Documents Archive

The documents listed on this page are archived and included here for historical purposes only. Please visit the main All Documents page for the most current CVE Program documentation.

    CVE List (Archived)
    CVE Numbering Authorities (CNAs) (Archived)
    CVE Working Groups (Archived)
    CVE Board (Archived)
    General (Archived)
    CVE Compatibility Program (Archived)
    Sample Procurement Docs (Archived)

CVE List (Archived)

CVE ID Syntax Change (Archived)

The CVE ID Syntax Change took effect on January 1, 2014. CVE IDs using the new numbering format were first issued beginning on January 13, 2015. This page was a central location for information about the syntax change, including the following: CVE ID Syntax Compliance (Archived), CVE ID Syntax Guidance (Archived), and CVE ID Syntax Test Data (Archived).


CVE Editor's Commentary (Archived)

An archive of selected opinions and commentary about vulnerabilities, software assurance, and related topics by the CVE List Content Team.


CVE Versions (Archived)

An archive of the old CVE versions, the last of which was issued in 2006. As new CVE Entries are now added to the CVE website on a daily basis and are immediately usable by the community, the most current version of CVE is on the CVE List page.

CVE Numbering Authorities (CNAs) (Archived)

CVE Numbering Authorities (CNA) Rules, Version 2.0 (Archived)

This archived community-developed document for managing the CNA Program was replaced by the current version. Version 2.0 – January 1, 2018


CVE Overview for Prospective CNAs - 2017 (Archived)

Provided an overview of the CVE Program and the role of CNAs in 2017. Version 1.0 – September 29, 2017


CVE Numbering Authorities (CNA) Rules, Version 1.1 (Archived)

This archived community-developed document for managing the CNA Program was replaced by the current version. Version 1.1 – September 16, 2016


Researcher Reservation Guidelines, Version 0.1 (Archived)

Archived information on how to reserve one or more CVE IDs before publicizing a new vulnerability so that CVE IDs could be included in the initial public announcement of the vulnerability and could be used to track vulnerabilities. Version 0.1 – August 29, 2016

CVE Working Groups (Archived)

CNA Coordination Working Group (CNACWG) Charter, Version 1.1 (Archived)

This archived document was replaced by the current CNACWG Charter.

CVE Board (Archived)

CVE Board Charter, Version 2.6 (Archived)

This archived document provided information about the CVE Board and how it functions; Version 2.6 was in effect from May 9, 2018 through November 21, 2019.

Adding and Removing CVE Board Members (Archived)

This archived document was replaced by the membership information in the current Board Charter.

CVE Compatibility Program (Archived)

CVE Compatibility Program (Archived)

Includes documents from the previous, now-discontinued CVE Compatibility Program of declarations and questionnaires.

CVE in Use (Archived)

This archived page includes examples of how CVE is being used in government and in the community.

Sample Procurement Documents (Archived)

CVE-Relevant Software Supplier Requirements (SWSupplier)

This document is an extract of the statement of objectives used by the Department of Defense to explain the security-relevant requirements they wanted met by software suppliers. Several areas of security issues are addressed as well as the use of CVE names for vulnerabilities in security notifications. – November 2004

Word (76K)


CVE-Relevant Vulnerability Assessment Tool Requirements (IAVMtool)

This document is an extract of the statement of work used by the Department of Defense to explain the security-relevant requirements they wanted met by an enterprise-wide vulnerability assessment and reporting tool. Several areas of security issues are addressed as well as the use of CVE names for vulnerabilities being reported. – November 2004

Word (60K)


CVE-Relevant Remediation Tool Requirements (IAremedtool)

This document is an extract of the statement of work used by the Department of Defense to explain the security-relevant requirements they wanted met by an enterprise-wide remediation tool. Several areas of security issues are addressed as well as the use of CVE names for choosing which vulnerabilities are remediated and reporting remediation status. – November 2004

Word (76K)

General (Archived)

Industry News Coverage (Archived)

Beginning in 1999, trade and general news media articles about CVE were summarized and posted on this collection of pages. In 2016, the Industry News Coverage page was consolidated into the main News page.


CVE Introductory Brochure (Archived)

A brief two-page introduction to the CVE effort that was last updated in February 2016.

PDF (61 K)


Unforgivable Vulnerabilities (Archived)

This briefing was presented as a "Turbo-Talk" at Black Hat Briefings 2007 in Las Vegas, Nevada, USA. August 2, 2007 - Steve Christey, CVE List Editor and CWE Technical Lead

Slides (152 K)
White Paper (211 K)


Making Security Measurable Podcast (Archived)

A 10-minute podcast interview with CVE Compatibility Lead and CWE Program Manager Robert A. Martin by BankInfoSecurity.com about Common Vulnerabilities and Exposures (CVE®), Common Weakness Enumeration (CWE™), and Making Security Measurable at Black Hat Briefings 2007 — August 2007

MP3 (9.3 MB)


Vulnerability Type Distributions in CVE - 2001-2006 (Archived)

This updated technical white paper discusses the high-level types of vulnerabilities that have been publicly reported over the past five years, such as buffer overflows, cross-site scripting (XSS), SQL injection, and PHP file inclusion. The paper identifies and explains trends such as the rapid rise of Web application vulnerabilities, covers the distribution of vulnerability types in operating system vendor advisories, and compares the issues being reported in open and closed source advisories. May 22, 2007 – Steve Christey, CVE List Editor and CWE Technical Lead; Robert A. Martin, CWE Program Manager

HTML
PDF (2 MB)


Transformational Vulnerability Management Through Standards (Archived)

This technical report on the MITRE Web site discusses the U.S. Department of Defense's (DOD) new enterprise licenses for vulnerability assessment and remediation tools that are required to conform to the CVE and OVAL standards efforts. Robert A. Martin, CVE Compatibility Lead – May 2005

PDF (165K)
HTML


Security Patches Got You Running in Circles? (Archived)

Reprint of an article about CVE originally printed in Security Wire Perspectives newsletter, Vol. 6, No. 39. Posted here with permission from Information Security Magazine and TechTarget. May 17, 2004 - Robert A. Martin, CVE Compatibility Lead

HTML


A Progress Report on the CVE Initiative - 2002 (Archived)

Briefing presented at the FIRST 14th Annual Computer Security Incident Handling Conference, Kona, Hawaii, USA. June 24, 2002 – Steven M. Christey, co-creator of CVE and editor of the CVE List, and Robert A. Martin, CVE Compatibility Lead

HTML
PowerPoint (5.3MB)
PDF (510K)
Word (421K)


Managing Vulnerabilities in Networked Systems (Archived)

This article about CVE was published in IEEE Computer Society Computer Magazine, Vol. 34, No. 11. November 2001 – Robert A. Martin, CVE Compatibility Lead

PDF (129K)


CVE Behind the Scenes: The Complexity of Being Simple (Archived)

Briefing focusing on the various technical issues encountered in CVE presented at Black Hat Briefings, Las Vegas, Nevada, USA. July 11, 2001 – Steve Christey, co-creator of CVE and editor of the CVE List

PowerPoint (813K)


Vulnerabilities of Developing on the Net (Archived)

This article about CVE was published in Crosstalk, The Journal of Defense Software Engineering. It was also presented at the U.S. Air Force's Software Technology Support Center's Thirteenth Annual Software Technology Conference on May 2, 2001 in Salt Lake City, Utah, USA. April 15, 2001 – Robert A. Martin, CVE Compatibility Lead

HTML
PDF (3MB)


Technical Details of CVE - 2000 (Archived)

This briefing was presented at the Canadian Information Technology Security Symposium, Ottawa, Canada. June 22, 2000 – Steve Christey, co-creator of CVE and editor of the CVE List, and Margie Zuk, CVE Manager

PowerPoint (105K)


Common Vulnerabilities and Exposures (CVE) - 1999 (Archived)

An introduction to CVE. PowerPoint slides with attached notes. September 29, 1999 – Pete Tasker, Margie Zuk, Steve Christey, Dave Mann, Bill Hill, Dave Baker

PowerPoint (87K)


White Paper: "The Development of a Common Vulnerabilities and Exposures List" (Archived)

This white paper was presented at the Second International Workshop on Recent Advances in Intrusion Detection, Purdue University, West Lafayette, Indiana, USA. September 8, 1999 – Steven M. Christey, David W. Baker, William H. Hill, David E. Mann

PowerPoint (65K)
HTML


White Paper: "Towards a Common Enumeration of Vulnerabilities" (Archived)

This white paper was presented at the 2nd Workshop on Research with Security Vulnerability Databases, Purdue University, West Lafayette, Indiana, USA. January 21-22, 1999 – David E. Mann and Steven M. Christey, co-creators of the CVE List

HTML
PostScript

Page Last Updated or Reviewed: August 19, 2020