The original concept for what would become the CVE List was presented by the co-creators of CVE, MITRE Corporation's David E. Mann and Steven M. Christey, as a white paper entitled "Towards a Common Enumeration of Vulnerabilities" at the 2nd Workshop on Research with Security Vulnerability Databases on January 21-22, 1999 at Purdue University in West Lafayette, Indiana, USA.

From that original concept, a working group was formed (which would later become the initial 19-member CVE Editorial Board), and the original 321 CVE Entries were created. The CVE List was officially launched for the public in September 1999.

Widespread Adoption of CVE by the Community

The cybersecurity community endorsed the importance of CVE via "CVE-compatible" products and services from the moment CVE was launched in 1999. By December 2000 there were already 29 organizations participating, with declarations of compatibility for 43 products. Today, those numbers have increased significantly, with numerous products and services from around the world incorporating CVE Entries.

Another significant factor in adoption is the ongoing inclusion of CVE IDs in security advisories. Numerous major OS vendors and other organizations from around the world include CVE IDs in their alerts, so that the international community has the CVE IDs as soon as a problem is announced. In addition, CVE Entries are used to uniquely identify vulnerabilities in public watch lists such as the OWASP Top 10 Web Application Security Issues and in the report text and infographics of Symantec Corporation's "Internet Security Threat Report, Volume 19," and they are rated by severity in the Common Vulnerability Scoring System (CVSS). CVE IDs are also frequently cited in trade publications and general news media reports regarding software bugs, such as CVE-2014-0160 for "Heartbleed."

Use of CVE by U.S. agencies was recommended by the National Institute of Standards and Technology (NIST) in "NIST Special Publication (SP) 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme," which was initially released in 2002 and updated in 2011. In June 2004, the U.S. Defense Information Systems Agency (DISA) issued a task order for information assurance applications that requires the use of products that use CVE Identifiers.

CVE has also been used as the basis for entirely new services. NIST's U.S. National Vulnerability Database (NVD)—a "comprehensive cybersecurity vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources"—is synchronized with, and based on, the CVE List. NVD also includes Security Content Automation Protocol (SCAP) mappings for CVE IDs. SCAP is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance), and CVE is one of the open community standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. In addition, the U.S. Federal Desktop Core Configuration (FDCC) requires verification of compliance with FDCC requirements using SCAP-validated scanning tools. CVE Change Logs is a tool created by CERIAS/Purdue University that monitors additions and changes to the CVE List and allows users to obtain daily or monthly reports. Open Vulnerability and Assessment Language (OVAL), operated by the Center for Internet Security, is a standard for determining the machine state of computer systems using community-developed OVAL Vulnerability Definitions that are based primarily on CVE Entries. MITRE's Common Weakness Enumeration (CWE™) is a formal dictionary of common software weaknesses that is based in part on the 100,000+ CVE Entries on the CVE List.

And in 2011, the International Telecommunication Union's (ITU-T) Cybersecurity Rapporteur Group, which is the telecom/information system standards body within the treaty-based 150-year-old intergovernmental organization, adopted CVE as a part of its new "Global Cybersecurity Information Exchange techniques (X.CYBEX)" by issuing Recommendation ITU-T X.1520 Common Vulnerabilities and Exposures (CVE), which was based upon the former CVE Compatibility Program's archived Requirements and Recommendations for CVE Compatibility document.

CVE Continues to Grow

Today, CVE is actively expanding the CVE Numbering Authorities (CNAs) Program. CNAs are how the CVE List is built: every CVE Entry added to the list is assigned by a CNA. Numerous organizations from around the world already participate as CNAs, and more and more organizations are deciding to join the CVE effort and become a CNA.

Page Last Updated or Reviewed: December 10, 2018