About CVE

Common Vulnerabilities and Exposures (CVE®) is a list of common identifiers for publicly known cybersecurity vulnerabilities.

Use of CVE Records, which are assigned by CVE Numbering Authorities (CNAs) from around the world, ensures confidence among parties when used to discuss or share information about a unique software or firmware vulnerability, provides a baseline for tool evaluation, and enables automated data exchange.

CVE is:


With & Without CVE

CVE was launched in 1999 when most cybersecurity tools used their own databases with their own names for security vulnerabilities. At that time there was significant variation among products and no easy way to determine when the different databases were referring to the same problem. The consequences were potential gaps in security coverage and no effective interoperability among the disparate databases and tools. In addition, each tool vendor used different metrics to state the number of vulnerabilities or exposures they detected, which meant there was no standardized basis for evaluation among the tools.

CVE’s common, standardized identifiers provided the solution to these problems.

CVE is now the industry standard for vulnerability and exposure identifiers. CVE Records — also called "CVEs," "CVE IDs," and "CVE numbers" by the community — provide reference points for data exchange so that cybersecurity products and services can speak with each other. CVE Records also provide a baseline for evaluating the coverage of tools and services so that users can determine which tools are most effective and appropriate for their organization’s needs. In short, products and services compatible with CVE provide better coverage, easier interoperability, and enhanced security.

How CVE Works

Each CVE Record includes:

  • CVE ID number (e.g., "CVE-1999-0067", "CVE-2014-10001", "CVE-2014-100001").
  • Brief Description of the security vulnerability or exposure.
  • Any pertinent References (e.g., vulnerability reports and advisories).
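
The three sample IDs above have four-, five- and six-digit sequence numbers, so a tool that matches CVE IDs must accept four or more digits after the year. The following is an added example, not code from the CVE Program: it extracts IDs from tool output and groups findings by ID, with a fixed four-digit pattern kept beside it for comparison. The tool names and finding text are constructed.

```python
import re
from collections import defaultdict

# CVE ID syntax: "CVE-", a four-digit year, "-", then a sequence number of
# four or more digits. The lookbehind rejects matches glued to a longer token.
CVE_ID = re.compile(r"(?<![A-Za-z0-9])CVE-(\d{4})-(\d{4,})", re.IGNORECASE)

# Fixed four-digit pattern, shown for comparison only: it silently truncates
# IDs such as CVE-2014-100001 and so merges or misses distinct records.
NAIVE_ID = re.compile(r"CVE-\d{4}-\d{4}")


def extract_cve_ids(text):
    """Return the distinct CVE IDs in text, upper-cased, in order of appearance."""
    seen = []
    for match in CVE_ID.finditer(text):
        cve = f"CVE-{match.group(1)}-{match.group(2)}"
        if cve not in seen:
            seen.append(cve)
    return seen


def correlate(findings):
    """Map each CVE ID to the sorted list of tools whose findings mention it."""
    by_id = defaultdict(set)
    for tool, text in findings:
        for cve in extract_cve_ids(text):
            by_id[cve].add(tool)
    return {cve: sorted(tools) for cve, tools in by_id.items()}


# Constructed findings from two hypothetical tools, each with its own wording.
SAMPLE = [
    ("scanner-a", "Finding 17: issue tracked as cve-1999-0067"),
    ("scanner-b", "Plugin 4402: see CVE-1999-0067 and CVE-2014-100001."),
    ("scanner-a", "Advisory refs: CVE-2014-10001, CVE-2014-100001"),
]

if __name__ == "__main__":
    for cve, tools in sorted(correlate(SAMPLE).items()):
        print(cve, tools)
    print("naive match:", NAIVE_ID.findall("CVE-2014-100001"))
```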

The process of creating a CVE Record begins with the discovery of a potential security vulnerability.

A CVE Numbering Authority (CNA) then assigns the information a CVE ID, writes the Description, and adds References. The CVE Team then adds the completed CVE Record to the CVE List and posts it on the CVE website.

CVE Community

CVE is an international cybersecurity community effort. In addition to the contributions of the CVE Numbering Authorities, CVE Board, and the CVE Sponsor, numerous organizations from around the world have included CVE IDs in their security advisories, have made their products and services compatible with CVE, and/or have adopted or promoted the use of CVE.

CVE Numbering Authorities (CNAs) — CNAs are vendors and projects, vulnerability researchers, national and industry CERTs, and bug bounty programs that assign CVE Records to newly discovered issues without directly involving the CVE Team in the details of the specific vulnerabilities, and include the CVE IDs in the first public disclosure of the vulnerabilities.

Learn how to become a CNA.

CVE Working Groups (WGs) — The CVE Program has a number of WGs actively focused on improving processes, workflows, and other aspects of the program as CVE continues to grow and expand. You may request to join a WG, or request more information, by using the CVE Request Web Form and selecting “Other” from the dropdown.

CVE Board — The Board includes numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information. Through open and collaborative discussions, the Board provides critical input regarding the data sources, product coverage, coverage goals, operating structure, and strategic direction of the CVE Program.

CVE Sponsor — CVE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).

Take the Next Step

We encourage you to incorporate CVE Records into your products or research, become a CNA, adopt products and services that are compatible with CVE for your enterprise, and/or promote the use of CVE.

Please contact us for more information.

Page Last Updated or Reviewed: December 11, 2020