About CVE

Introduction

Common Vulnerabilities and Exposures (CVE®) is a list of common identifiers for publicly known cyber security vulnerabilities. Use of "CVE Identifiers (CVE IDs)," which are assigned by CVE Numbering Authorities (CNAs) from around the world, ensures confidence among parties when used to discuss or share information about a unique software vulnerability, provides a baseline for tool evaluation, and enables data exchange for cyber security automation.

Why CVE

With & Without CVE

CVE was launched in 1999 when most information security tools used their own databases with their own names for security vulnerabilities. At that time there was no significant variation among products and no easy way to determine when the different databases were referring to the same problem. The consequences were potential gaps in security coverage and no effective interoperability among the disparate databases and tools. In addition, each tool vendor used different metrics to state the number of vulnerabilities or exposures they detected, which meant there was no standardized basis for evaluation among the tools.

CVE’s common, standardized identifiers provided the solution to these problems.

CVE is now the industry standard for vulnerability and exposure names. CVE Identifiers — also called "CVE names," "CVE numbers," "CVE IDs," and "CVEs" by the community — provide reference points for data exchange so that cyber security products and services can speak with each other. CVE Identifiers also provide a baseline for evaluating the coverage of tools and services so that users can determine which tools are most effective and appropriate for their organization’s needs. In short, products and services compatible with CVE provide better coverage, easier interoperability, and enhanced security.

How CVE Works

Each CVE ID includes:

  • CVE Identifier number (e.g., "CVE-1999-0067", "CVE-2014-10001", "CVE-2014-100001").
  • Brief description of the security vulnerability or exposure.
  • Any pertinent references (e.g., vulnerability reports and advisories).
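As an added example (not code from the CVE program or its website), a small Python parser for the identifier format listed above: it accepts the variable-length sequence numbers the page's three examples show (four or more digits), canonicalizes case and zero-padding, de-duplicates IDs pulled out of advisory text, and shows how a matcher hard-wired to four digits silently turns CVE-2014-100001 into a different ID. The sample advisory text is constructed.

```python
import re

# CVE ID syntax: "CVE-" + four-digit year + "-" + sequence number of AT LEAST
# four digits. The page's examples CVE-1999-0067, CVE-2014-10001 and
# CVE-2014-100001 carry 4, 5 and 6 digits, so the sequence length is uncapped;
# the trailing \b keeps the malformed 3-digit "CVE-2014-001" out.
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# Deliberately wrong pattern, kept only to demonstrate the truncation pitfall.
NAIVE_RE = re.compile(r"CVE-\d{4}-\d{4}")


def canonical(year: str, sequence: str) -> str:
    """Canonical form: upper case, sequence zero-padded to at least 4 digits."""
    return f"CVE-{int(year):04d}-{int(sequence):04d}"


def parse_cve_id(text: str) -> tuple[int, int]:
    """Strictly parse one CVE ID into (year, sequence); ValueError if malformed."""
    m = CVE_ID_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a well-formed CVE ID: {text!r}")
    return int(m.group(1)), int(m.group(2))


def extract_cve_ids(advisory_text: str) -> list[str]:
    """Return canonical, de-duplicated CVE IDs found in free text, in order."""
    found: dict[str, None] = {}
    for m in CVE_ID_RE.finditer(advisory_text):
        found.setdefault(canonical(m.group(1), m.group(2)), None)
    return list(found)


def naive_truncated(text: str) -> "str | None":
    """What a 4-digit-only matcher reports: silently a different ID."""
    m = NAIVE_RE.search(text)
    return m.group(0) if m else None


# Constructed sample advisory text (not from the page): mixed case, a duplicate,
# a 6-digit sequence number and one malformed 3-digit ID.
SAMPLE_ADVISORY = (
    "Fixed in this release: CVE-2014-0160 (Heartbleed), cve-2014-0160 again, "
    "CVE-2014-100001, and the legacy CVE-1999-0067. Malformed: CVE-2014-001."
)
```

Any tool that stores, compares or joins on CVE IDs should normalize through something like `canonical()` first, since a mixed-case or truncated ID will fail to match the same vulnerability in another database.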

The process of creating a CVE Identifier begins with the discovery of a potential security vulnerability.

The information is then assigned a CVE ID by a CVE Numbering Authority (CNA) and posted on the CVE List on the CVE website by the Primary CNA.

Widespread Adoption

The cyber security community endorsed the importance of CVE via "CVE-Compatible" products and services from the moment CVE was launched in 1999. By December 2000 there were already 29 organizations participating with declarations of compatibility for 43 products. Today, those numbers have increased significantly, with 300+ products and services from 150+ organizations listed on the CVE website. A major milestone for compatibility was the formalization of the CVE Compatibility Process in 2003, which led to the ongoing presentation of "Certificates of CVE Compatibility" to those organizations that achieve "official" compatibility status for their products or services.

Another significant factor in adoption is the ongoing inclusion of CVE IDs in security advisories. Numerous major OS vendors and other organizations from around the world include CVE IDs in their alerts to ensure that the international community benefits by having the CVE IDs as soon as a problem is announced. In addition, CVE IDs are used to uniquely identify vulnerabilities in public watch lists such as the OWASP Top 10 Web Application Security Issues, in the report text and infographics of Symantec Corporation's "Internet Security Threat Report, Volume 19," and are rated by severity in the Common Vulnerability Scoring System (CVSS). CVE IDs are also frequently cited in trade publications and general news media reports regarding software bugs, such as CVE-2014-0160 for "Heartbleed."

Use of CVE by U.S. agencies was recommended by the National Institute of Standards and Technology (NIST) in "NIST Special Publication (SP) 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme," which was initially released in 2002 and updated in 2011. In June 2004, the U.S. Defense Information Systems Agency (DISA) issued a task order for information assurance applications that requires the use of products that use CVE Identifiers.

CVE has also been used as the basis for entirely new services. NIST's U.S. National Vulnerability Database (NVD)—a "comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources"—is synchronized with, and based on, the CVE List. NVD also includes Security Content Automation Protocol (SCAP) mappings for CVE IDs. SCAP is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance), and CVE is one of the open community standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. In addition, the U.S. Federal Desktop Core Configuration (FDCC) requires verification of compliance with FDCC requirements using SCAP-validated scanning tools. CVE Change Logs is a tool created by CERIAS/Purdue University that monitors additions and changes to the CVE List and allows users to obtain daily or monthly reports. Open Vulnerability and Assessment Language (OVAL), operated by the Center for Internet Security, is a standard for determining the machine state of computer systems using community-developed OVAL Vulnerability Definitions that are based primarily on CVE Identifiers. MITRE's Common Weakness Enumeration (CWE™) is a formal dictionary of common software weaknesses that is based in part on the 90,000+ CVE IDs on the CVE List.

In 2011, the International Telecommunication Union’s (ITU-T) Cybersecurity Rapporteur Group, which is the telecom/information system standards body within the treaty-based, 150-year-old intergovernmental organization, adopted CVE as a part of its new "Global Cybersecurity Information Exchange techniques (X.CYBEX)" by issuing Recommendation ITU-T X.1520 Common Vulnerabilities and Exposures (CVE), which is based upon CVE’s current Compatibility Requirements; any future changes to that document will be reflected in subsequent updates to X.CVE.

CVE Community

CVE is an international cyber security community effort. In addition to the contributions of the CVE Numbering Authorities, CVE Board, and the CVE Sponsor, numerous organizations from around the world have included CVE IDs in their security advisories, have made their products CVE-Compatible, and/or have adopted or promoted the use of CVE.

CVE Numbering Authorities

CVE Numbering Authorities (CNAs) are major OS vendors, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving the CVE Team in the details of the specific vulnerabilities, and include the CVE IDs in the first public disclosure of the vulnerabilities.

Learn how to Become a CNA.

CVE Board

The CVE Board includes numerous cyber security-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information. Through open and collaborative discussions, the Board provides critical input regarding the data sources, product coverage, coverage goals, operating structure, and strategic direction of the CVE program.

MITRE's Role

The MITRE Corporation currently maintains CVE and this public website, oversees the CNAs and CVE Board, manages the compatibility program, and provides impartial technical guidance throughout the process to ensure CVE serves the public interest.

CVE Sponsor

CVE is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. A list of past sponsors is available on the Sponsors page.

CVE-Compatible Products and Services

Numerous organizations from around the world have made their cybersecurity products and services "CVE-Compatible" by incorporating CVE IDs. Please follow the CVE Compatibility Guidelines to make your product or service compatible with CVE.

Take the Next Step

We encourage you to incorporate CVE IDs into your products or research, become a CNA, adopt CVE-Compatible Products or Services for your enterprise, and/or promote the use of CVE.

Please contact us for more information.


Page Last Updated or Reviewed: September 29, 2017