
What is CVE?

CVE stands for Common Vulnerabilities and Exposures and is a project maintained by MITRE. MITRE describes CVE as "a dictionary of publicly known information security vulnerabilities and exposures."

In practice, CVE functions as a catalog of publicly known security vulnerabilities, and CVE IDs serve as globally unique tracking numbers for the entries in that catalog.

How are CVEs Used?

Every entry in the CVE dictionary is identified by a CVE ID. The ID has the format CVE-YYYY-NNNN, where YYYY is the year in which the ID was assigned or the vulnerability was made public (not necessarily the year it was discovered), and NNNN is a sequence number of at least four digits; sequence numbers with five or more digits are also valid.

CVE IDs are assigned to specific vulnerabilities in software products. Effectively, the ID is a globally unique tracking number for the vulnerability in question. When security researchers discuss vulnerabilities, it is much clearer to refer to a vulnerability by its CVE ID than by the name of the affected software, since one product can have many vulnerabilities. Many private sector and government entities also use CVE IDs to track vulnerability information.
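As an added example (not part of the original page), the following Python helper validates a single CVE ID against the format described above and extracts, normalizes and deduplicates every CVE ID mentioned in free text such as an advisory or a mailing list post. Variants that differ only in case or zero-padding collapse to one canonical ID, so they are not miscounted as separate vulnerabilities. The advisory text is constructed for this example, and the rejection of zero-padded sequence numbers longer than four digits is an extra strictness assumed here beyond the rule stated above.

```python
import re
from typing import List, NamedTuple

# CVE ID syntax as described above: "CVE-" + 4-digit year + "-" + sequence
# number of at least four digits. Matched case-insensitively so that
# "cve-2014-0001" in an e-mail is still recognised.
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


class CveId(NamedTuple):
    """A parsed CVE ID; tuple ordering gives year-then-sequence sort order."""
    year: int
    sequence: int

    def __str__(self) -> str:
        # Canonical form: upper-case prefix, sequence zero-padded to 4 digits
        # ("CVE-2014-0001"); longer sequences print as-is ("CVE-2014-12345").
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(token: str) -> CveId:
    """Strictly parse one token as a CVE ID, raising ValueError otherwise."""
    match = CVE_ID_RE.fullmatch(token.strip())
    if match is None:
        raise ValueError(f"not a CVE ID: {token!r}")
    year, seq = match.group(1), match.group(2)
    # Assumption added for this example: sequence numbers longer than four
    # digits are never zero-padded, so "CVE-2020-01234" is treated as malformed.
    if len(seq) > 4 and seq.startswith("0"):
        raise ValueError(f"zero-padded sequence number: {token!r}")
    return CveId(int(year), int(seq))


def extract_cve_ids(text: str) -> List[CveId]:
    """Return every distinct CVE ID mentioned in text, in canonical order."""
    found = set()
    for match in CVE_ID_RE.finditer(text):
        try:
            found.add(parse_cve_id(match.group(0)))
        except ValueError:
            continue  # malformed candidates are skipped, not guessed at
    return sorted(found)


# Constructed advisory text for this example (not a real advisory).
SAMPLE_ADVISORY = """
This release fixes CVE-2021-0007, cve-2014-0001 and CVE-2014-12345.
CVE-2014-12345 was reported twice by different researchers.
CVE-2014-123 is too short to be a CVE ID and CVE-2020-01234 is zero-padded.
"""

if __name__ == "__main__":
    for cve in extract_cve_ids(SAMPLE_ADVISORY):
        print(cve)
```

Running the block prints the three distinct IDs in the sample in year-then-sequence order; the too-short and zero-padded candidates are dropped rather than silently repaired.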

Effort is made by MITRE and other parties to ensure that CVEs are not duplicated – that is, a specific vulnerability is tracked publicly with only a single CVE ID.

How are CVE IDs Assigned?

MITRE is the primary maintainer of CVE IDs, and therefore the primary assigner. When a new vulnerability is reported, MITRE researches the vulnerability to determine the details and if the vulnerability has previously been reported by someone else. If the vulnerability appears to be new, then a new CVE ID is assigned to the vulnerability for use in future discussion and communications.

However, MITRE has designated a number of third-party organizations as CVE Numbering Authorities (CNAs), meaning these organizations have limited authority to assign CVE IDs without MITRE's involvement in certain circumstances. CNAs are expected to follow the same assignment rules that MITRE follows. The CNAs then report their assigned CVE IDs to MITRE, or publish an advisory containing them, so that MITRE can include the CNA-assigned CVE IDs in the overall CVE dictionary.

Generally, large software vendors are CNAs for their own products; for example, Microsoft and Red Hat can assign CVE IDs to vulnerabilities in their own products only.

The CERT/CC is a more general CNA; while we can assign CVE IDs for many products, we generally do not assign CVE IDs for vulnerabilities in products handled by other CNAs. We are also generally restricted to assign CVE IDs only to vulnerabilities we directly coordinate.

How can I request a CVE ID?

If you believe you have discovered a new vulnerability, you can request a CVE ID in one of a few ways, depending on which software or product contains the vulnerability.

  • Many CNAs have a specific security contact or bug bounty program you can contact. If so, consider directly reporting your vulnerability to the vendor. MITRE provides a list of CNAs.
  • If you are independently coordinating your vulnerability directly with the vendor (regardless of whether the vendor is a CNA), you may also contact MITRE at cve-assign@mitre.org to receive a CVE ID.
  • If you have trouble reaching a vendor or require other assistance in coordinating and disclosing your vulnerability, feel free to contact the CERT/CC for assistance. The best way to contact the CERT/CC is to fill out our Vulnerability Report Form, but you may also email us at cert@cert.org with PGP-encrypted email.
  • If the vulnerability is already public, then MITRE must investigate and assign CVE IDs. In this case, you must contact MITRE at cve-assign@mitre.org and provide links to the public references for the vulnerability.

In all cases, when requesting a CVE ID, you should include information about the vulnerability and which products and versions are affected. For more information on how to report vulnerabilities and what information to include in your report, see our Guidelines for Requesting Coordination Assistance.

How do I get my CVE database entry updated?

There are two major CVE databases: the CVE List maintained by MITRE and the National Vulnerability Database (NVD) maintained by NIST.

The CERT/CC is unable to update these databases, as they are maintained by third parties.

MITRE researches the vulnerability and checks for duplicates before publishing a full CVE entry. This research can take a considerable amount of time, depending on the severity of the vulnerability and the number of vendors affected. Please allow time for MITRE and NVD to update their records. If you have further information to add to a CVE entry, send it to cve-assign@mitre.org.

References

Others have written about the CVE process. For example, you may consult the following for more information:
