MITRE's Data Sources as Primary CNA

The information below applies to CVE IDs assigned by MITRE only, functioning as the Primary CNA. In addition to responding to direct requests for CVE ID numbers, MITRE also monitors specific data sources to ascertain issues that should require the assignment of a CVE ID.

CVE separates data sources into two major groups:

  1. Full Coverage – For nearly all issues disclosed by the source that could be associated with a CVE entry, there will be an associated CVE entry, regardless of the criticality of the issue. Although a source is named as Full Coverage, we purposely use the phrasing "nearly all issues disclosed" to allow the flexibility to potentially postpone coverage of minor issues.
  2. Partial Coverage – The source will be actively monitored but issues will be processed and associated with CVE entries based on a variety of editorial judgments.

We further sub-divide both of these lists into two sub-lists:

NOTE: As Primary CNA, MITRE actively monitors many sources beyond this list. These sources include things like blogs from vulnerability researchers, conference proceedings, and media outlets. Monitoring this set of sources has proven to be productive for and informative to the CVE analysts. Which sources are of most utility is highly dependent on a given situation. As such, we don't believe it of general utility to list them all specifically.

MITRE's current lists of full-coverage and partial-coverage sources of data are included below.

Full Coverage Sources - Vendor Related

Full Coverage Sources - Other

Partial Coverage Sources - Vendor Related

Partial Coverage Sources - Other

For questions, or assistance about how to use the information on this page, please contact us.

Page Last Updated or Reviewed: January 13, 2017