CVE Editorial Policies
CVE Editorial Policies—also called "Content Decisions (CDs)"—are the guidelines the CVE Content Team uses to ensure that CVE Identifiers are created in a consistent fashion, independent of who is doing the creation. The documents below explain CDs and the CD process in more detail:
Describes the two most commonly used CDs, "Inclusion Content Decisions," which specify whether a vulnerability or exposure should go into CVE, and "Abstraction Content Decisions," which specify what level of abstraction, or detail, at which a vulnerability should be described. An example of the two most commonly used abstraction facets of CVE CDs is also included.
This document provides guidelines for Abstraction CDs, clarifying when to combine multiple reports, bugs, and/or attack vectors into a single CVE name, and when to create separate CVE names. Also discussed are the design goals of CDs and their role in managing vulnerability information for the CVE Initiative, an outline of CVE's major abstraction CDs, a comparison of CDs with other vulnerability information sources, and numerous examples of CDs in action.
When duplicate CVE Identifiers are accidentally assigned by vendors, researchers, or coordinators and made public in initial public vulnerability announcements, CVE’s Primary CVE Numbering Authority must be consulted to choose the proper CVE Identifier to use. This document details the criteria MITRE uses for selecting the preferred identifier.
Includes an introduction to the CVE Identifier reservation process, defines CVE Numbering Authorities (CNAs), provides the requirements for being a CNA, describes CNA tasks, explains the communication requirements from the CNA to MITRE, defines the role of vendor liaisons, and explains the researcher’s responsibilities in the process. Also included is a list of the several organizations currently participating as CNAs.