CVE-ID Syntax Change
Summary | New CVE-ID Syntax | How to Prepare | Technical Guidance and Test Data | Background | Q&A | Help
CVE has a new ID numbering format for CVE Identifiers (i.e., CVE-IDs) that requires organizations to take action to ensure their products, tools, websites, and processes continue to work properly once CVE-ID numbers are issued using the new syntax before the end of 2014 and no later than Tuesday, January 13, 2015. Read the press release.
Due to the ever increasing volume of public vulnerability reports, the CVE Editorial Board and MITRE determined that the Common Vulnerabilities and Exposures (CVE®) project should change the syntax of its standard vulnerability identifiers so that CVE can track more than 10,000 vulnerabilities in a single year. The old CVE Identifier (CVE-ID) syntax used since the inception of CVE in 1999, CVE-YYYY-NNNN, only supported a maximum of 9,999 unique identifiers per year, requiring the change. The new CVE-ID syntax was determined in a vote by the CVE Editorial Board, details of which are available in the CVE Editorial Board Discussion List Archives.
Implementation Date Deadline
The CVE-ID Syntax Change took effect on January 1, 2014.
BE PREPARED: A CVE-ID number using the new syntax could be issued before the end of 2014, but if not we will ensure that at least one 5-digit CVE-ID is issued by January 13, 2015.
The new CVE-ID syntax is variable length and includes:
CVE prefix + Year + Arbitrary DigitsIMPORTANT: The variable length arbitrary digits will begin at four (4) fixed digits and expand with arbitrary digits only when needed in a calendar year, for example, CVE-YYYY-NNNN and if needed CVE-YYYY-NNNNN, CVE-YYYY-NNNNNNN, and so on. This also means there will be no changes needed to previously assigned CVE-IDs, which all include 4 digits.
Examples of identifiers in the new CVE-ID syntax are included below. Note that the arbitrary digits may be expanded from 4 digits when needed, but only IDs with up to 7 digits are shown below to help explain the new syntax. There is no limit on the number of arbitrary digits. Leading 0’s will only be used in IDs 1 to 999, as shown in column one below.
NOTE: Some of the CVE-ID examples above have not yet been assigned.
Status of Previously Assigned CVE-IDs
All previously assigned CVE-IDs will remain as-is and will not be changed in any way as they already adhere to the new CVE-ID syntax because they include the CVE prefix + Year + 4 Arbitrary Digits (CVE-YYYY-NNNN), for example, CVE-1999-0067.
The CVE-ID syntax change will affect all users of CVE. Every type of CVE consumer, whether a vendor, CVE Numbering Authority (CNA), researcher, end user, etc., will need to consider the syntax change for the following CVE-related actions:
End users should ask your vendors and/or service providers if they have updated, or when they are planning to update, their products/services to the new CVE-ID syntax.
Please note that the set of categories of action above is neither complete nor authoritative, and this may guidance grow in the coming months so please check back often. In the meantime, if you have suggestions for this list, please contact us at firstname.lastname@example.org.
For technical guidance and test data for developers and consumers for tools, web sites, and other capabilities that use CVE Identifiers (CVE-IDs), please see the following:
New CVE-ID Syntax Determined by CVE Editorial Board
Following periods of public feedback and discussion, the new CVE-ID syntax was determined in a final vote by the CVE Editorial Board in May 2013, details of which are available in the CVE Editorial Board Discussion List Archives.
Two rounds of voting were required, as the initial vote held by the Board in April 2013 among three proposed options resulted in a tie between the two of the options (learn more about the original three options). A second vote was then held in May 2013 with only two options, a slightly modified Option A that extended the available numbering space to 8 fixed digits and the unchanged Option B with variable length digits (learn more about the final two options).
In the second vote the CVE Editorial Board selected "Option B, CVE prefix + Year + Arbitrary Digits" with 15 of the 18 votes cast.
Archived CVE Editorial Board Votes and Discussions
Links to additional information about the syntax change and Board discussion and voting are included below.
News page articles
CVE Editorial Board discussions
The questions below link to answers on the Frequently Asked Questions (FAQs) page of the CVE Web site.
Please address any questions to email@example.com.