What is CVE?

CVE stands for Common Vulnerabilities and Exposures, and is described as "a dictionary of publicly known information security vulnerabilities and exposures."  It is currently operated by the MITRE Corporation under a contract with the U.S. Dept. of Homeland Security.  For more information on CVE and other related FAQs, please see MITRE's CVE page.

...

NVD and MITRE do not track "every" vulnerability that has ever existed - tracking of vulnerabilities with CVE IDs is only guaranteed for certain vendors.  The CVE team has editorial authority to exclude vulnerabilities for a variety of reasons.

How are CVE IDs Used?

Every entry in the CVE dictionary is enumerated with a CVE ID. The ID has the format CVE-year-number, where number has at least four digits.

...

Effort is made by MITRE and other parties to ensure that CVEs are not duplicated – that is, a specific vulnerability is tracked publicly with only a single CVE ID.
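As an added example (not part of the original FAQ), the following Python code applies the two rules above: it validates and canonicalizes the CVE-year-number format, and it collapses repeated mentions of the same ID in free text, since one vulnerability should be tracked under a single CVE ID. The sample advisory text and the CVE IDs in it are constructed for the example, not real entries.

```python
import re
from typing import List, NamedTuple

# CVE-year-number: a 4-digit year, then a sequence number of at least 4 digits
# (the sequence keeps its leading zeros, e.g. ...-0001).
CVE_ID_RE = re.compile(r"CVE-(\d{4})-(\d{4,})", re.IGNORECASE)


class CveId(NamedTuple):
    year: int
    number: int

    def __str__(self) -> str:
        # Canonical form: upper-case prefix, sequence padded to at least 4 digits.
        return f"CVE-{self.year}-{self.number:04d}"


def parse_cve_id(text: str) -> CveId:
    """Parse a single CVE ID, accepting any letter case and surrounding whitespace."""
    m = CVE_ID_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a well-formed CVE ID: {text!r}")
    return CveId(int(m.group(1)), int(m.group(2)))


def extract_cve_ids(text: str) -> List[CveId]:
    """Return the distinct CVE IDs mentioned in free text, in order of first appearance.

    Differences in letter case (and any extra leading zeros) collapse to one ID,
    mirroring the rule that a vulnerability is tracked under a single CVE ID.
    """
    seen = set()
    found: List[CveId] = []
    for m in re.finditer(rf"\b{CVE_ID_RE.pattern}\b", text, re.IGNORECASE):
        cve = CveId(int(m.group(1)), int(m.group(2)))
        if cve not in seen:
            seen.add(cve)
            found.append(cve)
    return found


# Constructed advisory text; the IDs are made up for this example, not real entries.
SAMPLE_ADVISORY = """
Release 4.2 fixes cve-2099-0001 (buffer handling) and CVE-2099-123456.
The first issue was also referenced as CVE-2099-0001 in the changelog.
A malformed reference, CVE-2099-12, is not a valid ID and is ignored.
"""

if __name__ == "__main__":
    for cve in extract_cve_ids(SAMPLE_ADVISORY):
        print(cve)
```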

How are CVE IDs Assigned?

MITRE is the primary maintainer of CVE, and therefore the primary assigner for CVE IDs. When a new vulnerability is reported, MITRE researches the vulnerability to determine the details and if the vulnerability has previously been reported by someone else. If the vulnerability appears to be new, then a new CVE ID is assigned to the vulnerability for use in future discussion and communications.

...

The CERT/CC is a more general CNA; while we can assign CVE IDs for most products, we generally do not assign CVE IDs for vulnerabilities in products handled by other CNAs. We are also generally restricted to assigning CVE IDs only to vulnerabilities we directly coordinate.

How can I request a CVE ID?

If you believe you have discovered a new vulnerability, you can request a CVE ID in one of a few ways, depending on which software or product contains the vulnerability.

...

  • Contact the vendor that provides the vulnerable product, if the vendor is a CNA. Many vendors have a specific security contact or bug bounty program you can contact, and are CNAs that can assign a CVE ID directly. MITRE provides a list of CNAs.
  • Or, contact MITRE at cve-assign@mitre.org to receive a CVE ID. MITRE also provides more information on contacting CVE, including its PGP key.
  • Or, if you have trouble reaching a vendor or require other assistance in coordinating and disclosing your vulnerability, feel free to contact us (the CERT/CC) for assistance. The best way to contact the CERT/CC is to fill out our Vulnerability Report Form, but you may also email us at cert@cert.org with PGP-encrypted email.

To request a CVE ID when you disclose your vulnerability:

...

In all cases, when requesting a CVE ID, you should include information about the vulnerability and which products and versions are affected. For more information on how to report vulnerabilities and what information to include in your report, see our Guidelines for Requesting Coordination Assistance.

How do I get a CVE dictionary entry updated?

There are two major CVE databases:

...

If you are a vendor and have a comment about something on NVD, contact nvd@nist.gov.

References

Others have written about the CVE process. For example, you may consult the following for more information:

...