CVE Assignment Information Format

The information on this page is excerpted from “Appendix B: CVE Information Format” of the “CVE Numbering Authorities (CNA) Rules” document, and provides the required Format and a Correctly Formatted Example.


CVE Numbering Authorities (CNAs) must provide CVE assignment information to the CNA level above them using the following format. The use of this format facilitates the automation of CVE assignment. In a flat file, use this format.


In a Comma Separated Values (CSV) file, each row should include each of these columns with CVE ID as a primary key.

There are no format limitations on the actual data, which allows for flexibility across products that may have unusual versioning or differing definitions, such as what a “problem type” means. The only exception to this is that references must be URLs. With or without this technical standard, the information referenced by each field is required for assigning a CVE. In all cases, the content included in CVE descriptions must be germane to the vulnerability. The Primary CNA reserves the right to modify or reject content included in CVE assignment if it is deemed inappropriate by the Primary CNA. Any information submitted as part of a CVE must be submitted in English, though CVEs may reference content in any language.

The [DESCRIPTION]: field is a plain language field that should describe the vulnerability to the greatest level of detail available. In addition to the required information listed above, the description should include any other detail available.

Specifically, the [DESCRIPTION]: field could also include:

Correctly Formatted Example

Following is an example of the reporting format in use. In this case, the Sub-CNA “BigCompanySoft” is assigning a CVE ID to versions of their product.

[CVEID]: CVE-2016-123455
[VERSION]: All versions prior to version 2.5
[PROBLEMTYPE]: Arbitrary Code Execution
[DESCRIPTION]: CoreGraphics in BIGCOMPANYSOFT SOFTWARE PRODUCT before 2.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted BMP image …
Page Last Updated or Reviewed: December 15, 2017