Name of Your Organization:

National Institute of Standards and Technology

Web Site:

http://nvd.nist.gov/

Compatible Capability:

National Vulnerability Database

Capability home page:

http://nvd.nist.gov

General Capability Questions

1) Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

The National Vulnerability Database is publicly available via the Internet at http://nvd.nist.gov.

Mapping Questions

4) Map Currency Indication <CR_5.1>

Describe how and where your capability indicates the most recent CVE version used to create or update its mappings (required):

NVD does not indicate CVE versions because it is constantly updated using the most current CVE information.

5) Map Currency Update Approach <CR_5.2>

Indicate how often you plan on updating the mappings to reflect new CVE versions and describe your approach to keeping reasonably current with CVE versions when mapping them to your repository (recommended):

Mappings are updated as soon as they are available from MITRE.

6) Map Currency Update Time <CR_5.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability's mappings to reflect a newly released CVE version (recommended):

This information is conveyed to the user in the FAQ section on the NVD website: "1 - How often is NVD updated? NVD is updated on an hourly basis on normal United States Government business days. We do not update the database on weekends and on United States Government holidays."

Documentation Questions

7) CVE and Compatibility Documentation<CR_4.1>

Provide a copy, or directions to its location, of where your documentation describes CVE and CVE compatibility for your customers (required):

NVD is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. It is based on the CVE vulnerability naming standard.

8) Documentation of Finding Elements Using CVE Names <CR_4.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CVE names to find the individual security elements within your capability's repository (required):

Users can enter CVE names into the search field found at http://nvd.nist.gov to find individual security elements. The phrase "Try a CVE standard vulnerability name or OVAL query" is located under the search field to inform users of this capability.

9) Documentation of Finding CVE Names Using Elements <CR_4.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CVE names associated with individual security elements within your capability's repository (required):

Each security entry is directly mapped to a CVE entry. CVE names are used to identify the security entries and are always displayed at the beginning of each entry.

Candidate Support Questions

11) Candidates Versus Entries Indication <CR_6.1>

If CVE candidates are supported or used, explain how you indicate that candidates are not accepted CVE entries (required):

The CAN- prefix is used for all candidates to differentiate them from CVE entries that have the CVE- prefix.

12) Candidates Versus Entries Explanation <CR_6.2>

If CVE candidates are supported or used, explain where and how the difference between candidates and entries is explained to your customers (recommended):

The difference between CVE candidates and entries is explained in the NVD FAQ at http://nvd.nist.gov/faq.cfm#5.

13) Candidate to Entry Promotion <CR_6.3>

If CVE candidates are supported or used, explain your policy for changing candidates into entries within your capability and describe where and how this is communicated to your customers (recommended):

When candidates are promoted to entries as communicated via the CVE mailing list, scripts are used to automatically reflect any necessary updates.

14) Candidate and Entry Search Support <CR_6.4>

If CVE candidates are supported or used, explain where and how a customer can find the explanation of your search function's ability to look for candidates and entries by using just the YYYY-NNNN portion of the CVE names (recommended):

The NVD search function's ability to look for candidates and entries by omitting any prefix is explained in the NVD FAQ at http://nvd.nist.gov/faq.cfm#6.

15) Search Support for Promoted Candidates <CR_6.5>

If CVE candidates are supported or used, explain where and how a customer can find the explanation of your search function's support for retrieving the CVE entry for a candidate that is no longer a candidate (recommended):

The explanation of how a user can search for a CVE entry that is no longer a candidate can be found in the NVD FAQ at http://nvd.nist.gov/faq.cfm#6.

16) Candidate Mapping Currency Indication <CR_6.6>

If CVE candidates are supported or used, explain where and how you tell your users how up-to-date your candidate information is (recommended):

An explanation of how often candidate information is updated can be found in the NVD FAQ at http://nvd.nist.gov/faq.cfm#7.

Type-Specific Capability Questions

Online Capability Questions

26) Finding Online Capability Tasks Using CVE Names <CR_A.4.1>

Give detailed examples and explanations of how a "find" or "search" function is available to the user to locate tasks in the online capability by looking for their associated CVE name or through an online mapping that links each element of the capability with its associated CVE name(s) (required):

Entering a full or partial CVE name in the search field found on http://nvd.nist.gov will return any associated security elements that match the search parameter.

27) Online Capability Interface Template Usage <CR_A.4.1.1>

Provide a detailed description of how someone can use your "URL template" to interface to your capability's search function (recommended):

Examples:

http://www.example.com/cgi-bin/db-search.cgi?cvename=CVE-YYYY-NNNN
http://www.example.com/cve/CVE-YYYY-NNNN.html

Any product containing NVD or CVE data can be integrated with the NVD web site vulnerability summaries. To link to a particular vulnerability summary, simply use the hyperlink format http://nvd.nist.gov/nvd.cfm?cvename=CAN-YYYY-NNNN.
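As an added example (not NVD's own code, and not part of the original questionnaire) of the identifier handling described in questions 14, 15 and 27 above: validating CVE-, CAN- and bare YYYY-NNNN names, looking up a promoted candidate under its old CAN- name, and filling the URL template above only with a name that passed validation so that free text from a user or a report never reaches the link. The function names, the two sample repository entries (constructed, not real NVD data) and the acceptance of sequence numbers longer than four digits (which the current CVE syntax permits, beyond the YYYY-NNNN form this page uses) are assumptions of this example.

```python
import re
from urllib.parse import quote

# CVE naming syntax as this form uses it: an optional CVE- or CAN- prefix,
# a four-digit year and a sequence number.  The page writes YYYY-NNNN; the
# pattern accepts four or more sequence digits, an assumption that also
# covers the longer sequence numbers the CVE syntax allows today.
_CVE_RE = re.compile(
    r"^(?:(?P<prefix>CVE|CAN)-)?(?P<year>\d{4})-(?P<seq>\d{4,})$",
    re.IGNORECASE,
)

# URL template quoted on the page for linking to an NVD vulnerability summary.
NVD_SUMMARY_TEMPLATE = "http://nvd.nist.gov/nvd.cfm?cvename={name}"

# Constructed sample repository (hypothetical names and summaries, not NVD data).
SAMPLE_ENTRIES = {
    "CVE-2002-0001": "constructed sample: candidate that was promoted to an entry",
    "CAN-2002-0002": "constructed sample: still a candidate",
}


def cve_key(text):
    """Return the prefix-independent 'YYYY-NNNN' portion of a name, or None.

    This is the part the page says the search accepts on its own (question 14),
    so it serves as the lookup key for candidates and entries alike.  Input
    that does not match the syntax is rejected instead of being passed along.
    """
    m = _CVE_RE.match(text.strip())
    if m is None:
        return None
    return f"{m.group('year')}-{m.group('seq')}"


def build_index(entries):
    """Index repository entries by their prefix-free key.

    `entries` maps full names (CVE-... or CAN-...) to summaries.  Once a
    candidate is promoted the repository stores it under its CVE- name;
    keying on YYYY-NNNN lets a search for the old CAN- name still find it
    (question 15).  A malformed name in the repository is a data error.
    """
    index = {}
    for name, summary in entries.items():
        key = cve_key(name)
        if key is None:
            raise ValueError(f"malformed name in repository: {name!r}")
        index[key] = (name, summary)
    return index


def search(index, query):
    """Look up by full CVE-/CAN- name or bare YYYY-NNNN.

    Returns (stored_name, summary), or None when the query is malformed or
    there is no matching element.
    """
    key = cve_key(query)
    if key is None:
        return None
    return index.get(key)


def summary_url(name):
    """Fill the page's URL template with a validated, upper-cased name.

    Raises ValueError for anything that is not a CVE name, so the caller
    cannot smuggle query-string fragments into the generated link.
    """
    if cve_key(name) is None:
        raise ValueError(f"not a CVE name: {name!r}")
    return NVD_SUMMARY_TEMPLATE.format(name=quote(name.strip().upper(), safe="-"))


if __name__ == "__main__":
    idx = build_index(SAMPLE_ENTRIES)
    for q in ("CAN-2002-0001", "2002-0002", "CVE-2002-9999", "'; DROP TABLE x--"):
        print(f"{q!r:24} -> {search(idx, q)}")
    print(summary_url("cve-2002-0001"))
```

A search for CAN-2002-0001 returns the CVE-2002-0001 entry because the index is keyed on the YYYY-NNNN portion, which is the behaviour questions 14 and 15 describe; the injection-looking query is simply rejected by the syntax check rather than reaching the repository or the URL.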

29) Finding CVE Names Using Online Capability Elements <CR_A.4.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the online capability allows the user to determine the associated CVE names for the individual security elements in the report (required):

The CVE name is clearly displayed at the top of each security element summary.

Media Questions

31) Electronic Document Format Info <CR_B.3.1>

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CVE-related text (required):

The primary method of accessing the NVD is through its web interface found at http://nvd.nist.gov. The search capability on the main page allows users to search by CVE-related text as well as specific CVE names. If any matches are found the related security elements are returned to the user. Individuals can also download the entire NVD dataset at http://nvd.nist.gov/download.cfm, but will be responsible for implementing any desired search capabilities.

32) Electronic Document Listing of CVE Names <CR_B.3.2>

If one of the capability's standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CVE names are listed for each individual security element (required):

Each security element is labeled by its entire corresponding CVE name.

33) Electronic Document Element to CVE Name Mapping <CR_B.3.3>

Provide example documents that demonstrate the mapping from the capability's individual elements to the respective CVE name(s) (recommended):

As illustrated in the black box above, the title of each security element contains its corresponding CVE name.

Graphical User Interface (GUI)

34) Finding Elements Using CVE Names Through the GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability's elements by looking for their associated CVE name(s) (required):

The NVD GUI provides a keyword search located on the main page. Entering a CVE name into the search field will return the associated security element.

35) GUI Element to CVE Name Mapping <CR_B.4.2>

Briefly describe how the associated CVE names are listed for the individual security elements or discuss how the user can use the mapping between CVE entries and the capability's elements, also describe the format of the mapping (required):

Since the NVD is a database of CVE entries there is a one-to-one mapping between CVE names and the security elements associated with the database. A security element's corresponding CVE name is clearly displayed at the beginning of its entry.

36) GUI Export Electronic Document Format Info <CR_B.4.3>

Provide details about the different electronic document formats that you provide for exporting or accessing CVE-related data and describe how they can be searched for specific CVE-related text (recommended):

The easiest method of accessing CVE-related data is via the website at http://nvd.nist.gov. All security elements are full text searchable. The entire database can also be downloaded at http://nvd.nist.gov/download.cfm, but would require the individual user to implement a search function.

Questions for Signature

37) Statement of Compatibility <CR_2.7>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CVE Compatibility Requirements as well as all of the additional mandatory CVE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Peter Mell

38) Statement of Accuracy <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability's Repository and the CVE entries our capability identifies."

Name: Peter Mell

39) Statement on False-Positives and False-Negatives <CR_A.2.8 and/or CR_A.3.5>

FOR TOOLS ONLY - Have an authorized individual sign and date the following statement about your tool's efficiency in identification of security elements (required):

"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."

Name: Peter Mell

Page Last Updated or Reviewed: August 10, 2017