CVE Data Sources
A number of organizations in the information security community provide CVE with vulnerability information that helps MITRE create new CVE Identifiers. This information is provided to MITRE in the form of "submissions," which are derived from the submitting data source’s vulnerability databases, probe lists from assessment tools, periodic vulnerability summaries, etc. (See About CVE Identifiers for detailed information about this process.)
With multiple submissions from different organizations, MITRE has a richer set of information to use when creating CVE Identifiers. This improves the quality of those CVE Identifiers, which in turn makes CVE more useful to all parties. For example, the resulting CVE Identifiers may provide additional references for people to include in their own databases. Also, since CVE does not rely on any one source, it has a better chance of identifying all publicly known security problems, which then provides a more comprehensive set of vulnerabilities and exposures for everyone. (Note that all data sources make decisions about which vulnerabilities or exposures they will include in their own database. They may exclude a security problem from their own database because it is not sufficiently proven to exist, there is incomplete information, the problem is not important to the data source’s customers, etc.)
A CVE data source receives a "backmap," which links its own database items to the resulting CVE names. This helps reduce the amount of labor that the data source has to perform when mapping their database to CVE names.
Individuals from the organizations noted below have provided MITRE with vulnerability information (e.g., vulnerability databases, probe lists from assessment tools, periodic vulnerability summaries, etc.). The MITRE Corporation thanks all of these organizations for their contributions as data sources to the CVE Initiative.
Data Sources for New Security Problems
The organizations noted below publish regular summaries of new vulnerabilities and exposures, on a weekly to monthly basis. MITRE has been given permission to use their summaries to help keep CVE current and comprehensive with respect to the newest security problems.
Data Sources for Legacy Security Problems, Summer 2000
CVE was created in 1999. A large number of vulnerabilities and exposures were discovered and publicized before then. These are referred to as "legacy problems." While CVE currently includes the most serious and well-known legacy problems, there is a backlog of other legacy problems that still need to be assigned a CVE name.
During summer 2000, the following organizations provided MITRE with stripped copies of their entire vulnerability databases. These databases are helping MITRE to create more legacy CVE names, which in turn will make CVE more comprehensive with respect to "legacy" vulnerabilities and exposures.
Data Sources for Legacy Security Problems, Winter 1999
In November and December of 1999, MITRE requested organizations to provide a "top 100 list" of vulnerabilities and exposures that they wanted to see in CVE. Over 800 submissions were provided. Those submissions helped expand CVE to more than 500 entries (Version 20000118).
The following organizations provided MITRE with their top 100 lists:
Data Sources for the Draft CVE, Spring-Summer 1999
Before CVE was publicly released in September 1999, a "draft CVE" was created and submitted to the Editorial Board for feedback. ISS, L-3 Security (acquired by Symantec), SANS, and Netect (later acquired by BindView) provided information that was used to help create the draft CVE. Data was also drawn from other sources including Bugtraq and NTBugtraq posts, CERT advisories, and security tools such as NAI’s CyberCop Scanner, Cisco’s NetSonar, and AXENT’s NetRecon.