Terminology

A glossary of terms used by the CVE Program.

Authorized Data Publisher (ADP)

An organization authorized within the CVE Program to enrich a CVE Record previously published by a CNA with additional, related information (e.g., risk scores, affected product lists, and versions [i.e., references, translations]) within a defined Scope.

Common Vulnerabilities and Exposures (CVE)

Ambiguous. See CVE ID, CVE Record, CVE List, CVE Program.

CVE Board

The organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program.

CVE ID

A unique, alphanumeric identifier assigned by the CVE Program. Each identifier references a specific vulnerability. A CVE ID enables automation and multiple parties to discuss, share, and correlate information about a specific vulnerability, knowing they are referring to the same thing.

CVE List

The catalog of all CVE Records identified by, or reported to, the CVE Program.

CVE Numbering Authority (CNA)

An organization responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about the Vulnerability in the associated CVE Record. Each CNA has a specific Scope of responsibility for vulnerability identification and publishing.

CVE Numbering Authority of Last Resort (CNA-LR)

An organization authorized within the CVE Program to assign CVE IDs and to create and publish CVE Records for vulnerabilities not covered by the Scope of another CNA. A CNA-LR may assume responsibility for assigning a CVE ID and publishing the associated CVE Record based on policies defined by the CVE Program.

CVE Program

An international, community-driven effort to catalog Vulnerabilities in accordance with the effort’s rules and guidelines.

CVE Record

The descriptive data about a Vulnerability associated with a CVE ID, provided by a CNA, and enriched by ADPs. This data is provided in multiple human and machine readable formats.

A CVE Record is associated with one of the following states:

CVE Working Group

An organization created and administered by the CVE Board to accomplish specific objectives through collaboration with CVE stakeholders and the general public where appropriate. Each working group is required to have a charter which defines its area of responsibility, membership, and objectives.

Reserved but Public (RBP)

A CVE ID in the “Reserved” state that is referenced in one or more public resources, but for which the details have not been published in a CVE Record.

Root CNA

An organization authorized within the CVE Program that is responsible, within a specific Scope, for the recruitment, training, and governance of one or more entities that are a CNA, a CNA-LR, an ADP, or another Root CNA.

Scope

The set of hardware, software, or services for which an organization in the CVE Program has a distinct responsibility.

Secretariat

An organization authorized within the CVE Program that hosts and maintains the CVE Program’s infrastructure, and provides administrative and logistical support for the CVE Board, CVE Working Groups, and other structures of the CVE Program.

Top-Level Root CNA (TLR-CNA)

A Root CNA that does not report to another Root CNA, and is thus responsible to the CVE Board.

Vulnerability

A flaw in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components.

Page Last Updated or Reviewed: October 26, 2020