CVE in Use

As the international industry standard for information security vulnerability and exposure names, CVE Identifiers are included in numerous products and services and are the foundation of others.

CVE-COMPATIBLE PRODUCTS

Use of CVE-IDs enhances these areas of enterprise security:

Sponsor: CS&C

National Vulnerability Database

National Vulnerability Database (NVD) provides:


GOVERNMENT

US-CERT Bulletins

Uses CVE-IDs to uniquely identify the vulnerabilities they report.

DISA Information Assurance Vulnerability Alerts

CVE-IDs are mapped to the U.S. Defense Information Systems Agency’s (DISA) Information Assurance Vulnerability Alerts (IAVAs), downloads of which are posted on DISA's public Security Technical Implementation Guides (STIG) Web site.

Security Content Automation Protocol (SCAP)

CVE is one of ten existing standards the U.S. National Institute of Standards and Technology's (NIST) SCAP uses to enable automated vulnerability management, measurement, and policy compliance evaluation.

U.S. Government Agencies

The National Institute of Standards and Technology (NIST) recommends use of CVE by U.S. agencies in two 2002 Special Publications: "800-51: Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme" and "800-40: Procedures for Handling Security Patches."

DoD Contracts

The U.S. Defense Information Systems Agency (DISA) issued Task Order 232 in June 2004 for information assurance applications for the Department of Defense (DoD); it requires the use of products that use CVE-IDs.

COMMUNITY

CVE Numbering Authorities (CNAs)

Community members, such as OS and software vendors, third-party coordinators, and researchers, that are authorized to assign CVE-IDs to new issues.

Recommendation ITU-T X.1520 Common Vulnerabilities and Exposures (CVE)

CVE was adopted by the International Telecommunication Union's (ITU-T) Cybersecurity Rapporteur Group as a part of its "Global Cybersecurity Information Exchange techniques (X.CYBEX)" by issuing the X.CVE recommendation above, which is based upon CVE's current Compatibility Requirements document. Any future changes to that document will be reflected in subsequent updates to X.CVE.

Common Vulnerability Scoring System (CVSS)

The severity of CVE-IDs is rated by the Forum of Incident Response and Security Teams' (FIRST) CVSS. NVD provides a CVSS calculator for CVE-IDs.

Common Weakness Enumeration (CWE™)

A formal dictionary of software weakness types, CWE is based in part on the CVE List.

Open Vulnerability and Assessment Language (OVAL®)

OVAL is a standard for determining vulnerability and configuration issues on computer systems. CVE-IDs are the primary references for "OVAL Vulnerability Definitions," which test systems for the presence of CVEs.

Page Last Updated: April 16, 2015