CVE® International in scope and free for public use, CVE is a dictionary of publicly known information security vulnerabilities and exposures.

CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.

Widespread Use of CVE
Focus On

Technical Guidance & Test Data Available for Updating to the New CVE-ID Format

The format for CVE-IDs changed at the beginning of 2014 and CVE-IDs which previously could only have four fixed digits at the end, e.g., "CVE-2014-0160", can now accommodate five, six, or more digits at the end. Please note, the total number of CVE-IDs assigned in 2014 has surpassed 9,000, indicating that a CVE-ID number in the new CVE-ID numbering format with 5 digits (e.g., CVE-2014-XXXXX) will be issued no later than Tuesday, January 13, 2015 (read our press release). Organizations that do not update to the new CVE-ID format risk the possibility that their products and services could break or report inaccurate vulnerability identifiers, which could significantly impact users' vulnerability management practices.

To make it easy to update, the CVE Web site provides free technical guidance and CVE test data for developers and consumers to use to verify that their products and services will work correctly. In addition, for those who use National Vulnerability Database (NVD) data, NIST provides test data in NVD format at http://nvd.nist.gov/cve-id-syntax-change.

Comments or concerns about this guidance, and/or the test data, is welcome at cve-id-change@mitre.org.

 
Page Last Updated: December 18, 2014