CVE List Rules and Guidance

CVE List rules and guidance are how the CVE Program ensures that CVE Entries are created in a consistent fashion, independent of which CVE Numbering Authority (CNA) is doing the creation. The documents below explain this process in more detail:


CVE Counting Rules

The nature and accuracy of the counting process underpin the value of a CVE Entry. Correct counting reduces the likelihood of duplicate CVE Entries being assigned to a single vulnerability. Also, some reports of vulnerabilities may confuse or conflate multiple, separate software problems, and the counting process helps to differentiate between those vulnerabilities that are unique. Decision trees are included.


CVE Assignment Information Format

This document provides the required format that CNAs must use to provide CVE information for assigning CVE Entries. An example is included.


Process to Correct Counting Issues

There are many places where the CVE Entry assignment process can break down. Since mistakes are inevitable, processes to correct them are necessary. This document describes different scenarios wherein the CVE Entry assignment goes awry, and the corresponding resolution process.


CVE Numbering Authorities

All CVE Entries are assigned by CNAs. This page defines the role of CNAs; provides access to documentation for CNAs, including links to the CNA Rules and Submitting CVE Assignment Information to the CVE Team documents; and describes how to become a CNA.

Page Last Updated or Reviewed: December 15, 2017