What is CVE?

CVE stands for Common Vulnerabilities and Exposures and is described by MITRE as "a dictionary of publicly known information security vulnerabilities and exposures."  It is currently operated by the MITRE Corporation under a contract with the U.S. Department of Homeland Security.  For more information on CVE and related FAQs, see MITRE's CVE page.

In practice, the National Vulnerability Database (NVD), maintained by NIST, is a database of publicly known security vulnerabilities that uses CVE IDs as globally unique tracking numbers.

NVD and MITRE do not track every vulnerability that has ever existed: CVE ID coverage is only guaranteed for certain vendors and products, and the CVE team has editorial authority to exclude vulnerabilities for a variety of reasons.

How are CVE IDs Used?

Every entry in the CVE dictionary is enumerated with a CVE ID. The ID has the format CVE-YYYY-NNNN, where YYYY is the year the ID was assigned or the vulnerability was made public (not necessarily the year it was discovered) and NNNN is a sequence number of at least four digits; longer sequence numbers are used when a year needs more than four digits.

CVE IDs are assigned to specific vulnerabilities that occur in software. Effectively, the ID is a globally unique tracking number for the vulnerability in question. When security researchers discuss vulnerabilities in a particular version of a software product, it is much clearer to refer to the vulnerability by its CVE ID than by the name and version of the software. Many private sector and government entities also use CVE IDs to track vulnerability information, and most vulnerability scanning tools report findings by CVE ID.

Effort is made by MITRE and other parties to ensure that CVEs are not duplicated – that is, a specific vulnerability is tracked publicly with only a single CVE ID.
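As an added example (not part of this FAQ and not MITRE's or NVD's own tooling), the following Python parses the CVE-YYYY-NNNN format described above, rejects malformed IDs, and collapses duplicate spellings of the same ID pulled out of free text, which is the kind of normalization a scanner or ticketing system has to do before it can treat one vulnerability as one record. The sample advisory text is constructed for the example; the floor of 1999 on the year reflects the year the CVE program began, and the rule that sequence numbers longer than four digits carry no leading zeros is this example's assumption about canonical form.

```python
"""Parse, validate and de-duplicate CVE IDs found in free text (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# CVE-YYYY-NNNN: a four-digit year, then a sequence number that is either
# exactly four digits (zero-padded, e.g. 0160) or five or more digits with no
# leading zero (e.g. 1000027).  Word boundaries stop "XCVE-2020-1234" and the
# prefix of a longer number from matching; IGNORECASE accepts "cve-..." as
# written in many mailing list posts.
_CVE_RE = re.compile(r"\b(CVE)-(\d{4})-(\d{4}|[1-9]\d{4,})\b", re.IGNORECASE)

# The CVE program began in 1999; earlier years indicate a typo or a forgery.
_FIRST_CVE_YEAR = 1999


@dataclass(frozen=True, order=True)
class CveId:
    year: int
    sequence: int

    def __str__(self) -> str:
        # Canonical form: upper-case prefix, sequence zero-padded to 4 digits.
        return f"CVE-{self.year:04d}-{self.sequence:04d}"


def parse_cve_id(text: str) -> CveId:
    """Parse a single CVE ID, raising ValueError on anything else."""
    m = _CVE_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a CVE ID: {text!r}")
    year, seq = int(m.group(2)), int(m.group(3))
    if year < _FIRST_CVE_YEAR:
        raise ValueError(f"implausible CVE year in {text!r}")
    return CveId(year, seq)


def is_cve_id(text: str) -> bool:
    try:
        parse_cve_id(text)
        return True
    except ValueError:
        return False


def extract_cve_ids(text: str) -> list[str]:
    """Return canonical CVE IDs in order of first appearance, de-duplicated.

    A vulnerability is tracked under exactly one CVE ID, so "cve-2014-0160"
    and "CVE-2014-0160" in the same document collapse to a single entry.
    """
    seen: set[CveId] = set()
    out: list[str] = []
    for m in _CVE_RE.finditer(text):
        cve = CveId(int(m.group(2)), int(m.group(3)))
        if cve.year >= _FIRST_CVE_YEAR and cve not in seen:
            seen.add(cve)
            out.append(str(cve))
    return out


# Constructed sample text for this example, not a real advisory.
SAMPLE_ADVISORY = """\
OpenSSL 1.0.1 through 1.0.1f is affected by CVE-2014-0160 (Heartbleed).
A follow-up post mentioned cve-2014-0160 again, plus CVE-2016-1000027,
which shows a seven-digit sequence number.
None of these should match: CVE-1998-0001 (before the CVE program),
CVE-2020-123 (too short), XCVE-2020-1234 (no word boundary),
CVE-2014-00160 (leading zero on a five-digit sequence number).
"""

if __name__ == "__main__":
    for cve in extract_cve_ids(SAMPLE_ADVISORY):
        print(cve)
```

Running the module prints CVE-2014-0160 and CVE-2016-1000027 once each; the malformed and pre-1999 strings in the sample are dropped rather than silently normalized, which is the behaviour you want before keying a database on the ID.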

How are CVE IDs Assigned?

MITRE is the primary maintainer of CVE, and therefore the primary assigner of CVE IDs. When a new vulnerability is reported, MITRE researches it to determine the details and whether it has previously been reported by someone else. If the vulnerability appears to be new, a new CVE ID is assigned for use in future discussion and communications.

However, MITRE has designated a small group of third-party organizations as CVE Numbering Authorities (CNAs), meaning these organizations can assign CVE IDs within their scope without MITRE's involvement. CNAs are expected to follow the same assignment rules that MITRE follows; this sometimes means that a CVE ID assignment decision does not match what you may expect. The CNAs then report the newly assigned CVE IDs to MITRE, or publish an advisory with the CVE IDs, so that MITRE can include the CNA-assigned CVE IDs in the overall CVE dictionary.

Generally, large software vendors are CNAs for their own products; for example, Microsoft and Red Hat can assign CVE IDs to vulnerabilities in their own products, and only their own products. MITRE provides a list of CNAs.

The CERT/CC is a more general CNA: while we can assign CVE IDs for most products, we generally do not assign CVE IDs for vulnerabilities in products handled by other CNAs, and we are generally restricted to assigning CVE IDs only to vulnerabilities we directly coordinate.

How can I request a CVE ID?

If you believe you have discovered a new vulnerability, you can request a CVE ID in one of a few ways, depending on which software or product contains the vulnerability.

To request a CVE ID if the vulnerability is NOT public:

  • Contact the vendor of the vulnerable product, if the vendor is a CNA. Many vendors have a specific security contact or bug bounty program, and those that are CNAs can assign a CVE ID directly. MITRE provides a list of CNAs.
  • Or, request a CVE directly from MITRE by submitting the form at https://cveform.mitre.org/. MITRE also provides more information on whom to contact to receive a CVE ID, including its PGP key.
  • Or, if you have trouble reaching a vendor or need other assistance coordinating and disclosing your vulnerability, contact us (the CERT/CC) for assistance. The best way to contact the CERT/CC is to fill out our Vulnerability Report Form, but you may also email us at cert@cert.org using PGP-encrypted email.

To request a CVE ID when you disclose your vulnerability:

  • Disclose your vulnerability to a security-related mailing list such as Bugtraq or Full Disclosure. MITRE watches these mailing lists and will respond to requests for a CVE ID directly.
  • Or, request a CVE directly from MITRE by submitting the form at https://cveform.mitre.org/. The CVE form allows you to submit a URL to your publication for reference in the CVE document.

To request a CVE ID if the vulnerability is ALREADY public:

  • MITRE is the only source for investigating and assigning a CVE ID for vulnerabilities that have already been disclosed publicly. Request a CVE directly from MITRE by submitting the form at https://cveform.mitre.org/. The CVE form allows you to submit URLs for any public references to the vulnerability that you find.

In all cases, when requesting a CVE ID, you should include information about the vulnerability and which products and versions are affected. For more information on how to report vulnerabilities and what information to include in your report, see our Guidelines for Requesting Coordination Assistance.

How do I get a CVE dictionary entry updated?

There are two major CVE databases:

  • The CVE dictionary maintained by MITRE
  • The National Vulnerability Database (NVD) maintained by NIST

The CERT/CC is unable to update these databases, as they are maintained by third parties.

MITRE researches the vulnerability and checks for duplicates before publishing a full CVE entry. This research can take a considerable amount of time, depending on the severity of the vulnerability and the number of vendors affected. Please allow time for MITRE and NVD to update their records.

If you are a researcher and have an issue with the vulnerability information for a particular CVE, contact cve@mitre.org.

If you are a vendor and have a comment about something on NVD, contact nvd@nist.gov.

Vulnerability ID Alternatives

Several community-sponsored alternatives to CVE IDs have recently been announced. These vulnerability IDs are used in much the same way as CVE IDs.

A good discussion of these alternatives is provided by CERT/CC's Allen Householder in the blog post "Vulnerability IDs, Fast and Slow".

Security researchers who need a vulnerability ID quickly may consider requesting one of these alternate IDs until a CVE ID is assigned.

Distributed Weakness Filing (DWF)

DWF is meant to be complementary to and compatible with CVE; for example, DWF-2016-1000 would refer to the same vulnerability as CVE-2016-1000. However, DWF starts assigning at larger ID numbers, so its IDs do not collide with those assigned by MITRE.

As of May 2016, DWF has become a CVE Numbering Authority (CNA) and can assign CVE IDs. You can request a CVE from DWF by filling out the form at: https://request.distributedweaknessfiling.org

Open Vulnerability ID (OVI)

Openwall Vulnerability ID (OVE)

References

MITRE is working to make its documentation publicly available via GitHub:

Others have written about the CVE process. For example, you may consult the following for more information: