New CVE-ID Format as of January 1, 2014 — learn more
Provides an overview of CVE Identifiers and links to various documents within three areas: CVE Identifiers Defined, Creation of a CVE Identifier, and Obtaining CVE Identifiers.
A description of the process of how CVE Identifiers are added to the CVE List, including the roles of CVE Numbering Authorities (CNA) and the CVE Content Team.
Describes the two most commonly used CDs, "Inclusion Content Decisions," which specify whether a vulnerability or exposure should go into CVE, and "Abstraction Content Decisions," which specify what level of abstraction, or detail, at which a vulnerability should be described. An example of the two most commonly used abstraction facets of CVE CDs is also included.
This document provides guidelines for Abstraction CDs, clarifying when to combine multiple reports, bugs, and/or attack vectors into a single CVE name, and when to create separate CVE names. Also discussed are the design goals of CDs and their role in managing vulnerability information for the CVE Initiative, an outline of CVE’s major abstraction CDs, a comparison of CDs with other vulnerability information sources, and numerous examples of CDs in action.
When duplicate CVE Identifiers are accidentally assigned by vendors, researchers, or coordinators and made public in initial public vulnerability announcements, CVE’s Primary CVE Numbering Authority must be consulted to choose the proper identifier number to use. This document details the criteria MITRE uses for selecting the preferred identifier.
Includes an introduction to the CVE Identifier reservation process, defines CVE Numbering Authorities (CNAs), provides the requirements for being a CNA, describes CNA tasks, explains the communication requirements from the CNA to MITRE, defines the role of vendor liaisons, and explains the researcher’s responsibilities in the process. Also included is a list of the several organizations currently participating as CNAs.
Each CVE name includes appropriate references. Each reference used in CVE (1) identifies the source, (2) includes a well-defined identifier to facilitate searching on a source’s Web site, and (3) notes the associated CVE name. CVE also includes a Reference Maps page with links to documents from the commonly used information sources that are used as references for CVE Identifiers.
A list of the organizations from the information security community that provide us with vulnerability information that helps MITRE create new CVE Identifiers.
Provides tips for searching or viewing the Master Copy of the CVE List hosted on the CVE Web site. Also notes that advanced searching of CVE is available on the U.S. National Vulnerability Database (NVD) where you may search CVE by individual CVE Identifier (CVE-ID) number; by operating system; by vendor name, product name, and/or version number; and by vulnerability type, severity, related exploit range, and impact.
Description of the formal "CVE Compatibility Process," including Phase 1, the Declaration Phase, which consists of registering an organization's declaration of intent to make their product(s) and/or service(s) CVE-compatible, and Phase 2, the Evaluation Phase, which requires the completion of a questionnaire that specifically looks for the details of how the organization has satisfied the CVE Compatibility Requirements document. September 30, 2009 - Robert A. Martin, Steven M. Christey, and Robert J. Roberge
Provides the detailed requirements against which an information product or service may become CVE-Compatible. Version 1.2, October 1, 2009 - Robert A. Martin and Steven M. Christey
This document clarifies the roles, tasks, and qualifications for CVE Editorial Board members. Roles include technical members, liaisons, advocates, and emeritus members.
This document formalizes the high-level process that is used for identifying, evaluating, and adding new members to the CVE Editorial Board.
Sample Procurement Documents
CVE-Relevant Software Supplier Requirements (SWSupplier)
This document is an extract of the statement of objectives used by the Department of Defense to explain the security-relevant requirements they wanted met by software suppliers. Several areas of security issues are addressed as well as the use of CVE names for vulnerabilities in security notifications. - November 2004
CVE-Relevant Vulnerability Assessment Tool Requirements (IAVMtool)
This document is an extract of the statement of work used by the Department of Defense to explain the security-relevant requirements they wanted met by an enterprise-wide vulnerability assessment and reporting tool. Several areas of security issues are addressed as well as the use of CVE names for vulnerabilities being reported. - November 2004
CVE-Relevant Remediation Tool Requirements (IAremedtool)
This document is an extract of the statement of work used by the Department of Defense to explain the security-relevant requirements they wanted met by an enterprise-wide remediation tool. Several areas of security issues are addressed as well as the use of CVE names for choosing which vulnerabilities are remediated and reporting remediation status. - November 2004
CVE Introductory Brochure
A brief two-page introduction to the CVE effort. February 2013.
PDF (73 K)
This briefing was presented as a "Turbo-Talk" at Black Hat Briefings 2007 in Las Vegas, Nevada, USA. August 2, 2007 - Steve Christey, CVE List Editor and CWE Technical Lead
Making Security Measurable Podcast
A 10-minute podcast interview with CVE Compatibility Lead and CWE Program Manager Robert A. Martin by BankInfoSecurity.com about Common Vulnerabilities and Exposures (CVE®), Common Weakness Enumeration (CWE™), and Making Security Measurable at Black Hat Briefings 2007 — August 2007
MP3 (9.3 MB)
Vulnerability Type Distributions in CVE (2001-2006)
This updated technical white paper discusses the high-level types of vulnerabilities that have been publicly reported over the past five years, such as buffer overflows, cross-site scripting (XSS), SQL injection, and PHP file inclusion. The paper identifies and explains trends such as the rapid rise of Web application vulnerabilities, covers the distribution of vulnerability types in operating system vendor advisories, and compares the issues being reported in open and closed source advisories. May 22, 2007 - Steve Christey, CVE List Editor and CWE Technical Lead; Robert A. Martin, CWE Program Manager
Transformational Vulnerability Management Through Standards
This technical report on the MITRE Web site discusses the U.S Department of Defense's (DOD) new enterprise licenses for vulnerability assessment and remediation tools that are required to conform to the CVE and OVAL standards efforts. Robert A. Martin, CVE Compatibility Lead - May 2005
Security Patches Got You Running in Circles?
Reprint of an article about CVE originally printed in Security Wire Perspectives newsletter, Vol. 6, No. 39. Posted here with permission from Information Security Magazine and TechTarget. May 17, 2004 - Robert A. Martin, CVE Compatibility Lead
A Progress Report on the CVE Initiative
Briefing presented at the FIRST 14th Annual Computer Security Incident Handling Conference, Kona, Hawaii, USA. June 24, 2002 - Steven M. Christey, co-creator of CVE and editor of the CVE List, and Robert A. Martin, CVE Compatibility Lead
Managing Vulnerabilities in Networked Systems
This article about CVE was published in IEEE Computer Society Computer Magazine, Vol. 34, No. 11. November 2001 - Robert A. Martin, CVE Compatibility Lead
CVE Behind the Scenes: The Complexity of Being Simple
Briefing focusing on the various technical issues encountered in CVE presented at Black Hat Briefings, Las Vegas, Nevada, USA. July 11, 2001 - Steve Christey, co-creator of CVE and editor of the CVE List
Vulnerabilities of Developing on the Net
This article about CVE was published in Crosstalk, The Journal of Defense Software Engineering. It was also presented at the U.S. Air Force's Software Technology Support Center’s Thirteenth Annual Software Technology Conference on May 2, 2001 in Salt Lake City, Utah, USA. April 15, 2001 - Robert A. Martin, CVE Compatibility Lead
CVE-Technical Details of CVE
This briefing was presented at the Canadian Information Technology Security Symposium, Ottawa, Canada. June 22, 2000 - Steve Christey, co-creator of CVE and editor of the CVE List, and Margie Zuk, CVE Manager
Common Vulnerabilities and Exposures (CVE)
An introduction to CVE. PowerPoint slides with attached notes. September 29, 1999 - Pete Tasker, Margie Zuk, Steve Christey, Dave Mann, Bill Hill, Dave Baker
White Paper: "The Development of a Common Vulnerabilities and Exposures List"
This white paper was presented at the Second International Workshop on Recent Advances in Intrusion Detection, Purdue University, West Lafayette, Indiana, USA. September 8, 1999 - Steven M. Christey, David W. Baker, William H. Hill, David E. Mann
White Paper: "Towards a Common Enumeration of Vulnerabilities"
This white paper was presented at the 2nd Workshop on Research with Security Vulnerability Databases, Purdue University, West Lafayette, Indiana, USA. January 21-22, 1999 - David E. Mann and Steven M. Christey, co-creators of the CVE List