A glossary of terms used by the CVE Program.


CVE

Ambiguous. See CVE ID, CVE Record, CVE List, CVE Program.

CVE Board

The organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program.


CVE ID

A unique, alphanumeric identifier assigned by the CVE Program. Each identifier references a specific vulnerability. A CVE ID enables automation and multiple parties to discuss, share, and correlate information about a specific vulnerability, knowing they are referring to the same thing.

CVE List

The catalog of all CVE Records identified by, or reported to, the CVE Program.

CVE Numbering Authority (CNA)

An organization responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about the Vulnerability in the associated CVE Record. Each CNA has a specific Scope of responsibility for vulnerability identification and publishing.

CVE Numbering Authority of Last Resort (CNA-LR)

An organization authorized within the CVE Program to assign CVE IDs and to create and publish CVE Records for vulnerabilities not covered by the Scope of another CNA. A CNA-LR may assume responsibility for assigning a CVE ID and publishing the associated CVE Record based on policies defined by the CVE Program.

CVE Program

An international, community-driven effort to catalog Vulnerabilities in accordance with the effort’s rules and guidelines.

CVE Record

The descriptive data about a Vulnerability associated with a CVE ID, and provided by a CNA. This data is provided in multiple human and machine-readable formats.

A CVE Record is associated with one of the following states:

See also:

CVE Working Group

An organization created and administered by the CVE Board to accomplish specific objectives through collaboration with CVE stakeholders and the general public where appropriate. Each working group is required to have a charter which defines its area of responsibility, membership, and objectives.

Reserved but Public (RBP)

A CVE ID in the “Reserved” state that is referenced in one or more public resources, but for which the details have not been published in a CVE Record.


Root

An organization authorized within the CVE Program that is responsible, within a specific Scope, for the recruitment, training, and governance of one or more entities that are a CVE CNA, CNA-LR, or another Root.


Scope

The set of hardware, software, or services for which an organization in the CVE Program has a distinct responsibility.


Secretariat

An organization authorized within the CVE Program that hosts and maintains the CVE Program’s infrastructure, and provides administrative and logistical support for the CVE Board, CVE Working Groups, and other structures of the CVE Program.

Top-Level Root (TL-Root)

A Root that does not report to another Root, and is thus responsible to the CVE Board.


Vulnerability

A flaw in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components.

Page Last Updated or Reviewed: September 28, 2021