The CVE Program has begun transitioning to the all-new CVE website at its new CVE.ORG web address. The phased quarterly transition process began on September 29, 2021 and will last for up to one year. Items moved to the new website will no longer be maintained on this website. Learn more about the transition here.
CVE List FAQs |
Includes information about CVE Record Basics, CVE List Basics, and Using the CVE List. |
About CVE Records |
Provides an overview of CVE Records and links to various documents within three areas: CVE Records Defined, Creation of a CVE Record, and Requesting CVE Identifiers (CVE IDs). |
Search Tips |
Provides tips for searching or viewing CVE Records on the CVE List hosted on this CVE website. |
How to Contact the CVE Program to Update Information in CVE Records |
Instructions for how to request updates to CVE Records on the CVE List. Also included are instructions for contacting the U.S. National Vulnerability Database (NVD) about CPE information and CVSS scores. |
CVE References |
Each CVE Record includes appropriate references. Each reference used in CVE (1) identifies the source, (2) includes a well-defined identifier to facilitate searching on a source's website, and (3) notes the associated CVE Record. CVE also includes a Reference Maps page with links to documents from the commonly used information sources that are used as references for CVE Records. |
MITRE CNA of Last Resort (CNA-LR) PGP Key |
PGP key last updated: March 2020 | Fingerprint: F59F 1525 57C5 3CE4 BEAE B86E F357 D0E9 903E 4008 | Key ID: 903E4008 | Key size: 4096 |
CVE Numbering Authority (CNA) Rules, Version 3.0 |
Includes detailed information for CNAs about Assignment Rules, including the CVE Program’s definition of “vulnerability” and the requirements for assigning a CVE ID; CVE Record (previously “CVE Entry”) requirements, including entry information, prose description, reference(s), and formatting; the appeals process; definitions of CVE ID states and CVE Record states; the process to correct assignment issues or update CVE Records; disclosure and embargo policies; defining a CNA’s scope; and the four categories of CNAs (Sub-CNAs, Root CNAs, CNAs of Last Resort (CNA-LR), Program Root CNA, and Secretariat), with assignment, communication, and administration rules for each. Version 3.0 – March 5, 2020 (NOTE: updated annually or as needed) |
CNA Resources |
Links to resources and information for CNAs. |
End-of-Life Assignment Process |
The CVE Program’s assignment process for end-of-life products. |
CNA Policies |
EOL Policy |
The CVE Program’s policy and procedure for end-of-life (EOL) products. |
RBP CVE IDs Policy |
The CVE Program’s policy and procedure for Reserved but Public (RBP) CVE IDs. |
Inactive CNA Policy |
The CVE Program’s policy and procedure for inactive CNAs. |
Assignment |
CVE Assignment Rules |
The nature and accuracy of the counting process underpins the value of a CVE Record (previously “CVE Entry”). Correct assignment reduces the likelihood of duplicate CVE IDs being assigned to a single vulnerability. Also, some reports of vulnerabilities may confuse or conflate multiple, separate software problems, and the assignment process helps to differentiate between those vulnerabilities that are unique. |
CVE Record (previously “CVE Entry”) Information Requirements |
Provides the required format that CNAs must use to provide CVE Record information for assigning CVE IDs. |
Researcher Reservation Guidelines |
Provides information on how to reserve a CVE ID before publicizing a new vulnerability so that the CVE ID can be included in the initial public announcement of the vulnerability and can be used to track the vulnerability. |
Key Details Phrasing |
Key details phrasing guidance for writing CVE Record Descriptions (hosted on GitHub). |
Corrections & Updates |
Process for CNAs to Correct Assignment Issues or Update CVE Records |
There are many places where the CVE ID assignment process can break down. Since mistakes are inevitable, processes to correct them are necessary. This document describes different scenarios wherein the CVE ID assignment goes awry, and the corresponding resolution process. |
Submissions |
Submitting CVE Record Info to the CVE Program |
Explains the two methods to submit “CVE Record information” to the CVE Program: (1) CVE Request Web Form, and (2) Git. NOTE: Detailed guidance for setting up the correct environment to submit a CVE Record through GitHub is included below in the New CNA Onboarding section. |
NOTE: The slides and videos below should be reviewed by new CNAs in the order presented prior to their onboarding meeting with a Root.
CVE Program Overview English: slides | video Japanese: slides Spanish: slides |
An introduction to the CVE® Program, including what is CVE, goals of the program, who operates the program, and program organization. |
Becoming a CNA English: slides | video Japanese: slides Spanish: slides |
An introduction to becoming a CVE Numbering Authority (CNA) with an overview of what defines a CNA, how the CVE Program is organized, how to organize your CNA program, how to define the scope of what you will cover, internal CNA processes, CNA resources, and ways to get involved in the CNA community. |
CNA Processes English: slides | video Japanese: slides Spanish: slides |
Guidance for CNAs on how to get a block of CVE IDs, assign vulnerabilities to CVE IDs, submit CVE IDs, update CVE Records (previously “CVE Entries”) when necessary, escalate issues where there is a dispute, reject CVE IDs when needed, dispute a CVE ID, and the process for handling expiring CVE IDs. |
Assigning CVE IDs English: slides | video Japanese: slides Spanish: slides |
Describes in detail how CNAs assign CVE IDs to vulnerabilities. |
CVE Record (previously “CVE Entry”) Creation English: slides | video Japanese: slides Spanish: slides |
Once a CNA has assigned a CVE ID(s), performed coordination to fix the vulnerability, and published the vulnerability information, the next step is to populate the CVE Record (previously “CVE Entry”). This video details how CNAs create CVE Records. |
CVE Record (previously “CVE Entry”) GitHub Submissions English: slides Spanish: slides |
Describes the process for CNAs to submit CVE Records using GitHub. |
CVE Record Submission Process to the MITRE Top-Level Root Only English: slides | video Japanese: slides Spanish: slides |
Guidance for how to submit a CVE Record (previously “CVE Entry”) to the MITRE Top-Level Root (TL-Root). |
NOTE: The documents below (hosted on GitHub) walk through how to set up a local environment to submit CVE Records (previously “CVE Entries”) in JSON format to the CVE List via git. The Initial Tools document, which walks through basic info and requirements, should be read first, followed by one of the other three documents to finish setup based on your desired workflow.
Initial Tools: Overview and First Steps |
Discusses the several steps in setting up the correct environment to submit CVE Record (previously “CVE Entry”) information through GitHub using a variety of tools. |
Command Line Interface Setup |
Describes how to submit new JSON files to the CVE GitHub repository using the git command line interface as opposed to a GUI. |
GitHub Desktop GUI Setup |
Describes the GitHub submission process for submitting a new CVE Record (previously “CVE Entry”) using GitHub Desktop, a free GUI-based application. |
SourceTree GUI Setup |
Describes the GitHub submission process for submitting a new CVE Record (previously “CVE Entry”) using SourceTree, a free GUI-based application. |
CVE Request Web Form FAQs |
Includes questions and answers on web form basics, using the web form, and after submitting a web form request. |
CVE Request Web Form Overview |
This presentation provides an overview of how to use the CVE Request web form, which is used to request CVE IDs from the CVE Program Root CNA, request an update to an existing CVE Record (previously “CVE Entry”), provide notification about a vulnerability publication, or submit comments. |
CVE Request Web Form Tip Sheet |
A brief overview of information and tips for using each of the CVE Request web forms: Request a CVE ID; Request a block of IDs (for CNAs only); Notify CVE about a publication; Request an update to an existing CVE; and Other. |
CNACWG Charter |
This document provides information about the CNA Coordination Working Group (CNACWG) including its goals, operating principles, and objectives. Version 1.4 – July 28, 2021 |
QWG Charter |
This document provides information about the CVE Quality Working Group (QWG) including its goals, operating principles, and objectives. Version 1.0 – June 24, 2021 |
AWG Charter |
This document provides information about the CVE Automation Working Group (AWG) including its goals, operating principles, and objectives. Version 1.0 – July 14, 2020 |
SPWG Charter |
This document provides information about the CVE Strategic Planning Working Group (SPWG) including its goals, operating principles, and objectives. Version 1.3 – June 15, 2020 |
OCWG Charter |
This document provides information about the CVE Outreach and Communications Working Group (OCWG) including its goals, operating principles, and objectives. Version 1.0.2 – March 23, 2020 |
CVE ID Allocation Service Specification |
Specification for the CVE ID Allocation Service developed by the CVE Automation Working Group (AWG). Version 1.0 – February 12, 2019 |
SPWG Repositories & Projects |
Repositories and projects developed by the CVE Strategic Planning Working Group (SPWG). |
AWG Repositories & Projects |
Repositories and projects developed by the CVE Automation Working Group (AWG). |
CVE Board Charter |
This document provides information about the CVE Board and how it functions, including Board structure, membership, working groups, and operations. A member nomination form is also included. Version 3.3 – August 20, 2020 |
CVE Program Videos |
Includes a CVE Program Overview video for all audiences, as well as several videos of detailed processes and procedures guidance for those organizations that have signed on to participate as official CVE Numbering Authorities (CNAs). |
CVE Compatibility Guidelines (White Paper) |
This white paper provides detailed guidelines for making cybersecurity product(s) or service(s) compatible with CVE. September 29, 2017 |
CVE IDs and How to Get Them (Presentation) |
This briefing was presented at the “Wall of Sheep” by the CVE Team at DEF CON 25 in Las Vegas, Nevada, USA. July 28, 2017 |
Archived Documents |
Documents listed on this archive page are no longer current and are retained on the CVE website for historical purposes only. |