Handling Duplicate Public CVE Identifiers
Criteria for Selecting the Preferred Identifier | Annotating Duplicate Identifiers | Additional Information
As more vendors, researchers, and coordinators use CVE Identifiers in initial public vulnerability announcements, the risk of multiple assignments of the same CVE identifier increases. While all involved parties should coordinate on the CVE name for an issue, errors still occasionally occur, especially if one party does not normally use CVE. For that reason, when duplicate identifiers are made public, the Primary CVE Numbering Authority (i.e., MITRE Corporation) must be consulted to choose the proper CVE Identifier to use.
Criteria for Selecting the Preferred Identifier
MITRE uses the following criteria to select which identifier will be associated with the issue:
NOTE: The criteria are roughly prioritized and are still evolving.
Annotating Duplicate Identifiers
Once the preferred identifier has been selected by MITRE, MITRE will modify the descriptions of all other identifiers and reference the preferred identifier.