About CVE Identifiers

CVE Identifiers Defined

CVE Identifiers (also called "CVE names," "CVE numbers," "CVE-IDs," and "CVEs") are unique, common identifiers for publicly known information security vulnerabilities. CVE identifiers have "entry" or "candidate" status. Entry status indicates that the CVE Identifier has been accepted to the CVE List while candidate status (also called "candidates," "candidate numbers," or "CANs") indicates that the identifier is under review for inclusion in the list.

Creation of a CVE Identifier

The process of creating a CVE Identifier begins with the discovery of a potential security vulnerability or exposure. The information is then assigned a CVE candidate number by a CVE Candidate Numbering Authority (CNA), posted on the CVE Web site, and proposed to the Board by the CVE Editor. As part of its management of CVE, The MITRE Corporation functions as Editor and Primary CNA. The CVE Editorial Board discusses the candidate and votes on whether or not it should become a CVE entry. If the candidate is rejected, the reason for rejection is noted in the Editorial Board Archives posted on the CVE Web site. If the candidate is accepted, its status is updated to "entry" on the CVE List. However, the assignment of a candidate number is not a guarantee that it will become an official CVE entry.

The documents below explain CVE Identifiers and the creation of identifiers in more detail:

A description of the three stages of the process of building the CVE List: (1) the Initial Submission Stage, (2) Candidate Stage, and (3) Entry Stage. Also included is a description of the procedures for modifications and deletions in the CVE List.

This document includes a full discussion of CVE identifiers with "candidate" status, also called candidates, candidate numbers, and CANs, including what a candidate is, the two ways new security issues become candidates, how long it takes for candidates to be moved from candidate to entry status, how candidates are affected by CVE content decisions, and how users can find out about the most recent candidates.

CVE Editorial Policies, also called Content Decisions (CDs), are the guidelines the CVE Content Team uses to ensure that CVE identifiers are created in a consistent fashion, independent of who is doing the creation.
This page is a central location of information about, and related to, CDs including the following: Editorial Policies Overview; CVE Abstraction Content Decisions: Rationale and Application; and Handling Duplicate Public CVE Identifiers.

Each CVE identifier includes appropriate references. Each reference used in CVE (1) identifies the source, (2) includes a well-defined identifier to facilitate searching on a source's Web site, and (3) notes the associated CVE Identifier. CVE also includes a Reference Maps page with links to documents from the commonly used information sources that are used as references for CVE entries and candidates.

A list of the organizations from the information security community that provide us with vulnerability information that helps MITRE create new CVE candidates.

New CVE versions are created approximately once per quarter. When they are released, Version Reports are also made available that list the differences between versions. This page also includes a description of the various versions of CVE that have been released.

Additional Information

Candidate Numbering Authorities: Lists the several organizations currently participating as Candidate Numbering Authorities (CNAs).

Includes an introduction to the candidate reservation process; defines CNAs and provides the requirements for being a CNA, describes CNA tasks, and explains the communication requirements from the CNA to MITRE; defines the role of vendor liaisons, and explains the researcher's responsibilities in the process.

Describes how to obtain a CVE Identifier number from a CNA, or alternatively, the Primary CNA. Includes instructions for requesting the CVE Initiative's "CVE Candidate Reservation Guidelines for Researchers" and a link to our list of Researcher Responsibilities.

FAQs from the Frequently Asked Questions page in the About CVE section also address specific questions about CVE Identifiers, including "Does every CVE entry start as a candidate?" and "How long does it take for a candidate to become a CVE entry?" among others.