Documents and Guidance

Documents and guidance are available for the topics below. Please contact us to provide feedback about this page.

    CVE List
    CVE Numbering Authorities (CNAs)
    New CNA Onboarding
    CVE Request Web Form
    CVE Working Groups
    CVE Board
    Presentations & More

CVE List Documents and Guidance


CVE List FAQs

Includes information about CVE Entry Basics, CVE List Basics, and Using the CVE List.

About CVE Entries

Provides an overview of CVE Entries and links to various documents within three areas: CVE Entries Defined, Creation of a CVE Entry, and Requesting CVE Identifiers (CVE IDs).

Search Tips

Provides tips for searching or viewing entries on the CVE List hosted on this CVE website.

How to Contact the Program Root CNA to Update Information in CVE Entries

Instructions for how to request updates to entries on the CVE List. Also included are instructions for contacting the U.S. National Vulnerability Database (NVD) about CPE information and CVSS scores.

CVE References

Each CVE Entry includes appropriate references. Each reference used in CVE (1) identifies the source, (2) includes a well-defined identifier to facilitate searching on a source's website, and (3) notes the associated CVE Entry. CVE also includes a Reference Maps page with links to documents from the commonly used information sources that are used as references for CVE Entries.

CVE Program Root CNA PGP Key

PGP key last updated: March 2020
Fingerprint:  F59F 1525 57C5 3CE4 BEAE B86E F357 D0E9 903E 4008
Key ID:  903E4008  |  Key size:  4096

CVE Numbering Authorities (CNAs) Documents, Policies, and Guidance


CVE Numbering Authority (CNA) Rules, Version 3.0


Includes detailed information for CNAs about Assignment Rules, including the CVE Program’s definition of “vulnerability” and the requirements for assigning a CVE ID; CVE Entry requirements, including entry information, prose description, reference(s), and formatting; the appeals process; definitions of CVE ID states and CVE Entry states; the process to correct assignment issues or update CVE Entries; disclosure and embargo policies; defining a CNA’s scope; and the four categories of CNAs (Sub-CNAs, Root CNAs, CNAs of Last Resort (CNA-LR), Program Root CNA, and Secretariat), with assignment, communication, and administration rules for each. Version 3.0 – March 5, 2020 (NOTE: updated annually or as needed)

CNA Resources

Links to resources and information for CNAs.

CNA Policies

Inactive CNA Policy

The CVE Program’s CNA policy and procedure for inactive CNAs.

RBP CVE IDs Policy

The CVE Program’s CNA policy and procedure for Reserved but Public (RBP) CVE IDs.

Assignment

CVE Assignment Rules

The nature and accuracy of the counting process underpins the value of a CVE Entry. Correct assignment reduces the likelihood of duplicate CVE IDs being assigned to a single vulnerability. Also, some reports of vulnerabilities may confuse or conflate multiple, separate software problems, and the assignment process helps to differentiate between those vulnerabilities that are unique.

CVE Entry Information Requirements

Provides the required format that CNAs must use to provide CVE Entry information for assigning CVE IDs.

Researcher Reservation Guidelines

Provides information on how to reserve a CVE ID before publicizing a new vulnerability so that CVE ID can be included in the initial public announcement of the vulnerability and can be used to track the vulnerability.

Key Details Phrasing

Key details phrasing guidance for writing CVE Entry Descriptions (hosted on GitHub).

Corrections & Updates

Process for CNAs to Correct Assignment Issues or Update CVE Entries

There are many places where the CVE ID assignment process can break down. Since mistakes are inevitable, processes to correct them are necessary. This document describes different scenarios wherein the CVE ID assignment goes awry, and the corresponding resolution process.

Submissions

Submitting CVE Entry Info to the CVE Team

Explains the two methods to submit “CVE Entry information” to the CVE Team: (1) CVE Request Web Form, and (2) Git. NOTE: Detailed guidance for setting up the correct environment to submit a CVE Entry through GitHub is included below in the New CNA Onboarding section.

Submitting CVE Entries to Root CNAs

Each Root CNA has its own process for accepting CVE Entries from CNAs (hosted on GitHub).

New CNA Onboarding Documents, Slides, and Videos


NOTE: The slides and videos below should be reviewed by new CNAs in the order presented prior to their onboarding meeting with the CNA Coordination Team.

CVE Program Overview
English: slides | video
Japanese: slides

An introduction to the Common Vulnerabilities and Exposures (CVE®) Program, including what is CVE, goals of the program, who operates the program, and program organization.

Becoming a CNA
English: slides | video
Japanese: slides

An introduction to becoming a CVE Numbering Authority (CNA) with an overview of what defines a CNA, how the CVE Program is organized, how to organize your CNA program, how to define the scope of what you will cover, internal CNA processes, CNA resources, and ways to get involved in the CNA community.

CNA Processes
English: slides | video
Japanese: slides

Guidance for CNAs on how to get a block of CVE IDs, assign vulnerabilities to CVE IDs, submit CVE IDs, update CVE Entries when necessary, escalate issues where there is a dispute, reject CVE IDs when needed, dispute a CVE ID, and handle expiring CVE IDs.

Assigning CVE IDs
English: slides | video
Japanese: slides

Describes in detail how CNAs assign CVE IDs to vulnerabilities.

CVE Entry Creation
English: slides | video
Japanese: slides

Once a CNA has assigned a CVE ID(s), performed coordination to fix the vulnerability, and published the vulnerability information, the next step is to populate the CVE Entry. This video details how CNAs create CVE Entries.

CVE Entry GitHub Submissions
English: slides

Describes the process for CNAs to submit CVE Entries using GitHub.


CVE Entry Submission Process
English: slides | video
Japanese: slides

Guidance for how to submit CVE Entries to the CVE Program Root CNA (currently MITRE).


NOTE: The documents below (hosted on GitHub) walk through how to set up a local environment to submit CVE Entries in JSON format to the CVE List via git. The Initial Tools document, which walks through basic information and requirements, should be read first, followed by one of the other three documents to finish setup based on your desired workflow.

Initial Tools: Overview and First Steps

Discusses the steps for setting up the correct environment to submit CVE Entry information through GitHub using a variety of tools.

Command Line Interface Setup

Describes how to submit new JSON files to the CVE GitHub repository using the git command line interface as opposed to a GUI.

GitHub Desktop GUI Setup

Describes the GitHub submission process for submitting new CVE Entries using GitHub Desktop, a free GUI-based application.

SourceTree GUI Setup

Describes the GitHub submission process for submitting new CVE Entries using SourceTree, a free GUI-based application.

CVE Request Web Form Documents and Guidance


CVE Request Web Form FAQs

Includes questions and answers on web form basics, using the web form, and after submitting a web form request.

CVE Request Web Form Overview

This presentation provides an overview of how to use the CVE Request web form, which is used to request CVE IDs from the CVE Program Root CNA, request an update to an existing CVE Entry, provide notification about a vulnerability publication, or submit comments.

CVE Request Web Form Tip Sheet

A brief overview of information and tips for using each of the CVE Request web forms: Request a CVE ID; Request a block of IDs (for CNAs only); Notify CVE about a publication; Request an update to an existing CVE; and Other.

CVE Working Groups Documents


OCWG Charter

This document provides information about the CVE Outreach and Communications Working Group (OCWG) including its goals, operating principles, and objectives. Version 1.0.2 – March 23, 2020

CNACWG Charter

This document provides information about the CNA Coordination Working Group (CNACWG) including its goals, operating principles, and objectives. Version 1.2 – December 9, 2019

CVE ID Allocation Service Specification

Specification for the CVE ID Allocation Service developed by the CVE Automation Working Group (AWG). Version 1.0 – February 12, 2019

AWG Charter

This document provides information about the CVE Automation Working Group (AWG) including its goals, operating principles, and objectives. Version 1.0 – May 29, 2018

SPWG Repositories & Projects

Repositories and projects developed by the CVE Strategic Planning Working Group (SPWG).

AWG Repositories & Projects

Repositories and projects developed by the CVE Automation Working Group (AWG).

CVE Board Documents


CVE Board Charter

This document provides information about the CVE Board and how it functions, including Board structure, membership, working groups, and operations. A member nomination form is also included. Version 3.1 – April 23, 2020

Presentations & More


CVE Program Videos

Includes a CVE Program Overview video for all audiences, as well as several videos of detailed processes and procedures guidance for those organizations that have signed on to participate as official CVE Numbering Authorities (CNAs).

CVE Compatibility Guidelines (White Paper)

This white paper provides detailed guidelines for making cybersecurity product(s) or service(s) compatible with CVE. September 29, 2017

CVE IDs and How to Get Them (Presentation)

This briefing was presented at the “Wall of Sheep” by the CVE Team at DEF CON 25 in Las Vegas, Nevada, USA. July 28, 2017

Archived Documents

Documents listed on this archive page are no longer current and are retained on the CVE website for historical purposes only.

Page Last Updated or Reviewed: June 29, 2020