Primary CNA's Data Sources (Archived)

IMPORTANT: This page has been moved to "Archive" status. Refer to the Request CVE IDs page for the most current information about how CVE IDs are assigned.


The information below applies to CVE Entries assigned by the Primary CNA only. In addition to responding to direct requests for CVE ID numbers, the Primary CNA also monitors specific data sources to ascertain issues that should require the assignment of a CVE Entry.

CVE separates data sources into two major groups:

  1. Full Coverage – For nearly all issues disclosed by the source that could be associated with a CVE Entry, there will be an associated CVE Entry, regardless of the criticality of the issue. Although a source is named as Full Coverage, we purposely use the phrasing "nearly all issues disclosed" to allow the flexibility to potentially postpone coverage of minor issues.
  2. Partial Coverage – The source will be actively monitored but issues will be processed and associated with CVE Entries based on a variety of editorial judgments.

We further sub-divide both of these lists into two sub-lists:

NOTE: The Primary CNA also monitors many sources beyond this list. These sources include things like blogs from vulnerability researchers, conference proceedings, and media outlets. Monitoring this set of sources has proven to be productive for and informative to the CVE analysts. Which sources are of most utility is highly dependent on a given situation. As such, we don't believe it of general utility to list them all specifically.

The Primary CNA's current lists of full-coverage and partial-coverage sources of data are included below.

Full Coverage Sources - Vendor Related

Full Coverage Sources - Other

Partial Coverage Sources - Vendor Related

Partial Coverage Sources - Other

For questions, or assistance about how to use the information on this page, please contact us.

Page Last Updated or Reviewed: January 29, 2019