All CVE Documents

Documents are available for the topics below. Please send feedback about this page to cve@mitre.org.

    CVE List
    CVE Request Web Form
    CVE Numbering Authorities (CNAs)
    CVE Board
    Presentations & More

CVE List Documentation


About CVE Entries

Provides an overview of CVE Entries and links to various documents within three areas: CVE Entries Defined, Creation of a CVE Entry, and Requesting CVE Identifiers (CVE IDs).

CVE Counting Rules

The nature and accuracy of the counting process underpins the value of a CVE Entry. Correct counting reduces the likelihood of duplicate CVE IDs being assigned to a single vulnerability. Also, some reports of vulnerabilities may confuse or conflate multiple, separate software problems, and the counting process helps to differentiate between those vulnerabilities that are unique. Decision trees are included.

CVE Assignment Information Format

Provides the required format that CNAs must use to provide CVE information for assigning CVE IDs. An example is included.

Process to Correct Counting Issues

There are many places where the CVE ID assignment process can break down. Since mistakes are inevitable, processes to correct them are necessary. This document describes different scenarios wherein the CVE ID assignment goes awry, and the corresponding resolution process.

CVE References

Each CVE Entry includes appropriate references. Each reference used in CVE (1) identifies the source, (2) includes a well-defined identifier to facilitate searching on a source's website, and (3) notes the associated CVE Entry. CVE also includes a Reference Maps page with links to documents from the commonly used information sources that are used as references for CVE Entries.

Primary CNA PGP Key

PGP key last updated: August 2016
Fingerprint:  3661 5122 7CF5 FC6B BCCC 7943 76FF 3305 8B56 18B6
Key ID:  8B5618B6  |  Key size:  4096

Search Tips for the CVE List

Provides tips for searching or viewing the CVE List hosted on this CVE website. Also notes that advanced searching of CVE enhanced content is available on the U.S. National Vulnerability Database (NVD).

CVE Request Web Form Documentation


CVE Request Web Form FAQs

Includes questions and answers on web form basics, using the web form, and after submitting a web form request.

CVE Request Web Form Overview

This presentation provides an overview of how to use the CVE Request web form, which is used to request CVE IDs from MITRE, request an update to an existing CVE entry, provide notification about a vulnerability publication, or submit comments.

CVE Request Web Form Tip Sheet

A brief overview of information and tips for using each of the CVE Request web forms: Request a CVE ID; Request a block of IDs (for CNAs only); Notify CVE about a publication; Request an update to an existing CVE; and Other.

CVE Numbering Authorities (CNAs) Documentation


CVE Numbering Authorities (CNA) Rules,
Version 2.0
New!

Includes detailed information about the following: CNAs Overview – Federated CNA Structure, and Purpose and Goal of the CNA Rules; Rules for All CNAs – Assignment, Communication, and Administration; Responsibilities of Root and Primary CNAs – Specific Assignment, Communications, and Administration Rules for Root CNAs and for the Primary CNA; CNA Candidate Process – Qualifications, and On-Boarding Process; Appeals Process; Definitions; CVE Information Format; Common Vulnerabilities and Exposures (CVE) Counting Rules – Purpose, Introduction, Definitions, Vulnerability Report, Inclusion Decisions, and Counting Decisions; Terms of Use; Process to Correct Counting Issues; Acronyms; Quarterly Metrics; and Disclosure and Embargo Policies. Version 2.0 – January 1, 2018 (NOTE: updated annually or as needed)

CVE Overview for Prospective CNAs

Provides detailed information for prospective CNAs about the following: Conceptual Basis of CVE; Design and Operational Choices for CVE – CVEs Purposely Provide Minimal Information About a Vulnerability, The CVE List is a Simple List, CVE Only Publishes Already-Disclosed Vulnerabilities, and The Anatomy of a CVE Entry - Example; CVE and the National Vulnerability Database (NVD); CVE and CNAs – Sources of Vulnerability Information, Benefits of Early CVE ID Assignment, Roles and Responsibilities of a CVE CNA - High Level View, and Benefits of Operating as a CNA; and Special Considerations for Prospective CNAs – Requirements for Assigning a CVE ID and Challenges When Assigning CVE IDs; More Information; Acronyms; and References. Version 1.0 – September 29, 2017

Submitting CVE Assignment Information to CVE Team

Explains the three methods to submit CVE “assignment information” to the CVE Team: (1) CVE Request Web Form, (2) cve@mitre.org Email Address, and (3) Git (Experimental).

Researcher Reservation Guidelines

Provides information on how to reserve a CVE ID before publicizing a new vulnerability so that CVE ID can be included in the initial public announcement of the vulnerability and can be used to track the vulnerability. Version 0.1 – August 29, 2016

CVE Board Documents


CVE Board Charter New!

This document provides information about the CVE Board and how it functions, including Board structure, membership, and operations. A member nomination form is also included. Version 2.5 – January 11, 2018

Adding and Removing CVE Board Members

This document formalizes the high-level process that is used for identifying, evaluating, and adding new members to the CVE Board. Version 0.5 – September 13, 2016

Presentations & More


CVE Compatibility Guidelines (White Paper)

This white paper provides detailed guidelines for making cybersecurity product(s) or service(s) compatible with CVE. September 29, 2017

CVE IDs and How to Get Them (Presentation)

This briefing was presented at the “Wall of Sheep” by the CVE Team at DEF CON 25 in Las Vegas, Nevada, USA. July 28, 2017

“Towards a Common Enumeration of
Vulnerabilities” (White Paper)


This white paper introducing the CVE concept was presented at the 2nd Workshop on Research with Security Vulnerability Databases, Purdue University, West Lafayette, Indiana, USA. January 21-22, 1999 by MITRE's David Mann and Steve Christey. A postscript version is also available.

Archived Documents

Documents listed on this archive page are no longer current, and are retained on the CVE website for historical purposes only.

Page Last Updated or Reviewed: February 23, 2018