CVE in Use

As the international industry standard for information security vulnerability and exposure names, CVE Identifiers are included in numerous products and services and are the foundation of others. CVE also helps in Making Security Measurable.

CVE-COMPATIBLE PRODUCTS

Use of CVE-IDs enhances these areas of enterprise security:

Sponsor: NCSD

National Vulnerability Database

National Vulnerability Database (NVD) provides:

Sponsor: NCSD

GOVERNMENT

US-CERT Bulletins

Uses CVE-IDs to uniquely identify the vulnerabilities they report.

Sponsor: NCSD

U.S. Government Agencies

The National Institute of Standards and Technology (NIST) recommends use of CVE by U.S. agencies in two 2002 Special Publications: "800-51: Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme" and "800-40: Procedures for Handling Security Patches."

Sponsor: NCSD

DISA Information Assurance Vulnerability Alerts

CVE-IDs are mapped to the U.S. Defense Information Systems Agency’s (DISA) Information Assurance Vulnerability Alerts (IAVAs), downloads of which are posted on DISA’s public Security Technical Implementation Guides (STIG) Web site.

DoD Contracts

The U.S. Defense Information Systems Agency (DISA) issued Task Order 232 in June 2004 for information assurance applications for the Department of Defense (DoD); the task order requires the use of products that use CVE-IDs.

COMMUNITY

CVE Numbering Authorities (CNAs)

Community members such as OS and software vendors, third-party coordinators, and researchers authorized to assign CVE-IDs to new issues.

SANS Top Cyber Security Risks

Uses CVE-IDs to uniquely identify the vulnerabilities it describes.

Common Weakness Enumeration (CWE™)

A formal dictionary of software weakness types, CWE is based in part on the CVE List.

Sponsor: NCSD

Open Vulnerability and Assessment Language (OVAL®)

OVAL is a standard for determining vulnerability and configuration issues on computer systems. CVE-IDs are the primary references for "OVAL Vulnerability Definitions," which test systems for the presence of CVEs.

Sponsor: NCSD

Page Last Updated: November 23, 2011