CVE Data Sources and Coverage

Current data sources, product coverage, and coverage goals for CVE are noted below. A list of past data sources has been archived for informational purposes.

CVE Coverage Goals

CVE's coverage goals are stated in terms of sources of information (e.g., websites, vendor advisories, vulnerability databases) and products (e.g., Microsoft Office, Red Hat Enterprise Linux).


CVE separates sources into two major groups: (1) "Full Coverage," for those that should be fully covered; and (2) "Partial Coverage," for those that should be partially covered.

Full Coverage

For nearly all issues disclosed by the source that could be associated with a CVE entry, there will be an associated CVE entry, regardless of the criticality of the issue. Although a source is named as Full Coverage, we purposely use the phrasing “nearly all issues disclosed” to allow the flexibility to potentially postpone coverage of minor issues.

Partial Coverage

The source will be actively monitored but issues will be processed and associated with CVE entries based on a variety of editorial judgments.

As a bridge to the product coverage goals (see Products below), we further sub-divide each of these lists into two sub-lists:

  • Vendor - meaning the source can be associated with a vendor or primary maintainer of a product or set of products.
  • Other - a catch-all for things like vulnerability databases, mailing lists and advisories from coordination centers, which tend to disclose vulnerability information from many different vendors.

NOTE:  MITRE actively monitors many sources beyond this list. These sources include things like blogs from vulnerability researchers, conference proceedings, and media outlets. Monitoring this set of sources has proven to be productive for and informative to the CVE analysts. Which sources are of most utility is highly dependent on a given situation. As such, we don't believe it of general utility to list them all specifically.

Full Coverage Sources - Vendor Related

  • Adobe
  • Apache Software Foundation: Apache HTTP Server
  • Apple
  • Attachmate: Novell
  • Attachmate: SUSE
  • Blue Coat
  • CA
  • Check Point: Security Gateways product line
  • Cisco: Security Advisories/Responses
  • Citrix
  • Debian
  • Dell Desktop/Notebook product lines
  • Dell SonicWALL Network Security product line - Service Bulletins
  • EMC, as published through Bugtraq
  • F5
  • Fortinet FortiGate product line
  • Fujitsu Desktop/Notebook product lines
  • Google: Google Chrome (includes WebKit)
  • HP: Security Bulletins
  • IBM: issues in IBM ISS X-Force Database
  • Internet Systems Consortium (ISC)
  • Juniper: (JunOS?)
  • Lenovo Desktop/Notebook product lines
  • McAfee
  • Microsoft: Security Bulletins/Advisories
  • MIT Kerberos
  • Mozilla
  • OpenSSH
  • OpenSSL
  • Oracle: Critical Patch Updates
  • RealNetworks
  • Red Hat
  • RIM/BlackBerry
  • Samba Security Updates and Information
  • SAP
  • Sendmail
  • Sophos
  • Symantec: Security Advisories
  • Ubuntu (Linux)
  • VMware
  • Websense

Full Coverage Sources - Other

  • HP: TippingPoint DVLabs
  • HP: TippingPoint Zero Day Initiative
  • MITRE CNA open-source requests
  • US-CERT: Technical Cyber Security Alerts
  • VeriSign iDefense

Partial Coverage Sources - Vendor Related

  • Android (associated with Google or Open Handset Alliance)
  • Apache Software Foundation: Apache Tomcat
  • Apache Software Foundation: other
  • CentOS
  • Check Point:
  • Cisco: Release Note Enclosures (RNE)
  • Drupal
  • Fedora
  • FoxIt Support Center - Security Advisories
  • FreeBSD
  • Gentoo (Linux)
  • Google: other (not Chrome or Android)
  • IBM ISS X-Force for non-IBM products
  • IBM: issues not in IBM ISS X-Force Database
  • Joomla!
  • Juniper - JTAC Technical Bulletins
  • (Linux kernel)
  • Mandriva
  • NetBSD
  • OpenBSD
  • PHP core language interpreter
  • SCO
  • TYPO3
  • WordPress

Partial Coverage Sources - Other

  • The VIM (Vulnerability Information Managers) mailing list:
  • AusCERT
  • Core Security CoreLabs
  • DOE JC3 (formerly DOE CIRC and CIAC)
  • Full Disclosure mailing list
  • HP: TippingPoint Pwn2Own
  • Exploit Database:
  • Juniper: J-Security Center - Threats and Vulnerabilities
  • Microsoft: Vulnerability Research (MSVR)
  • oss-security mailing list
  • Open Sourced Vulnerability Database (OSVDB)
  • Packet Storm
  • Rapid7 Metasploit
  • Secunia
  • SecuriTeam
  • SecurityTracker
  • Symantec: SecurityFocus BugTraq
  • Symantec: SecurityFocus Bugtraq ID
  • United Kingdom CPNI (formerly NISCC)
  • US-CERT: Vulnerability Notes


All products listed are considered to be "must have." This means that we will ensure that a CVE-ID is issued for any public disclosure for the product provided that the following two provisions are met:

  1. The disclosure is publicly associated with the product with a reasonably recognizable variant of the product name (we are not going to entirely solve the product identification problem).
  2. The disclosure is published in at least one source that is listed as either "full coverage" or "partial coverage," per the list of sources above.

Must-Have Products

The products listed below are stated as "vendor: product name" where the product name may be a specific product, set of products, or "all."

  • Adobe: all
  • Apache Software Foundation: all
  • Apple: all
  • Attachmate: Novell
  • Attachmate: SUSE
  • Blue Coat: all
  • CA: all
  • Check Point: Security Gateways product line
  • Cisco: all
  • Citrix -
  • Debian: all
  • Dell: Desktop/Notebook product lines
  • Dell: SonicWALL Network Security product line
  • EMC: all
  • F5: all
  • Fortinet: FortiGate product line
  • Fujitsu: Desktop/Notebook product lines
  • Google: Google Chrome (includes WebKit)
  • HP: all
  • IBM: all
  • Internet Systems Consortium (ISC): Bind
  • Juniper: all
  • Linux kernel
  • Lenovo: Desktop/Notebook product lines
  • McAfee: all
  • Microsoft: all
  • MIT Kerberos: all
  • Mozilla: all
  • MySQL: all
  • OpenLDAP: all
  • OpenSSH: all
  • OpenSSL: all
  • Oracle: all
  • PHP: core language interpreter
  • RealNetworks: all
  • Red Hat: all
  • RIM/BlackBerry: all
  • Samba: all
  • SAP: all
  • Sendmail: all
  • Sophos: all
  • Symantec: all
  • Ubuntu: all
  • VMware: all
  • Websense: all

Page Last Updated: March 10, 2016