About CVE Identifiers

CVE Identifiers Defined

CVE Identifiers (also called "CVE names," "CVE numbers," "CVE-IDs," and "CVEs") are unique, common identifiers for publicly known information security vulnerabilities.

Each CVE Identifier includes the following:

  • CVE Identifier number (e.g., "CVE-1999-0067", "CVE-2014-12345", "CVE-2014-7654321").
  • Brief description of the security vulnerability or exposure.
  • Any pertinent references (i.e., vulnerability reports and advisories or OVAL-ID).

Learn more about:

  • Upcoming DEADLINE for the new CVE-ID numbering format (IMPORTANT)
  • Technical guidance and test data for handling the new CVE-ID numbering format (i.e., syntax)
  • New CVE-ID numbering format that began January 1, 2014
  • CVE usage of Common Vulnerability Reporting Framework (CVRF)
  • Updating existing information or adding new information to a CVE Identifier description or reference
  • Dates included in CVE Identifiers
  • CVE content updates & RSS feeds
  • Requesting CVE Identifier numbers

Creation of a CVE Identifier

The process of creating a CVE Identifier begins with the discovery of a potential security vulnerability or exposure. The information is then assigned a CVE Identifier number by a CVE Numbering Authority (CNA), and posted on the CVE Web site by the CVE Editor. As part of its management of CVE, The MITRE Corporation functions as CVE Editor and Primary CNA. The CVE Editorial Board oversees this process.

The documents below explain CVE Identifiers and the creation of identifiers in more detail:

CVE Numbering Authorities

Lists the organizations currently participating as CVE Numbering Authorities (CNAs). Includes an introduction to the candidate reservation process; defines CNAs and provides the requirements for being a CNA; describes CNA tasks; explains the communication requirements from the CNA to MITRE; defines the role of vendor liaisons; and explains the researcher’s responsibilities in the process.

How We Build the CVE List

A description of how CVE Identifiers are added to the CVE List, including the roles of CVE Numbering Authorities (CNAs) and the CVE Content Team.

CVE Editorial Policies

CVE Editorial Policies, also called Content Decisions (CDs), are the guidelines the CVE Content Team uses to ensure that CVE Identifiers are created in a consistent fashion, independent of who is doing the creation. This page is a central location for information about, and related to, CDs, including the following: Editorial Policies Overview; CVE Abstraction Content Decisions: Rationale and Application; and Handling Duplicate Public CVE Identifiers.

CVE Editor’s Commentary

Selected opinions and commentary about vulnerabilities, software assurance, and related topics by the CVE List Editor.

CVE References

Each CVE Identifier includes appropriate references. Each reference used in CVE (1) identifies the source, (2) includes a well-defined identifier to facilitate searching on a source’s Web site, and (3) notes the associated CVE Identifier. CVE also includes a Reference Maps page with links to documents from the commonly used information sources that are used as references for CVE Identifiers.

CVE Data Sources and Product Coverage

A list of sources from the information security community that provide us with vulnerability information that helps MITRE create new CVE Identifiers, along with a product coverage list.

CVE Data Sources Archive

This page provides an archive list of the organizations from the information security community that provided us with vulnerability information that helped MITRE create new CVE Identifiers from 1999 through November 2013.

CVE Versions Archive

This page provides an archive of the old CVE versions, the last of which was issued in 2006. As new CVE Identifiers are now added to the CVE Web site on a daily basis and are immediately usable by the community, the most current version of CVE is on the CVE List Master Copy page.

FAQs

FAQs from the Frequently Asked Questions page in the About CVE section also address specific questions about CVE Identifiers.

Requesting CVE Identifiers

In most instances the CVE Initiative does not issue CVE-ID numbers directly but instead relies on certain mechanisms to handle newly emerging information that is eventually provided to CVE. Therefore, to receive a CVE-ID number for your issue you could:

  • Contact one of the CVE Numbering Authorities (CNAs), which will then include a CVE-ID number in its initial public announcement about your new vulnerability.
  • Contact an emergency response team such as CERT/CC.
  • Post the information to mailing lists such as Bugtraq.
  • Provide the information to a vulnerability analysis team.

Alternatively, you may contact the CVE project to Request a CVE-ID and we will provide you with our "CVE Identifier Reservation Guidelines for Researchers" and work with you to assign a CVE-ID number while you work through the process of publicly disclosing the vulnerability. Please review the Researcher Responsibilities.

 
Page Last Updated: October 01, 2014