CVE Data Sources (Archived)

IMPORTANT: This page has been moved to "Archive" status. Refer to the Request CVE IDs page for the most current information about how CVE IDs are assigned.


From 1999 through November 2013, numerous organizations in the information security community provided CVE with vulnerability information that helped MITRE create new CVE Identifiers. This information was provided to MITRE in the form of "submissions," which were derived from the submitting data source’s vulnerability databases, probe lists from assessment tools, periodic vulnerability summaries, etc.

With multiple submissions from different organizations (a process which continues today, see Data Sources/Product Coverage for current information), MITRE had a richer set of information to use when creating CVE Identifiers. This improved the quality of those CVE Identifiers, which in turn made CVE more useful to all parties. For example, the resulting CVE Identifiers may have provided additional references for people to include in their own databases. Also, since CVE did not rely on any one source, it had a better chance of identifying all publicly known security problems, which then provided a more comprehensive set of vulnerabilities and exposures for everyone. (Note that all data sources made decisions about which vulnerabilities or exposures they included in their own databases. They may have excluded a security problem from their own database because it was not sufficiently proven to exist, there was incomplete information, the problem was not important to the data source’s customers, etc.)

Each CVE data source received a "backmap," which linked its own database items to the resulting CVE names. This helped reduce the amount of labor that the data source had to perform when mapping their database to CVE names.

Individuals from the organizations noted below provided MITRE with vulnerability information (e.g., vulnerability databases, probe lists from assessment tools, periodic vulnerability summaries, etc.). The MITRE Corporation thanks all of these organizations for their contributions as data sources to the CVE Initiative during this time period.

Previous Sources

Data Sources for Security Problems, 1999 – November 2013

The organizations noted below gave MITRE permission to use their regularly published vulnerability summaries to help keep CVE current and comprehensive with respect to the newest security problems.

Older Sources

Data Sources for Legacy Security Problems, Summer 2000

CVE was created in 1999. A large number of vulnerabilities and exposures were discovered and publicized before then. These are referred to as "legacy problems." While CVE includes the most serious and well-known legacy problems, there was in Summer 2000 a backlog of other legacy problems that still needed to be assigned a CVE name.

During summer 2000, the following organizations provided MITRE with stripped copies of their entire vulnerability databases. These databases helped MITRE to create more legacy CVE names, which in turn made CVE more comprehensive with respect to "legacy" vulnerabilities and exposures.

Data Sources for Legacy Security Problems, Winter 1999

In November and December of 1999, MITRE requested organizations to provide a "top 100 list" of vulnerabilities and exposures that they wanted to see in CVE. Over 800 submissions were provided. Those submissions helped expand CVE to more than 500 entries (Version 20000118).

The following organizations provided MITRE with their top 100 lists:

Data Sources for the Draft CVE, Spring-Summer 1999

Before CVE was publicly released in September 1999, a "draft CVE" was created and submitted to the Editorial Board for feedback. ISS (later acquired by IBM), L-3 Security (later acquired by Symantec), SANS, and Netect (later acquired by BindView, which was later acquired by Symantec) provided information that was used to help create the draft CVE. Data was also drawn from other sources including Bugtraq and NTBugtraq posts, CERT advisories, and security tools such as Network Associates, Inc.'s (later acquired by McAfee, Inc.) CyberCop Scanner, Cisco’s NetSonar, and AXENT's (later acquired by Symantec) NetRecon.

Page Last Updated or Reviewed: January 29, 2019