The CVE Program’s definition of the term “vulnerability” is stated in Section 7.1 of the CVE Numbering Authority (CNA) Rules, Version 3.0:

What Is a Vulnerability?

The CVE Program does not adhere to a strict definition of a vulnerability. For the most part, CNAs are left to their own discretion to determine whether something is a vulnerability. Root CNAs may provide additional guidance to their child CNAs. This allows the program to adapt to definitions used in different industries, legal regimes, and cultures.

7.1.1 If a product owner considers an issue to be a vulnerability in its product, then the issue MUST be considered a vulnerability, regardless of whether other parties (e.g., other vendors whose products share the affected code) agree.

7.1.2 If the CNA determines that an issue violates the security policy of a product, then the issue SHOULD be considered a vulnerability.

7.1.3 If a CNA receives a report about a new vulnerability that has a negative impact, then the reported vulnerability MAY be considered a vulnerability.

See Section 7: Assignment Rules of the CNA Rules for detailed information about how CVE IDs are assigned to vulnerabilities. To request a CVE ID for a vulnerability, contact the appropriate CNA on the Request CVE IDs page.

Page Last Updated or Reviewed: March 23, 2020