CVE Editorial Policies

CVE Editorial Policies—also called "Content Decisions (CDs)"—are the guidelines the CVE Content Team uses to ensure that CVE Identifiers are created in a consistent fashion, independent of who is doing the creation. The documents below explain CDs and the CD process in more detail:

CVE Content Decisions Overview

Describes the two most commonly used CDs: "Inclusion Content Decisions," which specify whether a vulnerability or exposure should go into CVE, and "Abstraction Content Decisions," which specify the level of abstraction, or detail, at which a vulnerability should be described. An example of the two most commonly used abstraction facets of CVE CDs is also included.

CVE Abstraction Content Decisions: Rationale and Application

This document provides guidelines for Abstraction CDs, clarifying when to combine multiple reports, bugs, and/or attack vectors into a single CVE name, and when to create separate CVE names. Also discussed are the design goals of CDs and their role in managing vulnerability information for the CVE Initiative, an outline of CVE's major abstraction CDs, a comparison of CDs with other vulnerability information sources, and numerous examples of CDs in action.

Handling Duplicate Public CVE Identifiers

When duplicate CVE Identifiers are accidentally assigned by vendors, researchers, or coordinators and made public in initial public vulnerability announcements, CVE’s Primary CVE Numbering Authority must be consulted to choose the proper CVE Identifier to use. This document details the criteria MITRE uses for selecting the preferred identifier.

CVE Numbering Authorities

Defines CVE Numbering Authorities (CNAs); provides documentation for CNAs, including the CNA Rules and Researcher Responsibilities documents; and describes how to become a CNA. Also included is a list of the numerous organizations currently participating as CNAs.

Page Last Updated or Reviewed: May 01, 2017