About CVE Identifiers

CVE Identifiers Defined

CVE Identifiers (also referred to by the community as "CVE IDs," "CVE entries," "CVE names," "CVE numbers," and "CVEs") are unique, common identifiers for publicly known cyber security vulnerabilities.

Each CVE Identifier includes the following:

  • CVE Identifier number with four or more digits in the sequence number portion of the ID (e.g., "CVE-1999-0067", "CVE-2014-12345", "CVE-2016-7654321").
  • Brief description of the security vulnerability or exposure.
  • Any pertinent references (i.e., vulnerability reports and advisories).

Learn more about:

Requesting CVE Identifiers

CVE content updates & data feeds

Updating existing information or adding new information to a CVE Identifier description or reference

How CVE Identifier descriptions are created/compiled

Dates included in CVE Identifiers

What does "RESERVED" signify in a CVE Identifier?

Creation of a CVE Identifier

The process of creating a CVE Identifier begins with the discovery of a potential security vulnerability or exposure. The information is then assigned a CVE Identifier by a CVE Numbering Authority (CNA), and posted on the CVE website by the CVE Editor. As part of its management of CVE, The MITRE Corporation functions as CVE Editor and Primary CNA. The CVE Board oversees this process.

The documents below explain CVE Identifiers and the creation of identifiers in more detail:

CVE Numbering Authorities

Defines the role and responsibilities of CVE Numbering Authorities (CNAs); shows the number and types of participating CNAs from around the world; provides documentation for CNAs, including the CNA Rules document and Researcher Reservation Guidelines (see below); and provides details of how to become a CNA.


CNA Rules, Version 1.1 – September 16, 2016

In addition to information specifically for and about CNAs, this document also includes the following detailed information about the CVE ID creation process:


Researcher Reservation Guidelines, Version 0.1 – August 29, 2016

Provides information on how to reserve a CVE ID before publicizing a new vulnerability so that CVE ID can be included in the initial public announcement of the vulnerability and can be used to track the vulnerability.


CNA Coverage

Provides a list of the products and product categories covered by all CVE Numbering Authorities (CNAs), including MITRE as Primary CNA.


CVE References

Each CVE Identifier includes appropriate references. Each reference used in CVE (1) identifies the source, (2) includes a well-defined identifier to facilitate searching on a source's website, and (3) notes the associated CVE Identifier. CVE also includes a Reference Maps page with links to documents from the commonly used information sources that are used as references for CVE Identifiers.


MITRE's CVE Data Sources - Current

This page provides a list of the sources used by MITRE-only to assign CVE IDs as the Primary CNA.


FAQs

FAQs from the Frequently Asked Questions page also address specific questions about CVE Identifiers on the following topics:

Archived Information

CVE ID Syntax Change (Archived)

The CVE ID Syntax Change took effect on January 1, 2014. CVE IDs using the new numbering format were first issued beginning on January 13, 2015. CVE IDs with 7 digits are actively being assigned by the DWF CNA as of May 24, 2016. This page is a central location of information about, and related to, the syntax change including the following: CVE ID Syntax Compliance, CVE ID Syntax Guidance, and CVE ID Syntax Test Data.


How We Build the CVE List (Archived)

A description of the process of how CVE Identifiers are added to the CVE List, including the roles of CVE Numbering Authorities (CNA) and the CVE Content Team.


CVE Editorial Policies (Archived)

CVE Editorial Policies, also Content Decisions (CDs), are the guidelines the CVE Content Team uses to ensure that CVE Identifiers are created in a consistent fashion, independent of who is doing the creation. This page is a central location of information about, and related to, CDs including the following: Editorial Policies Overview; CVE Abstraction Content Decisions: Rationale and Application; and Handling Duplicate Public CVE Identifiers.


CVE Editor's Commentary (Archived)

An archive of selected opinions and commentary about vulnerabilities, software assurance, and related topics by the CVE List Content Team.


CVE Data Sources Archive

This page provides an archive list of the organizations from the information security community that provided us with vulnerability information that helped MITRE create new CVE Identifiers from 1999 through November 2013.


CVE Versions Archive

This page provides an archive of the old CVE versions, the last of which was issued in 2006. As new CVE Identifiers are now added to the CVE website on a daily basis and are immediately usable by the community, the most current version of CVE is on the CVE List Master Copy page.

Requesting CVE Identifiers

To receive a CVE ID for your issue you must contact a CVE Numbering Authority (CNA). See Request a CVE Identifier for details.

Page Last Updated or Reviewed: July 20, 2017