Frequently Asked Questions

  1. Introduction
      What is CVE?
      What is the relationship between CVE and NVD (U.S. National Vulnerability Database)?
      Who owns CVE?
      Is CVE intended for public use? How can CVE help me?
      Why CVE? Is there a lot of support for something like this?
      Isn't CVE just another vulnerability database?
      Can't hackers use this to break into my network?
      What is a "vulnerability"?
      What is an "exposure"?
  2. CVE Identifiers
      What is a CVE Identifier?
      What is the new CVE ID syntax and when did it change?
      How are the CVE Identifier descriptions created or compiled?
      Are there references available for CVE Identifiers?
      What does "Date Entry Created" signify in a CVE Identifier?
      What does "RESERVED" signify in a CVE Identifier?
      How can I update existing information or add new information to a CVE Identifier description or reference?
      How can I obtain a CVE Identifier?
  3. CVE Request Web Form
      WEB FORM BASICS
      How do I get to the CVE Request web form?
      How is the new system different from what I used to do before? I was familiar with sending an email; can I still do that?
      I submitted a CVE Request before the web form was available. What happens now?
      Where can I find additional help using the web form?
      USING THE WEB FORM
      What are the different choices for request type?
      How do I access the Product and Sources list when I am using the CVE Request web form?
      What if I realized I entered something wrong? Can I edit the information I entered on the web form after I submit it?
      Can I add an attachment?
      I have trouble seeing the security code, or CAPTCHA, at the end of the form. Is there any other way to submit my form?
      I don’t understand the note after I submit my request that says I should close my browser and open it again. What does that mean? Should I do it?
      What if I need more than 10 CVE IDs?
      Why does the form get so big when I request more than one CVE ID?
      How can I encrypt my requests via the web form?
      AFTER SUBMITTING YOUR WEB FORM REQUEST
      How do I know that my CVE request has been received?
      What if I realize, after submitting the form, that I need to request more CVE IDs?
      What do I do if I need to follow up on a request made through the CVE Request web form that has not been completed?
      How do I know when my request has been fulfilled? Is there a place I can look online to see a status?
      My request for CVE IDs was rejected. How do I follow up?
  4. CVE List Basics
      Does the CVE List contain all vulnerabilities and exposures?
      Where does CVE find out about these vulnerabilities and exposures?
      How does a vulnerability or exposure become a CVE Identifier?
      Why doesn't CVE include fix information, impact, classification, or other important technical details?
      Why doesn't CVE use a taxonomy?
      Are there release versions of the CVE List?
      Why did CVE retire the term CVE "candidates"?
      How can I find out when new CVE Identifiers are added to the CVE website?
      Does CVE have an RSS Feed (XML)?
      Does the CVE List include severity ratings (i.e., CVSS scores) for CVE Identifiers?
  5. Using the CVE List
      Someone has hacked into my website. Can CVE help me recover?
      How can CVE help me protect my network?
      How will CVE help me compare security tools?
      Can I include CVE Identifiers in my product/security advisory/etc.?
      Is CVE content available in Common Vulnerability Reporting Framework (CVRF) format?
      Are CVE IDs mapped to IAVAs?
      How do I download a copy of CVE?
      How do I search CVE?
      Can I search CVE by operating system?
      I don’t understand these entries. What's a "buffer overflow" anyway?
      I searched CVE and I got two results back. How can I tell which is the one I want?
  6. Compatibility
      What does it mean to be "CVE-Compatible"?
      How can my product or service be made CVE-Compatible?
      How can my organization register our product or service as CVE-Compatible?
  7. Community
      How can my organization and I be involved?
      What is a CVE Numbering Authority (CNA)? How can my organization become a CNA?
      Who is the CVE Board? How can I join?
      What is MITRE's role in CVE? How long does MITRE plan to maintain it?
      Who sponsors CVE? What is the relationship between CVE and DHS?

Introduction

What is CVE?

CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known cyber security issues. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration."

What is the relationship between CVE and the NVD (U.S. National Vulnerability Database)?

The CVE List feeds the U.S. National Vulnerability Database (NVD), which then builds upon the information included in CVE entries to provide enhanced information for each CVE Identifier such as fix information, severity scores, and impact ratings. NVD also provides advanced searching features such as by individual CVE ID; by OS; by vendor name, product name, and/or version number; and by vulnerability type, severity, related exploit range, and impact. Read the NVD FAQs on the NVD website.

Who owns CVE?

CVE is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Operating as DHS's Federally Funded Research and Development Center (FFRDC), MITRE has copyrighted the CVE List for the benefit of the community in order to ensure it remains a free and open standard, as well as to legally protect the ongoing use of it and any resulting content by government, vendors, and/or users. In addition, MITRE has trademarked (®) the CVE acronym and the CVE logo to protect their sole and ongoing use by the CVE effort within the information security arena.

MITRE maintains the CVE List and this public website, manages the CVE Compatibility Program, oversees the CVE Numbering Authorities (CNAs), and provides impartial technical guidance to the CVE Board throughout the process to ensure CVE serves the public interest.

Is CVE intended for public use? How can CVE help me?

CVE is free to use and publicly available to anyone interested in correlating data between different vulnerability or security tools, repositories, and services. You may search or download CVE, copy it, redistribute it, reference it, and analyze it, provided you do not modify CVE itself. You may also link to specific CVE Identifier pages from your website, product, publication, or other capability.

CVE helps because it provides a standardized identifier for a given vulnerability or exposure. Knowing this common identifier allows you to quickly and accurately access information about the problem across multiple information sources that are CVE-Compatible. For example, if you own a security tool whose reports contain references to CVE Identifiers, you may then access fix information in a separate CVE-Compatible database. CVE also provides you with a baseline for evaluating the coverage of your tools. With CVE's common names, you'll know exactly what each tool covers allowing you to determine which tools are most effective and appropriate for your organization's needs.

In addition, if the security advisories your organization receives are CVE-Compatible, you can see if your vulnerability scanners check for this threat and then determine whether your intrusion detection system has the appropriate attack signatures to identify attempts to exploit particular vulnerabilities. If you build or maintain systems for customers, the CVE compatibility of advisories will help you to directly identify any fixes from the vendors of the commercial software products in those systems (if the vendor fix site is CVE-Compatible). See Enterprise Security Enabled by CVE for additional information.

Why CVE? Is there a lot of support for something like this?

Using a common identifier makes it easier to share data across separate databases, tools, and services, which until the creation of CVE in 1999, were not easily integrated. If a report from a security capability incorporates CVE Identifiers, you may then quickly and accurately access fix information in one or more separate CVE-Compatible tools, services, and repositories to remediate the problem. With CVE, your tools and services can "speak" (i.e., exchange data) with each other. You'll know exactly what each covers because CVE provides you with a baseline for evaluating the coverage of your tools. This means you can determine which tools are most effective and appropriate for your organization's needs. In short, CVE-Compatible tools, services, and databases will give you better coverage, easier interoperability, and enhanced security.

CVE is industry endorsed by the CVE Board and the numerous organizations that have declared their products CVE-Compatible or include CVE Identifiers in their vendor alerts and security advisories. CVE content is approved by the CVE Board, which is comprised of leading representatives from the information security community.

Isn't CVE just another vulnerability database?

No. CVE is not a vulnerability database. CVE is designed to allow vulnerability databases and other capabilities to be linked together, and to facilitate the comparison of security tools and services. As such, CVE does not contain information such as risk, impact, fix information, or detailed technical information. CVE only contains the standard identifier number with status indicator, a brief description, and references to related vulnerability reports and advisories. (Note: The U.S. National Vulnerability Database (NVD) provides fix and other information for identifiers on the CVE List.)

Can't hackers use this to break into my network?

Any public discussion of vulnerability information may help a hacker. However, there are several reasons why the benefits of CVE outweigh its risks:

What is a "vulnerability"?

A cyber security vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network. See the Terminology page for a complete explanation of how this term is used on the CVE website.

What is an "exposure"?

A cyber security exposure is a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network. See the Terminology page for a complete explanation of how this term is used on the CVE website.

CVE Identifiers

What is a CVE Identifier?

CVE Identifiers (also referred to by the community as "CVE IDs," "CVE entries," "CVE names," "CVE numbers," and "CVEs") are unique, common identifiers for publicly known cyber security vulnerabilities.

Each CVE Identifier includes the following:

CVE Identifiers are used by information security product/service vendors and researchers as a standard method for identifying vulnerabilities and for cross-linking with other repositories that also use CVE Identifiers. See About CVE Identifiers for additional information.

What is the new CVE ID syntax and when did it change?

CVE ID syntax refers to the ID number component of a CVE Identifier, for example, "CVE-2014-9999999", which includes the CVE prefix + year + sequence number digits.

With the new syntax, CVE IDs can now have 4 or more digits in the sequence number portion of the ID. For example, CVE-YYYY-NNNN with 4 digits in the sequence number, CVE-YYYY-NNNNN with 5 digits in the sequence number, CVE-YYYY-NNNNNNN with 7 digits in the sequence number, and so on.

The change was necessary because the CVE ID syntax used since the inception of CVE in 1999, CVE-YYYY-NNNN, only supports a maximum of 9,999 unique identifiers per year. Due to the ever-increasing volume of public vulnerability reports, the CVE Board and MITRE determined that the CVE project needed to change the syntax of its standard vulnerability identifiers so that CVE can track more than 10,000 vulnerabilities in a single year. The new CVE ID syntax was determined in a vote by the CVE Board, details of which are available in the CVE Board Discussion List Archives.

The CVE ID Syntax Change took effect on January 1, 2014, and CVE IDs using the new syntax were first issued on January 13, 2015. The Distributed Weakness Filing (DWF) CNA is now actively assigning CVE IDs with seven digits, as of May 24, 2016.

Please see CVE ID Syntax Change and Technical Guidance for Handling the New CVE ID Syntax for additional information.
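The following is an added example, not code from MITRE or the CVE website, showing how to validate and extract identifiers under the syntax described above (four-digit year, sequence number of four or more digits). It goes slightly beyond the FAQ text by also accepting the retired CAN- candidate prefix and normalising it to CVE-, and it contrasts a correct scanner with the old four-digit assumption that truncates longer sequence numbers. The rule that a sequence number longer than four digits must not start with 0 is taken from the syntax-change guidance, not from this FAQ; the sample advisory text and its identifiers are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Added example (not MITRE's code). Implements the CVE ID syntax described in the FAQ:
# "CVE" prefix, four-digit year, and a sequence number of four OR MORE digits.
# The retired "CAN" candidate prefix (pre-2005) is also accepted so legacy advisories
# can be normalised to the CVE- form, which the FAQ says now applies to all identifiers.
_CVE_ID_RE = re.compile(r"^(?P<prefix>CVE|CAN)-(?P<year>\d{4})-(?P<seq>\d{4,})$")

# Pattern for scanning free text (advisories, scanner output). \d{4,} plus a trailing
# word boundary is what keeps 5-, 6- and 7-digit sequence numbers intact.
_SCAN_RE = re.compile(r"\b(?:CVE|CAN)-\d{4}-\d{4,}\b")

# The pre-2014 assumption many tools hard-coded. Kept only to demonstrate the defect.
_LEGACY_SCAN_RE = re.compile(r"(?:CVE|CAN)-\d{4}-\d{4}")


@dataclass(frozen=True)
class CveId:
    year: int
    sequence: int
    was_candidate: bool  # True if the input used the retired CAN- prefix

    def canonical(self) -> str:
        # Sequence numbers are zero-padded to four digits; longer ones keep all digits.
        return f"CVE-{self.year:04d}-{self.sequence:04d}"


def parse_cve_id(text: str) -> CveId:
    """Validate one identifier and return its components; raise ValueError otherwise."""
    m = _CVE_ID_RE.match(text.strip().upper())
    if m is None:
        raise ValueError(f"not a CVE ID: {text!r}")
    seq = m.group("seq")
    # Zero-padding exists only to reach four digits, so a longer sequence number must not
    # start with 0 (assumption taken from the syntax-change guidance, not from this FAQ).
    if len(seq) > 4 and seq[0] == "0":
        raise ValueError(f"invalid zero-padded sequence number: {text!r}")
    year = int(m.group("year"))
    if year < 1999:  # CVE began in 1999; no identifier carries an earlier year
        raise ValueError(f"implausible year in {text!r}")
    return CveId(year=year, sequence=int(seq), was_candidate=m.group("prefix") == "CAN")


def is_valid_cve_id(text: str) -> bool:
    """Convenience wrapper: True if parse_cve_id accepts the string."""
    try:
        parse_cve_id(text)
    except ValueError:
        return False
    return True


def find_cve_ids(text: str) -> List[str]:
    """Extract every CVE ID from free text, canonicalised, in order of first appearance."""
    seen, out = set(), []
    for token in _SCAN_RE.findall(text.upper()):
        try:
            cid = parse_cve_id(token).canonical()
        except ValueError:
            continue  # e.g. a malformed zero-padded sequence number
        if cid not in seen:
            seen.add(cid)
            out.append(cid)
    return out


def find_cve_ids_legacy(text: str) -> List[str]:
    """The pre-2014 extraction: silently truncates 5+ digit sequence numbers to 4 digits."""
    return _LEGACY_SCAN_RE.findall(text.upper())


# Constructed sample advisory text; the identifiers are illustrative, not real CVE entries.
SAMPLE_ADVISORY = (
    "Fixed in release 2.3: CVE-2014-1234567 (remote crash), can-1999-0067 (legacy), "
    "CVE-2016-12345, and a duplicate mention of CVE-2014-1234567."
)

if __name__ == "__main__":
    print("new-syntax scanner :", find_cve_ids(SAMPLE_ADVISORY))
    print("old 4-digit scanner:", find_cve_ids_legacy(SAMPLE_ADVISORY))
```

Running the block shows the old scanner reporting "CVE-2014-1234" for an ID that is actually CVE-2014-1234567, which is exactly the mismatch that breaks cross-referencing between CVE-Compatible tools.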

How are the CVE Identifier descriptions created or compiled?

The "Description" portion of a CVE Identifier (CVE ID) is written by MITRE's CVE Content Team, who analyze public, third-party reports of vulnerabilities (i.e., "references"); extract the relevant information from each reference; resolve any conflicting information or inconsistent usage of terminology; and then write the description following the established CVE style (not publicly documented), which attempts to include the relevant details that are most useful to help users (1) find a CVE for a vulnerability that they need, and/or (2) distinguish between similar-looking vulnerabilities.

Whenever possible, the description includes details such as the name of the affected product and vendor, a summary of affected versions, the vulnerability type, the impact, the access that an attacker requires to exploit the vulnerability, and the important code components or inputs that are involved. However, since this information is not always publicly available, not all descriptions will include all of these details.

Are there references available for CVE Identifiers?

Each CVE Identifier includes appropriate references. The CVE website also includes a Reference Maps page with links to documents from the commonly used information sources that are used as references for CVE entries. Each reference used in CVE (1) identifies the source, (2) includes a well-defined identifier to facilitate searching on a source's website, and (3) notes the associated CVE Identifier.

What does "Date Entry Created" signify in a CVE Identifier?

The "Date Entry Created" date in a CVE Identifier (CVE ID) indicates when the CVE ID was issued to a CVE Numbering Authority (CNA) or published on the CVE List.

This date does not indicate when the vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. That information may or may not be included in the description or references of a CVE ID, or in the enhanced information for the CVE ID that is provided in the U.S. National Vulnerability Database (NVD).

What does "RESERVED" signify in a CVE Identifier?

A CVE Identifier (CVE ID) is marked as "RESERVED" when it has been reserved for use by a vendor or security researcher, but the details of it are not yet populated. A CVE ID can change from the RESERVED state to being populated at any time based on a number of factors both internal and external to MITRE. Once the CVE is populated with details and published on the CVE List, it will become available in the U.S. National Vulnerability Database (NVD). As one of the final steps in the process, the NVD Common Vulnerability Scoring System (CVSS) scores for the CVE ID are assigned by the NIST NVD team.

How can I update existing information or add new information to a CVE Identifier description or reference?

You may request an update to a CVE ID, provide notification about a vulnerability publication, or submit comments via our CVE Request web form. See the CVE Request Web Form Overview, Web Form Tip Sheet, and/or Web Form FAQs for additional information.

If you wish to make a specific "vendor statement" for potential inclusion in the U.S. National Vulnerability Database (NVD), you can use NVD's "Vendor Comments" feature at http://nvd.nist.gov for a specific CVE ID.

How can I obtain a CVE Identifier?

See Request a CVE Identifier.

CVE Request Web Form

WEB FORM BASICS

How do I get to the CVE Request web form?

The CVE Request web form is available at https://cveform.mitre.org.

How is the new system different from what I used to do before? I was familiar with sending an email; can I still do that?

If you send an email to the "cve-assign" email address, you will get a response that directs you to use the CVE Request web form for all new CVE requests. Prior requests sent through email will continue to be processed. The web form is to be used for:

Once you have submitted your request, you will receive an email confirming receipt of your request and a reference number. Any additional communications related to that request will be done through email using the same subject line as the confirmation email.

I submitted a CVE Request before the web form was available. What happens now?

Requests sent prior to August 29, 2016, via the "cve-assign" email address will continue to be processed.

Where can I find additional help using the web form?

In addition to these CVE Request web form FAQs, additional help and user guidance are available in the following locations:

Finally, you may also choose the "Other" request type on the CVE Request web form itself and enter any questions you have into the free-text field. The CVE Team will receive this information and respond to your question(s) via email.

USING THE WEB FORM

What are the different choices for request type?

The choices for a request type are:

How do I access the Product and Sources list when I am using the CVE Request web form?

Select the "Request a CVE ID" request type and, in the grey box, you will see a link to the product and sources list.

What if I realized I entered something wrong? Can I edit the information I entered on the web form after I submit it?

No, you cannot edit the form once it has been submitted; however, after submitting the web form, you will receive an email confirmation with a reference number, and you can reply to that email with any changes. Do not modify the subject line, as it contains the reference number associated with your request.

Can I add an attachment?

The web form does not accept attachments. However, in the event an attachment is necessary, it can be sent in a reply to the confirmation email you receive when you submit the form. Do not modify the subject line, as it contains the reference number associated with your request.

I have trouble seeing the security code, or CAPTCHA, at the end of the form. Is there any other way to submit my form?

The security code, or CAPTCHA, is required to complete the form. If you do not accurately type the CAPTCHA, you will receive an error message upon clicking the "Submit" button, along with a new CAPTCHA, which may be easier to view. If you continue to experience problems with the CAPTCHA, please contact us at cve@mitre.org.

I don't understand the note after I submit my request that says I should close my browser and open it again. What does that mean? Should I do it?

If you submit multiple requests in the same browser session, all requests will share a reference number and a single confirmation email will be sent (in response to the first request). If your requests are related, and need to be tracked together, you do not need to close your browser. If you refresh your browser or close and reopen your browser between each request, you will receive a new confirmation email and reservation number for each request.

What if I need more than 10 CVE IDs?

You can use the CVE Request web form to request up to 10 CVE IDs. If you need to request more than 10 CVE IDs, you can do so by submitting another request.

Please note that all requests within a single browser session will share a single reference number and will only receive a confirmation email for the first request. If you refresh your browser or close and reopen your browser between each request, you will receive a new confirmation email and reservation number for each request.

If you have questions or concerns about this process, please select the "Other" request type on the CVE Request web form.

User Tip: If you cannot type a new number into the field for entering the number of CVE IDs you are requesting, use backspace or the delete key to first clear the highlighted default number and then enter your desired number.

Why does the form get so big when I request more than one CVE ID?

When you request more than one CVE ID on the CVE Request web form, a separate set of required/optional fields for each of the CVE IDs requested is added, which causes the form to expand.

How can I encrypt my requests via the web form?

If you need to encrypt the details of your request, please enter your public PGP key into the "Enter a PGP Key" dialog box. If your PGP key is longer than 20,000 characters, please provide a URL for your PGP. If you do not have a URL, contact cve@mitre.org to identify an alternative suggestion. Provide generic details in the form as needed. MITRE will use the PGP key you provided to begin an encrypted dialogue with you via email.

AFTER SUBMITTING YOUR WEB FORM REQUEST

How do I know that my CVE request has been received?

You will receive an email confirmation once you submit the form, along with a reference number. If you later have any additional information to provide, please reply to that email. Do not modify the subject line, as it contains the reference number associated with your request.

Please note that all requests within a single browser session will share a single reference number and will only receive a confirmation email for the first request. If you refresh your browser or close and reopen your browser between each request, you will receive a new confirmation email and reservation number for each request.

User Tip: Please add cve-request@mitre.org and cve@mitre.org as safe senders in your email client before completing the form.

What if I realize, after submitting the form, that I need to request more CVE IDs?

You are able to complete the CVE Request web form as often as needed. If you submit a new request in the same browser session, all requests will share a reference number and a single confirmation email will be sent (in response to the first request). If you refresh your browser or close and reopen your browser between each request, you will receive a new confirmation email and reservation number for each request.

What do I do if I need to follow up on a request made through the CVE Request web form that has not been completed?

For requests that have not yet been completed (e.g., a CVE ID has not yet been assigned in response to a CVE ID request), you can provide additional information by replying to the confirmation email you received when you submitted the web form. Do not modify the subject line, as it contains the reference number associated with your request.

How do I know when my request has been fulfilled? Is there a place I can look online to see a status?

Status updates are not available via the website or web form. Once you submit the web form, all further communication regarding the request and its status takes place via email, with the same subject line that was in the original confirmation email. Requesters will be notified when their request is fulfilled. If a request was not fulfilled, the requester will receive an email notifying them of the decision and rationale (e.g., out of scope requests).

My request for CVE IDs was rejected. How do I follow up?

If you would like the CVE Assignment Team to reconsider a rejected request, please use the CVE Request web form to submit an "Other" request and include both the reference number of your original request and additional information that should be considered.

CVE List Basics

Does the CVE List contain all vulnerabilities and exposures?

No. The intention of CVE is to be comprehensive with respect to all publicly known vulnerabilities and exposures as specified in the Products Covered section on our Coverage Goals page. While the CVE List is designed to contain mature information, our primary focus is on identifying vulnerabilities and exposures that are detected by security tools and any new problems that become public per our specified coverage goals.

Where does CVE find out about these vulnerabilities and exposures?

CVE is based on publicly available information. Throughout the life of the CVE List, MITRE has relied on external data sources to identify vulnerabilities. In addition, CVE Identifiers for possible new vulnerabilities and exposures are reserved regularly by the CVE Numbering Authorities and then included in their vendor and security community alerts and advisories. As a result, MITRE can concentrate on devising the standard names rather than "reinventing the wheel" and conducting the research required to find the initial vulnerability reports.

How does a vulnerability or exposure become a CVE Identifier?

The process begins with the discovery of a potential security vulnerability or exposure. The information is then assigned a CVE Identifier by a CVE Numbering Authority (CNA) and posted on the CVE website. The CVE Board oversees this process.

CNAs are the primary method through which CVE Identifiers are assigned. A CNA is an organization that distributes CVE ID numbers to researchers and information technology vendors for inclusion in first-time public announcements of new vulnerabilities, without directly involving MITRE in the details of the specific vulnerabilities.

As part of its management of CVE, The MITRE Corporation functions as Editor and Primary CNA. As such, MITRE also assigns CVE Identifiers. For the Primary CNA, CVE editorial policies, or "content decisions" (CDs), are the criteria and consistency rules that determine (1) what security issues become CVE Identifiers on the CVE List, and (2) how we distinguish between similar or related security issues.

Generally, the CVE approach is to create separate CVE Identifiers for:

See CVE Editorial Policies for a detailed description and examples of this process. Also see About CVE Identifiers.

Why doesn't CVE include fix information, impact, classification, or other important technical details?

This information can already be found in numerous vulnerability websites, databases, and security tool databases. CVE doesn't have this information because CVE is intended to link these different vulnerability capabilities, not to replace them.

Note: The U.S. National Vulnerability Database (NVD) provides fix and other information for identifiers on the CVE List.

Why doesn't CVE use a taxonomy?

Developing a universally applicable taxonomy for vulnerabilities is an ongoing area of research. One goal of CVE is to capture community agreement. The enumeration and categorization of vulnerabilities are different (albeit related) efforts. The effort of building and populating the CVE List may facilitate further advances in the study of vulnerability taxonomies.

Are there release versions of the CVE List?

As new CVE Identifiers are now added to the CVE website on a daily basis and are immediately usable by the community, the most current version of CVE is on the CVE List Master Copy page. The CVE Versions Archive page provides an archive of old CVE versions, the last of which was issued in 2006.

Why did CVE retire the term CVE "candidates"?

When the CVE Initiative first began in 1999 and vulnerabilities were discovered and published less frequently than they are today, CVE Identifiers were issued with "candidate" or "entry" status, where candidate status indicated that the identifier was under review for inclusion on the CVE List and entry status indicated that the identifier had been formally accepted to the list. CVE Identifiers with candidate status used the CAN- prefix (e.g., "CAN-1999-0067"), while CVE Identifiers with entry status used the CVE- prefix (e.g., "CVE-1999-0067"). This meant that the individual identifier numbers themselves would need to be changed once a candidate had been updated to entry status, placing a significant burden on the numerous vendors and organizations around the world that would in turn need to update their tools and processes to accommodate the replacement identifier numbers. This became especially burdensome as the volume of vulnerabilities being discovered and added to the CVE List increased dramatically each year (CVE Identifiers are now added to the CVE website on a daily basis). Therefore, at the request of the community, as of 2005 all CVE Identifiers use the CVE- prefix and are immediately usable by the community. While references and other supporting information may be updated over time, the CVE Identifier number itself does not change once it has been assigned to an issue.

How can I find out when new CVE Identifiers are added to the CVE website?

A free tool from CERIAS/Purdue University monitors changes to the CVE List. "CVE Change Logs" allows you to obtain daily or monthly changes to the list. The tool is a feature of CERIAS' Cassandra incident response database service, which is listed on the CVE-Compatible Products and Services page.

In addition, you may search for recently assigned CVE Identifiers in the U.S. National Vulnerability Database (NVD).

Does CVE have an RSS Feed (XML)?

CVE itself does not currently offer an RSS feed; however, the U.S. National Vulnerability Database (NVD) provides an RSS feed of all fully analyzed CVE Identifiers, which includes the names of the vulnerable products in the headers.

In addition, CVE Change Logs is a free tool from CERIAS/Purdue University that allows users to obtain daily or monthly changes to CVE Identifiers.

Does the CVE List include severity ratings (i.e., CVSS scores) for CVE Identifiers?

No, the CVE List does not include severity ratings for CVE Identifiers (CVE IDs).

However, severity scores for CVE IDs are provided by the U.S. National Vulnerability Database (NVD) at https://nvd.nist.gov/cvss.cfm.

Using the CVE List

Someone has hacked into my website. Can CVE help me recover?

CVE cannot help you to determine precisely what vulnerability an attacker may have exploited to obtain unauthorized access. But once you determine what vulnerability was exploited, you could find the CVE Identifier and use it to examine CVE-Compatible information sources in order to obtain fix information, technical details, and other information that will be helpful to you.

How can CVE help me protect my network?

By using the CVE Identifier for a particular vulnerability or exposure, you will be able to quickly and accurately obtain information from a variety of CVE-Compatible information sources. By facilitating better comparisons between different security tools and services, CVE can help you make a better choice as to which of these capabilities are appropriate for your needs. You may also be able to create a suite of interoperable security tools and capabilities from multiple vendors, if those tools and capabilities incorporate CVE as a translation mechanism.

Using CVE-Compatible Products and Services will allow you to improve how your organization responds to security advisories. If the advisory is CVE-Compatible, you can see if your scanners or security service checks for this threat and then determine whether your intrusion detection system has the appropriate attack signatures. If you build or maintain systems for customers, the CVE compatibility of advisories will help you to directly identify any fixes from the vendors of the commercial software products in those systems (if the vendor fix site is CVE-Compatible).

Other indirect benefits may also arise from CVE. For example, it facilitates better research on vulnerabilities and exposures. See Enterprise Security Enabled by CVE for additional information.

How will CVE help me compare security tools?

With CVE, your vulnerability databases, services, and tools can "speak" to each other. Until the creation of CVE in 1999 it was very difficult to effectively decide which tool was the most appropriate for an organization's needs. Each vendor used a different definition of "vulnerability" or "exposure" and used different metrics to state how many vulnerabilities or exposures they "check" or "test." CVE provides vendors with a standard list they can compare to, thus allowing you to compare apples to apples. In the longer term, CVE may be useful for obtaining quantitative data on tool behaviors, such as how they perform their checks, the impact they have on the systems they examine, the rate of false positives or false negatives, or how quickly they update their tools when new entries are introduced into CVE.

Can I include CVE Identifiers in my product/database/security advisory/etc.?

Yes, CVE is free to use. You may search or download CVE, copy it, redistribute it, reference it, and analyze it, provided you do not modify CVE itself. You may also link to specific CVE Identifier pages from your website, product, publication, or other capability. In addition, CVE Identifiers are already being included in a number of security advisories, and numerous companies and organizations are making their information security products CVE-Compatible. Visit the CVE-Compatible Products and Services page for the most current information regarding the types and availability of CVE-Compatible products and services.

Is CVE content available in Common Vulnerability Reporting Framework (CVRF) format?

Yes, CVE content can be downloaded in Common Vulnerability Reporting Framework (CVRF) format on the Download CVE page. A single download of all CVE entries in CVRF format is available, as are downloads for individual calendar years in CVRF format such as 2013, etc.

CVRF, developed by the Industry Consortium for Advancement of Security on the Internet (ICASI), is an XML-based standard that enables software vulnerability information to be shared in a machine-parsable format between vulnerability information providers and consumers. Having vulnerability information in a single, standardized format speeds up information exchange and digestion, while also enabling automation. CVRF is currently used by major vendors, including Cisco Systems, Inc., Oracle Corporation, Microsoft Corporation, and Red Hat, Inc., which issue their security advisories in CVRF format.

Visit the CVE Usage of CVRF page to learn more, or the Download CVE page to access CVE content in CVRF format.
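To show what "machine-parsable" buys you, here is an added example (written for this page, not code from MITRE or ICASI) that reads a CVRF document with Python's standard-library XML parser and indexes its vulnerability records by CVE ID. The element names and the two namespace URIs are those of CVRF 1.1 as the author of this example knows them; the document itself is a constructed two-record sample, not an actual CVE download, and the IDs, descriptions and URLs in it are placeholders.

```python
import xml.etree.ElementTree as ET

# CVRF 1.1 namespaces (assumed from the CVRF 1.1 schema; verify against your download).
NS = {
    "cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
}

# Constructed sample document; not a real CVE export.
SAMPLE_CVRF = """<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1"
         xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1">
  <DocumentTitle>Constructed sample CVE export</DocumentTitle>
  <DocumentType>Vulnerability Record</DocumentType>
  <DocumentPublisher Type="Other"/>
  <DocumentTracking>
    <ID>SAMPLE-0001</ID>
    <Status>Final</Status>
    <Version>1.0</Version>
    <InitialReleaseDate>2016-11-04T00:00:00</InitialReleaseDate>
    <CurrentReleaseDate>2016-11-04T00:00:00</CurrentReleaseDate>
  </DocumentTracking>
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>CVE-2016-0001</vuln:Title>
    <vuln:Notes>
      <vuln:Note Type="Description" Ordinal="1">Constructed description: buffer overflow in example widget 1.2.</vuln:Note>
    </vuln:Notes>
    <vuln:CVE>CVE-2016-0001</vuln:CVE>
    <vuln:References>
      <vuln:Reference Type="External">
        <vuln:URL>https://example.invalid/advisory/1</vuln:URL>
        <vuln:Description>EXAMPLE:advisory-1</vuln:Description>
      </vuln:Reference>
    </vuln:References>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="2">
    <vuln:Title>CVE-2016-12345</vuln:Title>
    <vuln:Notes>
      <vuln:Note Type="Description" Ordinal="1">Constructed description: missing authorization check in example gadget.</vuln:Note>
    </vuln:Notes>
    <vuln:CVE>CVE-2016-12345</vuln:CVE>
    <vuln:References/>
  </vuln:Vulnerability>
</cvrfdoc>
"""


def parse_cvrf(xml_text):
    """Parse a CVRF document into a plain dict: document metadata plus one entry per record."""
    # ElementTree's expat parser does not fetch external entities, but for a
    # full-year download consider ET.iterparse to avoid holding the whole tree in memory.
    root = ET.fromstring(xml_text)
    tracking = root.find("cvrf:DocumentTracking", NS)
    doc = {
        "title": root.findtext("cvrf:DocumentTitle", default="", namespaces=NS).strip(),
        "tracking_id": (tracking.findtext("cvrf:ID", default="", namespaces=NS) if tracking is not None else "").strip(),
        "vulnerabilities": [],
    }
    for v in root.findall("vuln:Vulnerability", NS):
        entry = {
            "cve": v.findtext("vuln:CVE", default="", namespaces=NS).strip(),
            "title": v.findtext("vuln:Title", default="", namespaces=NS).strip(),
            "description": "",
            "references": [],
        }
        # The record's description is the Note whose Type attribute is "Description".
        for note in v.findall("vuln:Notes/vuln:Note", NS):
            if note.get("Type") == "Description":
                entry["description"] = (note.text or "").strip()
        for ref in v.findall("vuln:References/vuln:Reference", NS):
            entry["references"].append(ref.findtext("vuln:URL", default="", namespaces=NS).strip())
        doc["vulnerabilities"].append(entry)
    return doc


def index_by_cve(doc):
    """Map CVE ID -> record so other tools can look records up by identifier."""
    return {v["cve"]: v for v in doc["vulnerabilities"] if v["cve"]}


if __name__ == "__main__":
    index = index_by_cve(parse_cvrf(SAMPLE_CVRF))
    for cve, rec in index.items():
        print(cve, rec["description"], rec["references"])
```

Namespace-qualified lookups matter here: CVRF places the document-level elements in the `cvrf` namespace and the per-record elements in the `vuln` namespace, so a parser that searches by bare tag name finds nothing.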

Are CVE IDs mapped to IAVAs?

Yes, CVE IDs are mapped to the U.S. Defense Information System Agency's (DISA) Information Assurance Vulnerability Alerts (IAVAs). Mapping downloads are available in XML and XLS format on DISA's public Security Technical Implementation Guides (STIG) website at http://iase.disa.mil/stigs/iavm-cve.html.

How do I download a copy of CVE?

CVE is freely available for download, or you may search or view CVE on the website. The Download option allows you to download the entire CVE List in various formats: CVRF, XML, HTML, Text, or comma-separated. Refer to the CVE List section of this website for more information.

How do I search CVE?

There are three ways to obtain CVE data: View CVE, Download CVE, or Search CVE.

Refer to the CVE List section for more information. You may also search the U.S. National Vulnerability Database (NVD) for enhanced information on CVEs.

Can I search CVE by operating system?

The CVE search was designed to help identify specific vulnerabilities and exposures, and not to find sets of problems that share common attributes such as operating systems. Therefore, you should not search CVE by operating system because your results will be incomplete.

Note: The U.S. National Vulnerability Database (NVD), which is based upon and synchronized with the identifiers on the CVE List, is searchable by operating system.

I don't understand these entries. What's a "buffer overflow" anyway?

CVE is intended for use by security experts, so it assumes a certain level of knowledge. It is intentionally designed to be as compact and concise as possible. Other sources of information (such as CVE-Compatible websites and training resources) would be more appropriate for learning about vulnerabilities and exposures.

I searched CVE and I got two results back. How can I tell which is the one I want?

While the description for a CVE Identifier should uniquely identify a vulnerability or exposure, descriptions are intentionally brief, and in some instances you may need to rely on the accompanying references to make a determination. When this occurs it is either because not enough details about the problem were originally provided, because the description includes unique details that you may not be familiar with, or because of an error in the description itself. In addition to consulting the references, you could also search CVE-Compatible sites for the CVE Identifiers that you are uncertain about.

Note: The U.S. National Vulnerability Database (NVD) provides fix and other information for identifiers on the CVE List.

Compatibility

What does it mean to be "CVE-Compatible"?

"CVE-Compatible" means that a tool, website, database, or other security product or service uses CVE Identifiers in a manner that allows it to be cross-referenced with other products that employ CVE Identifiers. CVE-Compatible means:

Different tools provide different coverage/cross-referencing of CVE Identifiers (e.g., some tools might cover Unix, while others cover Windows). You will need to evaluate any CVE-Compatible products and services based upon your organization's specific requirements. Visit the CVE-Compatible Products and Services page for the most current information regarding the types and availability of CVE-Compatible products and services.

How can my product or service be made CVE-Compatible?

See "Requirements and Recommendations for CVE Compatibility" for detailed information.

How can my organization register our product or service as CVE-Compatible?

See the "CVE Compatibility Process" for detailed information.

Community

How can my organization and I be involved?

Network Security Administrators/Policy and Decision Makers: Adopt CVE-Compatible products/services or encourage your vendors to be CVE-Compatible to support your enterprise requirements.

Security Vendors/Vulnerability Database Managers/Service Providers: Deliver CVE-Compatible tools, databases, or services to your customers for better coverage, easier interoperability, and enhanced security across the enterprise.

Software Vendors: Incorporate the use and reservation of CVE Identifiers into your vulnerability handling process so that your customers can work with concise information and leverage the power of vulnerability scanners to verify that updates and fixes have been applied.

Vulnerability Researchers/Software Vendors: Incorporate the use and reservation of CVE Identifiers into your initial public announcement of a vulnerability to ensure that the CVE Identifier number is instantly available to all CVE users and to make it easier to track vulnerabilities over time.

What is a CVE Numbering Authority (CNA)? How can my organization become a CNA?

A CVE Numbering Authority (CNA) is an organization that distributes CVE IDs to researchers and information technology vendors for inclusion in first-time public announcements of new vulnerabilities, without directly involving MITRE in the details of the specific vulnerabilities.

Information about CVE ID reservation, the role and requirements of CNAs, vendor liaisons, researcher responsibilities, and the process for requesting CVE ID numbers is available on the CVE Numbering Authority (CNA) page in the CVE List section.

Organizations wishing to become a CNA should first review the information on the CVE Numbering Authority (CNA) page, and then contact us at cve@mitre.org.

Who is the CVE Board? How can I join?

The CVE Board includes numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information. Through open and collaborative discussions, the Board provides critical input regarding the data sources, product coverage, coverage goals, operating structure, and strategic direction of the CVE program.

Per the CVE Board Charter, "Prospective Board members (prospects) are those people, either at-large (i.e., independent), or representing an organization in industry, academia, or government, who will add value to the CVE Program. Prospects may be identified by anyone; however, a prospect must be nominated by a voting Board member."

Refer to the CVE Board page for additional information, and a complete list of current members.

What is MITRE's role in CVE? How long does MITRE plan to maintain it?

The MITRE Corporation (MITRE) manages and maintains the CVE List with assistance from the CVE Board, conducts community outreach activities, maintains the CVE website, manages the CVE Compatibility program, oversees the CVE Numbering Authorities (CNAs), and provides neutral guidance throughout the process to ensure that CVE serves the public interest.

In accordance with its mission, MITRE has traditionally acted in the public interest. Its unique role allows it to provide an objective perspective to this effort. MITRE will maintain CVE as long as it serves the community to do so. 

Who sponsors CVE? What is the relationship between CVE and DHS?

CVE is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. MITRE, operating as DHS's Federally Funded Research and Development Center (FFRDC), manages this CVE website, the compatibility program, the CVE Board, the CVE Numbering Authorities (CNAs), and community engagement to enable open and public collaboration with all stakeholders. In addition, US-CERT incorporates CVE Identifiers into its security advisories whenever possible and advocates the use of CVE and CVE-Compatible products and services to the U.S. government and all members of the information security community.

Page Last Updated or Reviewed: November 04, 2016