CVE - Handling Duplicate Public CVE Identifiers

About CVE

Terminology
Documents
FAQs
CVE List

About CVE Identifiers
Obtain a CVE Identifier
Search CVE
Search NVD
CVE In Use

CVE Compatible Products
NVD for CVE Fix Information
More . . .
News & Events

Calendar
Free Newsletter
Community

CVE Editorial Board
Sponsor
Contact Us

Search the Site

CVE List

Data Updates & RSS Feeds
Reference Key/Maps
Data Sources
Versions
Search Tips
Editor's Commentary
Obtain a CVE Identifier
Editorial Policies
About CVE Identifiers

Items of Interest

Terminology
NVD

Handling Duplicate Public CVE Identifiers

Introduction | Criteria for Selecting the Preferred Identifier | Annotating Duplicate Identifiers | Additional Information

Introduction

As more vendors, researchers, and coordinators use CVE Identifiers in initial public vulnerability announcements, the risk of multiple assignments of the same CVE identifier increases. While all involved parties should coordinate on the CVE name for an issue, errors still occasionally occur, especially if one party does not normally use CVE. For that reason, when duplicate identifiers are made public, the Primary Candidate Numbering Authority (i.e., MITRE Corporation) must be consulted to choose the proper candidate to use.

Criteria for Selecting the Preferred Identifier

MITRE uses the following criteria to select which identifier will be associated with the issue:

PREFER THE MOST COMMONLY REFERENCED IDENTIFIER. This is roughly gauged by searching for all affected identifiers on a search engine and comparing results.
If the usage numbers of identifiers are about the same, then CHOOSE THE IDENTIFIER USED BY THE MOST AUTHORITATIVE SOURCE. The "most authoritative source" is roughly prioritized as: vendor, coordinator, researcher.
If the identifiers have the same level of authority, then CHOOSE THE IDENTIFIER THAT HAS BEEN PUBLIC FOR THE LONGEST PERIOD OF TIME.
If the identifiers have been public for the same amount of time, then CHOOSE THE IDENTIFIER WITH THE SMALLEST NUMERIC PORTION.

NOTE: The criteria are roughly prioritized and are still evolving.

Annotating Duplicate Identifiers

Once the preferred identifier has been selected by MITRE, MITRE will modify the descriptions of all other identifiers and reference the preferred identifier.

Additional Information

For more information see About CVE Identifiers or contact the CVE Editor at cve@mitre.org with any comments or concerns.

Page Last Updated: May 21, 2007