities and Exposures (CVE)

An introduction to CVE. PowerPoint slides with attached notes. September 29, 1999 – Pete Tasker, Margie Zuk, Steve Christey, Dave Mann, Bill Hill, Dave Baker

PowerPoint (87K)


White Paper: "The Development of a Common Vulnerabilities and Exposures List"

This white paper was presented at the Second International Workshop on Recent Advances in Intrusion Detection, Purdue University, West Lafayette, Indiana, USA. September 8, 1999 – Steven M. Christey, David W. Baker, William H. Hill, David E. Mann

PowerPoint (65K)
HTML


White Paper: "Towards a Common Enumeration of Vulnerabilities"

This white paper was presented at the 2nd Workshop on Research with Security Vulnerability Databases, Purdue University, West Lafayette, Indiana, USA. January 21-22, 1999 – David E. Mann and Steven M. Christey, co-creators of the CVE List

HTML
PostScript

Page Last Updated or Reviewed: December 15, 2017