Handling Duplicate Public CVE Identifiers

Introduction

As more vendors, researchers, and coordinators use CVE Identifiers in initial public vulnerability announcements, the risk of multiple assignments of the same CVE identifier increases. While all involved parties should coordinate on the CVE name for an issue, errors still occasionally occur, especially if one party does not normally use CVE. For that reason, when duplicate identifiers are made public, the Primary CVE Numbering Authority (i.e., MITRE Corporation) must be consulted to choose the proper CVE Identifier to use.

Criteria for Selecting the Preferred Identifier

MITRE uses the following criteria to select which identifier will be associated with the issue:

  1. PREFER THE MOST COMMONLY REFERENCED IDENTIFIER. This is roughly gauged by searching for all affected identifiers on a search engine and comparing results.
  2. If the usage numbers of identifiers are about the same, then CHOOSE THE IDENTIFIER USED BY THE MOST AUTHORITATIVE SOURCE. The "most authoritative source" is roughly prioritized as: vendor, coordinator, researcher.
  3. If the identifiers have the same level of authority, then CHOOSE THE IDENTIFIER THAT HAS BEEN PUBLIC FOR THE LONGEST PERIOD OF TIME.
  4. If the identifiers have been public for the same amount of time, then CHOOSE THE IDENTIFIER WITH THE SMALLEST NUMERIC PORTION.

NOTE: The criteria are roughly prioritized and are still evolving.

Annotating Duplicate Identifiers

Once the preferred identifier has been selected by MITRE, MITRE will modify the descriptions of all other identifiers and reference the preferred identifier.

Additional Information

For more information see About CVE Identifiers or contact the CVE Editor at cve@mitre.org with any comments or concerns.

 
Page Last Updated: October 28, 2011