CVE Editorial Policies

CVE Editorial Policies are the guidelines the CVE program uses to ensure that CVE IDs are created in a consistent fashion, independent of which CVE Numbering Authority (CNA) is doing the creation. The documents below explain this process in more detail:

CVE Counting Rules

The nature and accuracy of the counting process underpins the value of a CVE ID. Correct counting reduces the likelihood of duplicate CVE IDs being assigned to a single vulnerability. Also, some reports of vulnerabilities may confuse or conflate multiple, separate software problems, and the counting process helps to differentiate between those vulnerabilities that are unique. Decision trees are included.


CVE Assignment Information Format

Provides the required format that CNAs must use to provide CVE information for assigning CVE IDs. An example is included.


Process to Correct Counting Issues

There are many places where the CVE ID assignment process can break down. Since mistakes are inevitable, processes to correct them are necessary. This document describes different scenarios wherein the CVE ID assignment goes awry, and the corresponding resolution process.


CVE Numbering Authorities

All CVE IDs are assigned by CNAs. This page defines the role of CNAs; provides documentation for CNAs, including links to the CNA Rules and Researcher Responsibilities documents; and describes how to become a CNA.

Page Last Updated or Reviewed: August 02, 2017