CVE - CVE in Use

Items of Interest

CVE in Use

As the international industry standard for information security vulnerability and exposure names, CVE Identifiers are included in numerous products and services and are the foundation of others. CVE also helps in Making Security Measurable.

CVE-COMPATIBLE PRODUCTS

Use of CVE-IDs enhances these areas of enterprise security:

Sponsor: CS&C

National Vulnerability Database

National Vulnerability Database (NVD) provides:

Fix information for CVE-IDs
SCAP Mappings for CVE-IDs
NVD Advanced Search
(by individual CVE-ID; by OS; by vendor name, product name, and/or version number; and by vulnerability type, severity, related exploit range, and impact)

Sponsor: CS&C

GOVERNMENT

US-CERT Bulletins

Uses CVE-IDs to uniquely identify the vulnerabilities they report.

U.S. Government Agencies

National Institute of Standards and Technology (NIST) recommends use of CVE by U.S. agencies in two 2002 Special Publications: "800-51: Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme" & "800-40: Procedures for Handling Security Patches."

Security Content Automation Protocol (SCAP)

CVE is one of ten existing standards the U.S. National Institute of Standards and Technology’s (NIST) SCAP to enable automated vulnerability management, measurement, and policy compliance evaluation.

DISA Information Assurance Vulnerability Alerts

CVE-IDs are mapped to the U.S. Defense Information System Agency’s (DISA) Information Assurance Vulnerability Alerts (IAVAs), downloads of which are posted on DISA’s public Security Technical Implementation Guides (STIG) Web site.

DoD Contracts

U.S. Defense Information Systems Agency (DISA) issued Task Order 232 in June 2004 for information assurance applications for the Department of Defense (DoD) that requires the use of products that use CVE-IDs.

COMMUNITY

CVE Numbering Authorities (CNAs)

Community members such as OS and software vendors, third-party coordinators, and researchers authorized to assign CVE-IDs to new issues.

Recommendation ITU-T X.1520 Common Vulnerabilities and Exposures (CVE)

CVE was adopted by the International Telecommunication Union’s (ITU-T) Cybersecurity Rapporteur Group’s as a part of its "Global Cybersecurity Information Exchange techniques (X.CYBEX)" by issuing the X.CVE recommendation above that is based upon CVE’s current Compatibility Requirements document, and any future changes to those will be reflected in subsequent updates to X.CVE

Common Weakness Enumeration (CWE™)

A formal dictionary of software weaknesses types, CWE is based in part on the CVE List.

Sponsor: CS&C

Open Vulnerability and Assessment Language (OVAL®)

A standard for determining vulnerability and configuration issues on computer systems, CVE-IDs are the primary references for "OVAL Vulnerability Definitions," which test systems for the presence of CVEs.

Sponsor: CS&C

Page Last Updated: May 16, 2013