Frequently Asked Questions

CVE FAQ in Spanish
by Maria Ramos of
Webhostinghub.com

  1. Introduction
    1. What is CVE?
    2. What is a "vulnerability"?
    3. What is an "exposure"?
    4. Why CVE? Is there a lot of support for something like this?
    5. Is CVE intended for public use? Where can I get the latest copy of CVE?
    6. Who owns CVE?
    7. Isn’t CVE just another vulnerability database?
    8. How does a vulnerability or exposure become a CVE Identifier?
    9. Where does CVE find out about these vulnerabilities and exposures?
    10. Does CVE contain all vulnerabilities and exposures?
    11. What is the difference between CVE Identifiers and Buqtraq IDs?
    12. What is a CVE Numbering Authority (CNA)? How can my organization become a CNA?
    13. How can CVE help me?
    14. How can my organization and I be involved?
    15. Is someone from CVE available to speak or participate on panel discussions at industry-related events, meetings, etc.?
    16. Does CVE participate in link exchange arrangements?
  2. CVE List Basics
    1. What is a CVE Identifier?
    2. How can I obtain a CVE Identifier?
    3. Are there references available for CVE Identifiers?
    4. Are there release versions of the CVE List?
    5. Does CVE have an RSS Feed (XML)?
    6. Does CVE have a procedure for determining how to assign CVE Identifiers to newly discovered vulnerabilities?
    7. How can I find out when new CVE Identifiers are added to the CVE Web site?
    8. Why did CVE retire the term CVE "candidates"?
    9. What is the relationship between the CVE List and the National Vulnerability Database (NVD)?
    10. How are the CVE Identifier descriptions created or compiled?
    11. What does "Date Entry Created" signify in a CVE Identifier?
    12. How can I update existing information or add new information to a CVE Identifier description or reference?
  3. Using the CVE List
    1. How do I search CVE?
    2. I don’t understand these entries. What’s a "buffer overflow" anyway?
    3. I searched CVE and I got two results back. How can I tell which is the one I want?
    4. Can I search CVE by operating system?
    5. Why doesn’t CVE include fix information, impact, classification, or other important technical details?
    6. Why doesn’t CVE use a taxonomy?
    7. Can’t hackers use this to break into my network?
    8. Someone has hacked into my Web site. Can CVE help me recover?
    9. How can CVE help me protect my network?
    10. How will CVE help me compare security tools?
    11. Can I include CVE Identifiers in my product/security advisory/etc.?
    12. How can I get a copy of CVE?
    13. Is CVE content available in Common Vulnerability Reporting Framework (CVRF) format?
    14. Are CVE-IDs mapped to IAVAs?
  4. Compatibility
    1. What does it mean to be "CVE-Compatible"?
    2. How can my product or service be made CVE-Compatible?
    3. Can my organization register our product or service as CVE-Compatible?
    4. Do security advisories and vendor alerts incorporate CVE Identifiers? How can this help me?
  5. Community
    1. Who is the CVE Editorial Board?
    2. What is MITRE?
    3. What is MITRE’s role in CVE?
    4. Why is MITRE maintaining CVE, and how long does MITRE plan to maintain it?
    5. Who pays for CVE? Who is the sponsor?
  6. CVE-ID Syntax Change
    1. Why is the CVE-ID Syntax changing? Why is it important?
    2. When did the CVE-ID Syntax Change take effect?
    3. What is the new CVE-ID Syntax?
    4. What are some examples of the new CVE-ID Syntax?
    5. Will older already assigned CVE-IDs need to be updated to the new syntax?
    6. How will the CVE-ID Syntax Change affect me? What should I do to prepare?
    7. How was the new CVE-ID syntax determined?
    8. Is there more detailed information available about the CVE-ID Syntax Change?
    9. May I repost the CVE-ID Syntax Change infographic on my website and/or on social media?
    10. Is technical guidance and/or test data available for handling the new CVE-ID Syntax?
    11. I have a follow-up question about the CVE-ID Syntax Change that is not answered here, how do I contact the CVE Team?
    12. Why has CVE not yet published a 5-digit CVE-ID? Is there a deadline for when one will be published?

Introduction

A1. What is CVE?

CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration."

A2. What is a "vulnerability"?

An information security vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network. See the Terminology page for a complete explanation of how this term is used on the CVE Web site.

A3. What is an "exposure"?

An information security exposure is a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network. See the Terminology page for a complete explanation of how this term is used on the CVE Web site.

A4. Why CVE? Is there a lot of support for something like this?

Using a common identifier makes it easier to share data across separate databases, tools, and services, which until the creation of CVE in 1999, were not easily integrated. If a report from a security capability incorporates CVE Identifiers, you may then quickly and accurately access fix information in one or more separate CVE-compatible tools, services, and repositories to remediate the problem. With CVE, your tools and services can "speak" (i.e., exchange data) with each other. You'll know exactly what each covers because CVE provides you with a baseline for evaluating the coverage of your tools. This means you can determine which tools are most effective and appropriate for your organization's needs. In short, CVE-compatible tools, services, and databases will give you better coverage, easier interoperability, and enhanced security.

CVE is industry endorsed by the CVE Editorial Board and the numerous organizations that have declared their products CVE-compatible or include CVE Identifiers in their vendor alerts and security advisories. CVE content is approved by the CVE Editorial Board, which is comprised of leading representatives from the information security community.

A5. Is CVE intended for public use? Where can I get the latest copy of CVE?

CVE is free to use and publicly available to anyone interested in correlating data between different vulnerability or security tools, repositories, and services. You may search or download CVE, copy it, redistribute it, reference it, and analyze it, provided you do not modify CVE itself. You may also link to specific CVE Identifier pages from your Web site, product, publication, or other capability.

A6. Who owns CVE?

CVE is sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Operating as DHS’s Federally Funded Research and Development Center (FFRDC), MITRE has copyrighted the CVE List for the benefit of the community in order to ensure it remains a free and open standard, as well as to legally protect the ongoing use of it and any resulting content by government, vendors, and/or users. In addition, MITRE has trademarked ® the CVE acronym and the CVE logo to protect their sole and ongoing use by the CVE effort within the information security arena.

MITRE maintains CVE and this public Web site, manages the compatibility program, and provides impartial technical guidance to the CVE Editorial Board throughout the process to ensure CVE serves the public interest.

A7. Isn’t CVE just another vulnerability database?

No. CVE is not a vulnerability database. CVE is designed to allow vulnerability databases and other capabilities to be linked together, and to facilitate the comparison of security tools and services. As such, CVE does not contain information such as risk, impact, fix information, or detailed technical information. CVE only contains the standard identifier number with status indicator, a brief description, and references to related vulnerability reports and advisories. (Note: The U.S. National Vulnerability Database (NVD) provides fix and other information for identifiers on the CVE List.)

A8. How does a vulnerability or exposure become a CVE Identifier?

The process begins with the discovery of a potential security vulnerability or exposure. The information is then assigned a CVE Identifier by a CVE Numbering Authority (CNA) and posted on the CVE Web site. As part of its management of CVE, The MITRE Corporation functions as Editor and Primary CNA. The CVE Editorial Board oversees this process.

For additional information, see About CVE Identifiers.

A9. Where does CVE find out about these vulnerabilities and exposures?

CVE is based on publicly available information. Throughout the life of the CVE List, MITRE has relied on external data sources to identify vulnerabilities. In addition, CVE Identifiers for possible new vulnerabilities and exposures are reserved regularly by the CVE Numbering Authorities and then included in their vendor and security community alerts and advisories. As a result, MITRE can concentrate on devising the standard names rather than "reinventing the wheel" and conducting the research required to find the initial vulnerability reports.

A10. Does CVE contain all vulnerabilities and exposures?

No. The intention of CVE is to be comprehensive with respect to all publicly known vulnerabilities and exposures. While CVE is designed to contain mature information, our primary focus is on identifying vulnerabilities and exposures that are detected by security tools and any new problems that become public.

A11. What is the difference between CVE Identifiers and Bugtraq IDs?

Bugtraq IDs are identifiers for a commercially operated vulnerability database that are used in security advisories and alerts, as well as for discussions on the Bugtraq mailing list. CVE Identifiers are from an international information security effort that is publicly available and free to use. CVE Identifiers are for the sole purpose of providing a common name. For this reason, CVE Identifiers are frequently used by researchers and the makers of security tools, Web sites, databases, and services as a standard method for identifying vulnerabilities and for cross-linking with other repositories that also use CVE Identifiers.

Note also that SecurityFocus, which runs Bugtraq, is a member of the CVE Editorial Board, includes CVE Identifiers in its security announcements, and is listed on the CVE-Compatible Products and Services page.

A12. What is a CVE Numbering Authority (CNA)? How can my organization become a CNA?

A CVE Numbering Authority (CNA) is an organization that distributes CVE-ID numbers to researchers and information technology vendors for inclusion in first-time public announcements of new vulnerabilities, without directly involving MITRE in the details of the specific vulnerabilities.

Information about CVE-ID reservation, role and requirements of CNAs, vendor liaisons, researcher responsibilities, and the process for requesting CVE-ID numbers, on the CVE Numbering Authority (CNA) page in the CVE List section.

Organizations wishing to become a CNA should first review the information on the CVE Numbering Authority (CNA) page, and then contact us at cve@mitre.org.

A13. How can CVE help me?

A CVE Identifier will give you a standardized identifier for any given vulnerability or exposure. Knowing this identifier will allow you to quickly and accurately access information about the problem across multiple information sources that are CVE-compatible. For example, if you own a security tool whose reports contain references to CVE Identifiers, you may then access fix information in a separate CVE-compatible database. CVE also provides you with a baseline for evaluating the coverage of your tools. With CVE's common names, you'll know exactly what each tool covers allowing you to determine which tools are most effective and appropriate for your organization’s needs.

In addition, if the security advisories your organization receives are CVE-compatible, you can see if your vulnerability scanners check for this threat and then determine whether your intrusion detection system has the appropriate attack signatures to identify attempts to exploit particular vulnerabilities. If you build or maintain systems for customers, the CVE compatibility of advisories will help you to directly identify any fixes from the vendors of the commercial software products in those systems (if the vendor fix site is CVE-compatible). See Enterprise Security Enabled by CVE for additional information.

A14. How can my organization and I be involved?

Network Security Administrators/Policy and Decision Makers: Adopt CVE-compatible products/services or encourage your vendors to be CVE-compatible to support your enterprise requirements.

Security Vendors/Vulnerability Database Managers/Service Providers: Deliver CVE-compatible tools, databases, or services to your customers for better coverage, easier interoperability, and enhanced security across the enterprise.

Software Venders: Incorporate the use and reservation of CVE Identifiers into your vulnerability handling process so that your customers can work with concise information and leverage the power of vulnerability scanners to verify that updates and fixes have been applied.

A15. Is someone from CVE available to speak or participate on panel discussions at industry-related events, meetings, etc.?

Yes, members of the CVE and the related Making Security Measurable efforts are available to present or participate in panel discussions about CVE and/or other vulnerability management topics. Contact cve@mitre.org for more information and availability.

A16. Does CVE participate in link exchange arrangements?

No, CVE does not exchange links with other Web sites. Only authorized links are allowed on the CVE Web site such as references for CVE Identifiers and those for CVE-Compatible Products and Services, CVE Editorial Board Members, CVE Sponsors, and News about CVE.

B. CVE List

B1. What is a CVE Identifier?

CVE Identifiers (also called "CVE names," "CVE numbers," "CVE-IDs," and "CVEs") are unique, common identifiers for publicly known information security vulnerabilities.

Each CVE Identifier includes the following:

  • CVE identifier number (i.e., "CVE-1999-0067").
  • Brief description of the security vulnerability or exposure.
  • Any pertinent references (i.e., vulnerability reports and advisories or OVAL-ID).

CVE Identifiers are used by information security product/service vendors and researchers as a standard method for identifying vulnerabilities and for cross-linking with other repositories that also use CVE Identifiers. See About CVE Identifiers for additional information.

IMPORTANT: CVE-ID Syntax Change takes effect on January 1, 2014.

B2. How can I obtain a CVE Identifier?

See Request a CVE Identifier.

B3. Are there references available for CVE Identifiers?

Each CVE Identifier includes appropriate references. The CVE Web site also includes a Reference Maps page with links to documents from the commonly used information sources that are used as references for CVE entries. Each reference used in CVE (1) identifies the source, (2) includes a well-defined identifier to facilitate searching on a source's Web site, and (3) notes the associated CVE Identifier.

B4. Are there release versions of the CVE List?

As new CVE Identifiers are now added to the CVE Web site on a daily basis and are immediately usable by the community, the most current version of CVE is on the CVE List Master Copy page. The CVE Versions Archive page provides an archive of old CVE versions, the last of which was issued in 2006.

B5. Does CVE have an RSS Feed (XML)?

CVE itself does not currently offer an RSS feed, however, the U.S. National Vulnerability Database (NVD) provides an RSS feed of all fully analyzed CVE Identifiers, which includes the names of the vulnerable products in the headers.

In addition, CVE Change Logs a free tool from CERIAS/Purdue University allows users to obtain daily or monthly changes to CVE Identifiers.

B6. Does CVE have a procedure for determining how to assign CVE Identifiers to newly discovered vulnerabilities?

Yes. CVE editorial policies, or "content decisions" (CDs), are the criteria and consistency rules that determine (1) what security issues become CVE Identifiers on the CVE List, and (2) how we distinguish between similar or security related issues.

Generally, the CVE approach is to create separate CVE Identifiers for:

  • Vulnerabilities of different types
  • Vulnerabilities of the same type that appear in different versions
  • Vulnerabilities that appear in different codebases (i.e., "by vendor;" however, this also includes vendors who share the same code such as Linux/Unix vendors)

See CVE Editorial Policies for a detailed description and examples of this process.

B7. How can I find out when new CVE Identifiers are added to the CVE Web site?

A free tool from CERIAS/Purdue University monitors changes to the CVE List. "CVE Change Logs" allows you to obtain daily or monthly changes to the list. The tool is a feature of CERIAS’ Cassandra incident response database service, which is listed on the CVE-Compatible Products and Services page.

In addition, you may search for recently assigned CVE Identifiers in the U.S. National Vulnerability Database (NVD).

B8. Why did CVE retire the term CVE "candidates"?

When the CVE Initiative first began in 1999 and vulnerabilities were discovered and published less frequently than they are today, CVE Identifiers were issued "candidate" or "entry" status, where candidate status indicated that the identifier was under review for inclusion on the CVE List and entry status indicated that the identifier has been formally accepted to the list. CVE Identifiers with candidate status used the CAN-prefix (e.g., "CAN-1999-0067"), while CVE Identifiers with entry status used the CVE-prefix (e.g., "CVE-1999-0067"). This meant that the individual identifier numbers themselves would need to be changed once a candidate had been updated to entry status, placing a significant burden on the numerous vendors and organizations around the world that would in turn need to update their tools and processes to accommodate the replacement identifier numbers. This became especially burdensome as the volume of vulnerabilities being discovered and added to the CVE List increased dramatically each year (CVE Identifiers are now added to the CVE Web site on a daily basis). Therefore, at the request of the community, as of 2005 all CVE Identifiers now use the CVE-prefix and are immediately usable by the community. While references and other supporting information may be updated over time, the CVE Identifier number itself does not change once it has been assigned to an issue.

B9. What is the relationship between the CVE List and the National Vulnerability Database (NVD)?

The CVE List feeds the U.S. National Vulnerability Database (NVD), which then builds upon the information included in CVE entries to provide enhanced information for each CVE Identifier such as fix information, severity scores, and impact ratings. NVD also provides advanced searching features such as by individual CVE-ID; by OS; by vendor name, product name, and/or version number; and by vulnerability type, severity, related exploit range, and impact.

B10. How are the CVE Identifier descriptions created or compiled?

The "Description" portion of CVE Identifiers (CVE-IDs) are written by MITRE’s CVE Content Team, who analyze public, third-party reports of vulnerabilities (i.e., "references"); extract the relevant information from each reference; resolve any conflicting information or inconsistent usage of terminology; and then write the description following the established CVE style (not publicly documented) that attempts to include the relevant details that are most useful to help users to (1) find a CVE for a vulnerability that they need, and/or (2) distinguish between similar-looking vulnerabilities.

Whenever possible, the description includes details such as the name of the affected product and vendor, a summary of affected versions, the vulnerability type, the impact, the access that an attacker requires to exploit the vulnerability, and the important code components or inputs that are involved. However, since this information is not always publicly available, not all descriptions will include all of these details.

B11. What does "Date Entry Created" signify in a CVE Identifier?

The "Date Entry Created" date in a CVE Identifier (CVE-ID) indicates when the CVE-ID was issued to a CVE Numbering Authority (CNA) or published on the CVE List.

This date does not indicate when the vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. That information may or may not be included in the description or references of a CVE-ID, or in the enhanced information for the CVE-ID that is provided in the U.S. National Vulnerability Database (NVD).

B12. How can I update existing information or add new information to a CVE Identifier description or reference?

Updated references and/or fix information in the form of references, modifications to the description of the affected versions change, and/or other suggested description corrections for a CVE Identifier (CVE-ID) can be submitted to cve@mitre.org for consideration by the CVE Content Team. Please indicate the specific CVE-ID, your requested changes, and if available, any URLs for public statements that you have made regarding the issue.

If you wish to make a specific vendor statement, you can use the U.S. National Vulnerability Database (NVD) "Vendor Comments" feature at http://nvd.nist.gov for a specific CVE-ID.

C. Using CVE

C1. How do I search CVE?

There are three ways to obtain CVE data: View CVE, Download CVE, or Search CVE.

  • The View option will provide an HTML formatted listing of the current version of the CVE List. The top of the HTML listing will have a heading in the following format: CVE (version 19990929). This indicates it is a listing of all entries in CVE as of the version date, which is in the format "YearMonthDay."
  • The Download option will allow you to download the entire CVE List in various formats: (HTML, Text, or comma separated).
  • The Search option allows you to search CVE by keywords or by CVE Identifier.

Refer to the CVE List section for more information. You may also search the U.S. National Vulnerability Database (NVD) for enhanced information on CVEs.

C2. I don't understand these entries. What’s a "buffer overflow" anyway?

CVE is intended for use by security experts, so it assumes a certain level of knowledge. It is intentionally designed to be as compact and concise as possible. Other sources of information (such as CVE-compatible Web sites and training resources) would be more appropriate for learning about vulnerabilities and exposures.

C3. I searched CVE and I got two results back. How can I tell which is the one I want?

While the description for a CVE Identifiers should be able to uniquely identify a vulnerability or exposure, they are intentionally brief, and in some instances you may need to rely on the accompanying references to make a determination. When this occurs it is either because not enough details about the problem were originally provided, because the description includes unique details that you may not be familiar with, or because of an error in the description itself. In addition to referring to the references, you could also search through CVE-compatible sites by specifying the CVE Identifiers that you are uncertain about.

Note: The U.S. National Vulnerability Database (NVD) provides fix and other information for identifiers on the CVE List.

C4. Can I search CVE by operating system?

The CVE search was designed to help identify specific vulnerabilities and exposures, and not to find sets of problems that share common attributes such as operating systems. Therefore, you should not search CVE by operating system because your results will be incomplete.

Note: The U.S. National Vulnerability Database (NVD), which is based upon and synchronized with the identifiers on the CVE List, is searchable by operating system.

C5. Why doesn’t CVE include fix information, impact, classification, or other important technical details?

This information can already be found in numerous vulnerability Web sites, databases, and security tool databases. CVE doesn’t have this information because CVE is intended to link these different vulnerability capabilities, not to replace them.

Note: The U.S. National Vulnerability Database (NVD) provides fix and other information for identifiers on the CVE List.

C6. Why doesn't CVE use a taxonomy?

Developing a universally applicable taxonomy for vulnerabilities is an ongoing area of research. One goal of CVE is to capture community agreement. The enumeration and categorization of vulnerabilities are different (albeit related) efforts. The effort of building and populating the CVE List may facilitate further advances in the study of vulnerability taxonomies.

C7. Can’t hackers use this to break into my network?

Any public discussion of vulnerability information may help a hacker. However, there are several reasons why the benefits of CVE outweigh its risks:

  • CVE is restricted to publicly known vulnerabilities and exposures.
  • For a variety of reasons, sharing information is more difficult within the information security community than it is for hackers.
  • It takes much more work for an organization to protect its networks and fix all possible holes than it takes for a hacker to find a single vulnerability, exploit it, and compromise the network.
  • There is a shift in community opinion towards sharing information, as reflected in the fact that the CVE Editorial Board includes key organizations in information security.

C8. Someone has hacked into my Web site. Can CVE help me recover?

CVE cannot help you to determine precisely what vulnerability an attacker may have exploited to obtain unauthorized access. But once you determine what vulnerability was exploited, you could find the CVE Identifier and use it to examine CVE-compatible information sources in order to obtain fix information, technical details, and other information that will be helpful to you.

C9. How can CVE help me protect my network?

By using the CVE Identifier for a particular vulnerability or exposure, you will be able to quickly and accurately obtain information from a variety of CVE-compatible information sources. By facilitating better comparisons between different security tools and services, CVE can help you make a better choice as to which of these capabilities are appropriate for your needs. You may also be able to create a suite of interoperable security tools and capabilities from multiple vendors, if those tools and capabilities incorporate CVE as a translation mechanism.

Using CVE-Compatible Products and Services will allow you to improve how your organization responds to security advisories. If the advisory is CVE-compatible, you can see if your scanners or security service checks for this threat and then determine whether your intrusion detection system has the appropriate attack signatures. If you build or maintain systems for customers, the CVE compatibility of advisories will help you to directly identify any fixes from the vendors of the commercial software products in those systems (if the vendor fix site is CVE-compatible).

Other indirect benefits may also arise from CVE. For example, it facilitates better research on vulnerabilities and exposures. See Enterprise Security Enabled by CVE for additional information.

C10. How will CVE help me compare security tools?

With CVE, your vulnerability databases, services, and tools can "speak" to each other. Until the creation of CVE in 1999 it was very difficult to effectively decide which tool was the most appropriate for an organization's needs. Each vendor used a different definition of "vulnerability" or "exposure" and used different metrics to state how many vulnerabilities or exposures they "check" or "test." CVE provides vendors with a standard list they can compare to, thus allowing you to compare apples to apples. In the longer term, CVE may be useful for obtaining quantitative data on tool behaviors, such as how they perform their checks, the impact they have on the systems they examine, the rate of false positives or false negatives, or how quickly they update their tools when new entries are introduced into CVE.

C11. Can I include CVE Identifiers in my product/database/security advisory/etc.?

Yes, CVE is free to use. You may search or download CVE, copy it, redistribute it, reference it, and analyze it, provided you do not modify CVE itself. You may also link to specific CVE Identifier pages from your Web site, product, publication, or other capability. In addition, CVE Identifiers are already being included in a number of security advisories (see the Organizations with CVE Identifiers in Advisories page), and numerous companies and organizations are making their information security products CVE-compatible. Visit the CVE-Compatible Products and Services page for the most current information regarding the types and availability of CVE-compatible products and services.

C12. How can I get a copy of CVE?

CVE is freely available for download, or you may search or view CVE on the Web site. The Download option allows you to download the entire CVE in various formats: XML, HTML, Text, or comma separated. Refer to the CVE List section for more information.

C13. Is CVE content available in Common Vulnerability Reporting Framework (CVRF) format?

Yes, CVE content can be downloaded in Common Vulnerability Reporting Framework (CVRF) format on the Download CVE page. A single download of all CVE entries in CVRF format is available, as are downloads for individual calendar years in CVRF format such as 2013, etc.

CVRF, developed by the Industry Consortium for Advancement of Security on the Internet (ICASI), is an XML-based standard that enables software vulnerability information to be shared in a machine-parsable format between vulnerability information providers and consumers. Having vulnerability information in a single, standardized format speeds up information exchange and digestion, while also enabling automation. CVRF is currently used by major vendors, including Cisco Systems, Inc., Oracle Corporation, Microsoft Corporation, and Red Hat, Inc., which issue their security advisories in CVRF format.

Visit the CVE Usage of CVRF page to learn more, or the Download CVE page to access CVE content in CVRF format.

C14. Are CVE-IDs mapped to IAVAs?

Yes, CVE-IDs are mapped to the U.S. Defense Information System Agency's (DISA) Information Assurance Vulnerability Alerts (IAVAs). Mapping downloads are available in XML and XLS format on DISA's public Security Technical Implementation Guides (STIG) Web site at http://iase.disa.mil/stigs/iavm-cve.html.

D. CVE Compatibility

D1. What does it mean to be "CVE-compatible"?

"CVE-compatible" means that a tool, Web site, database, or other security product or service uses CVE Identifiers in a manner that allows it to be cross-referenced with other products that employ CVE Identifiers. CVE-compatible means:

  • CVE SEARCHABLE - A user can search using a CVE Identifier to find related information.
  • CVE OUTPUT - Information is presented that includes the related CVE Identifier(s).
  • MAPPING - The repository owner has provided a mapping relative to a specific version of CVE, and has made a good faith effort to ensure accuracy of that mapping.
  • DOCUMENTATION - The organization's standard documentation includes a description of CVE, CVE compatibility, and the details of how its customers can use the CVE-related functionality of its product or service.

Different tools provide different coverage/cross-referencing of CVE Identifiers (e.g., some tools might cover Unix, while others cover Windows). You will need to evaluate any CVE-compatible products and services based upon your organization’s specific requirements. Visit the CVE-Compatible Products and Services page for the most current information regarding the types and availability of CVE-compatible products and services.

D2. How can my product or service be made CVE-Compatible?

See "Requirements and Recommendations for CVE Compatibility" for detailed information.

D3. Can my organization register our product or service as CVE-Compatible?

Any organization with a security product or service that uses CVE Identifiers in a way that allows it to cross-link with other products or services that use CVE Identifiers may request to register as CVE-compatible. The organization will need fulfill the conditions listed in the "CVE Compatibility Process," which includes two phases: (1) the Declaration Phase in which the organization declares its intent to make its product(s) and/or service(s) CVE-compatible; and (2) the Evaluation Phase, which requires the completion of a questionnaire that specifically looks for the details of how the organization has satisfied the "Requirements and Recommendations for CVE Compatibility" document. An organization must complete phase 1 before being eligible for phase 2. Organizations that successfully complete the second phase will be included in a branding program that offers an official CVE-Compatible Product/Service logo to indicate compatibility, among other benefits.

To begin the registration process, review the official CVE Compatibility Process then send an email to cve@mitre.org with your company name and contact information, the type of product, and the name of the product or service.

D4. Do security advisories and vendor alerts incorporate CVE Identifiers? How can this help me?

Yes, numerous organizations incorporate CVE Identifiers in their advisories and alerts. If an advisory is CVE-compatible, you can see if your CVE-compatible scanners check for this threat and then determine whether your CVE-compatible intrusion detection system has the appropriate attack signatures. If your software vendor uses CVE Identifiers in their security advisories you can use CVE-compatible vulnerability scanners to check whether the fixes have been applied. Finally, if you build or maintain systems for customers, the CVE compatibility of advisories will help you to directly identify any fixes from the vendors of the commercial software products in those systems (if the vendor fix site is CVE-compatible).

E. CVE Community

E1. Who is the CVE Editorial Board?

The CVE Editorial Board includes representatives from numerous security-related organizations such as security tool vendors, security service providers, academic institutions, and government, as well as other prominent security experts. Refer to the CVE Editorial Board page for a complete list of member organizations.

E2. What is MITRE’s role in CVE?

The MITRE Corporation (MITRE) manages and maintains the CVE List with assistance from the CVE Editorial Board, conducts community outreach activities, maintains the CVE Web site, manages the CVE Compatibility program, and provides neutral guidance throughout the process to ensure that CVE serves the public interest.

In partnership with government clients, The MITRE Corporation is a not-for-profit corporation working in the public interest. It addresses issues of critical national importance, combining systems engineering and information technology to develop innovative solutions that make a difference.

MITRE’s work is focused within Federally Funded Research and Development Centers (FFRDCs) for the: Department of Defense, Federal Aviation Administration, Internal Revenue Service and Department of Veterans Affairs, Department of Homeland Security, Administrative Office of the U.S. Courts, and the Centers for Medicare and Medicaid Services.

E3. Why is MITRE maintaining CVE, and how long does MITRE plan to maintain it?

In accordance with its mission, MITRE has traditionally acted in the public interest. Its unique role allows it to provide an objective perspective to this effort. MITRE will maintain CVE as long as it serves the community to do so.

E4. Who pays for CVE? Who are the Sponsors?

Current and past sponsors are listed on the Sponsors page. Also see E5. What is the relationship between CVE and DHS?

E5. What is the relationship between CVE and DHS?

CVE is sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. MITRE, operating as DHS's Federally Funded Research and Development Center (FFRDC), manages this CVE Web site, the compatibility program, the CVE Editorial Board, and community engagement to enable open and public collaboration with all stakeholders. In addition, US-CERT which is part of DHS, incorporates CVE Identifiers into its security advisories whenever possible and advocates the use of CVE and CVE-Compatible products and services to the U.S. government and all members of the information security community.

F. CVE-ID Syntax Change

F1. Why is the CVE-ID Syntax changing? Why is it important?

The CVE Identifier (CVE-ID) syntax used since the inception of CVE in 1999, CVE-YYYY-NNNN, only supports a maximum of 9,999 unique identifiers per year. Due to the ever increasing volume of public vulnerability reports, the CVE Editorial Board and MITRE determined that the Common Vulnerabilities and Exposures (CVE®) project needed to change the syntax of its standard vulnerability identifiers so that CVE can track more than 10,000 vulnerabilities in a single year.

The new CVE-ID syntax was determined in a vote by the CVE Editorial Board, details of which are available in the CVE Editorial Board Discussion List Archives.

Also see the CVE-ID Syntax Change, Technical Guidance for Handling the New CVE-ID Syntax, and Organizations Compliant with the New CVE-ID Syntax pages in the CVE List section.

F2. When did the CVE-ID Syntax Change take effect?

The new syntax for CVE Identifiers took effect on January 1, 2014. However, a CVE-ID number using the new syntax will be issued either before the end of 2014 and no later than Tuesday, January 13, 2015. Organizations that use CVE-IDs that have not already done so need to take action now to ensure their products, tools, websites, and processes continue to work properly once CVE-ID numbers with 5 digits are issued. Read our press release.

Please note that the new syntax, which uses variable length arbitrary digits, will begin at four (4) fixed digits and expand with arbitrary digits only when needed in a calendar year. See F3. What is the new CVE-ID Syntax? for details.

F3. What is the new CVE-ID Syntax?

The new CVE-ID syntax is variable length and includes:

CVE prefix + Year + Arbitrary Digits

NOTE: The variable length arbitrary digits will begin at four (4) fixed digits and expand with arbitrary digits only when needed in a calendar year, for example, CVE-YYYY-NNNN and if needed CVE-YYYY-NNNNN, CVE-YYYY-NNNNNNN, and so on. This also means there will be no changes needed to previously assigned CVE-IDs, which all include 4 digits.

An infographic explaining the Current (i.e., "old") CVE-ID Syntax versus the New CVE-ID Syntax implemented on January 1, 2014 is included below.

CVE-ID Syntax Change

Please feel free to re-post this infographic, provided none of the information is altered. The infographic is available in the following formats: PNG, GIF, and EPS.

F4. What are some examples of the new CVE-ID Syntax?

Examples of identifiers in the new CVE-ID syntax are included below. Note that the arbitrary digits may be expanded from 4 digits when needed, but only IDs with up to 7 digits are shown below to help explain the new syntax. There is no limit on the number of arbitrary digits. Leading 0’s will only be used in IDs 1 to 999, as shown in column one below.

IDs with 4 digits IDs with 5 digits (when needed) IDs with 6 digits (when needed) IDs with 7 digits (when needed)
CVE-2014-0001 CVE-2014-10000 CVE-2014-100000 CVE-2014-1000000
CVE-2014-3127 CVE-2014-54321 CVE-2014-456132 CVE-2014-7654321
CVE-2014-9999 CVE-2014-99999 CVE-2014-999999 CVE-2014-9999999

NOTE: Some of the CVE-ID examples above have not yet been assigned.

F5. Will older already assigned CVE-IDs need to be updated to the new syntax?

No, all previously assigned CVE-IDs will remain as-is and will not be changed in any way as they already adhere to the new CVE-ID syntax because they include the CVE prefix + Year + 4 Arbitrary Digits (CVE-YYYY-NNNN), for example, CVE-1999-0067.

F6. How will the CVE-ID Syntax Change affect me? What should I do to prepare?

The CVE-ID syntax change will affect all users of CVE. Every type of CVE consumer, whether a vendor, CVE Numbering Authority (CNA), researcher, end user, etc., will need to consider the syntax change for the following CVE-related actions:

  • Output Format — CVE-IDs can be more than 13 characters wide (the length of a 4-digit CVE-ID), which could affect how CVEs are stored and presented in table columns, web pages, reports, databases, data feeds, XML documents, or other formats.
  • Input Format — Mechanisms that directly accept CVE IDs as input, such as a search routine or data feed, may need to be modified to accept the longer IDs. For example, an input routine might incorrectly report an error if it receives a CVE-ID with 5 digits.
  • Extraction or Parsing — Automated processes that detect the use of CVE-IDs in unstructured text, e.g., a vulnerability advisory, might need to be modified to remove the 4-digit assumption.

End users should ask your vendors and/or service providers if they have updated, or when they are planning to update, their products/services to the new CVE-ID syntax.

For technical guidance and test data regarding tools, web sites, and other capabilities that use CVE-IDs, please see the Technical Guidance for Handling the New CVE-ID Syntax page.

Please note that the set of categories of action above is neither complete nor authoritative, and this may guidance grow in the coming months so please check back often. In the meantime, if you have suggestions for this list, please contact us at cve-id-change@mitre.org.

F7. How was the new CVE-ID syntax determined?

Following periods of public feedback and discussion, the new CVE-ID syntax was determined in a final vote by the CVE Editorial Board in May 2013, details of which are available in the CVE Editorial Board Discussion List Archives.

Two rounds of voting were required, as the initial vote held by the Board in April 2013 among three proposed options resulted in a tie between the two of the options (learn more about the original three options). A second vote was then held in May 2013 with only two options, a slightly modified Option A that extended the available numbering space to 8 fixed digits and the unchanged Option B with variable length digits (learn more about the final two options).

In the second vote the CVE Editorial Board selected "Option B, CVE prefix + Year + Arbitrary Digits" with 15 of the 18 votes cast.

Detailed discussions and votes by the CVE Editorial Board are included in the CVE Editorial Board Discussion Archive — June 2013, CVE Editorial Board Discussion Archive — April 2013 and CVE Editorial Board Discussion Archive — May 2013 discussion archives.

F8. Is there more detailed information available about the CVE-ID Syntax Change?

Yes, links to the additional information are included below.

News page articles

F9. May I repost the CVE-ID Syntax Change infographic on my website and/or on social media?

Yes, we would like the syntax change announcement to have the widest possible audience. Please feel-free to re-post the "CVE-ID Syntax Change Infographic" included in the answer to question "F3. What is the new CVE-ID Syntax?" as you wish, provided none of the information is altered. Preferably the image would also link back to the http://cve.mitre.org/cve/identifiers/syntaxchange.html page on the CVE Web site.

The infographic is available for download in the following formats: PNG, GIF, and EPS.

Please send any questions about the infographic to cve-id-change@mitre.org.

F10. Is technical guidance and/or test data available for handling the new CVE-ID syntax?

Yes, for technical guidance and test data for developers and consumers for tools, web sites, and other capabilities that use CVE Identifiers (CVE-IDs), please see the Technical Guidance for Handling the New CVE-ID Syntax page.

F11. I have a follow-up question about the CVE-ID Syntax Change that is not answered here, how do I contact the CVE Team?

Please send any additional questions to cve-id-change@mitre.org.

F12. Why has CVE not yet published a 5-digit CVE-ID? Is there a deadline for when one will be published?

A 5-digit CVE-ID has not yet been published this calendar year because we want to give all CVE users as much notice as possible beforehand, so that we can minimize the amount of confusion and breakage that can occur.

As soon as a 5-digit CVE-ID is released, this could cause many products and processes to break — not just for vendors, but for end users. Because CVE is so widely used, we cannot be certain how widespread the impact will be once the first 5-digit CVE-ID is published. Also, many software products have release cycles that could take six months or more to fix any CVE-ID-related bugs. If we need more than 9,999 CVE-IDs in 2014, we will follow the new syntax and start using 5-digit CVE-IDs.

However, if we are not required to move to the new syntax before the end of 2014, we will ensure that we issue at least one 5-digit CVE-ID is issued by January 13, 2015 — after we have done our due diligence in reaching out to CVE consumers and vendors everywhere. Read our press release.

 
Page Last Updated: September 30, 2014