CVE Blog

Summary of your feedback about how Descriptions are used in CVE IDs

Comment on LinkedIn | Share this post

Thank you for your responses to our CVE blog question "What's your opinion on how Descriptions are used in CVE IDs?". We received five responses from various CVE users, and we look forward to hearing more from across the CVE community.

A business need for Description in CVE IDs

Overall, there appears to be a business need for CVE ID Descriptions. The details provided in the Descriptions strengthen an organization's business case by providing the details required to add credibility to the vulnerability claim and to differentiate between vulnerabilities. CVE ID Descriptions are not dependent on a reference website, improving availability. The Descriptions are searchable, users can track changes, and they can be used in different formats and presentations.

CVE ID Descriptions are often used internally to facilitate the discussion about a vulnerability. A concise CVE ID Description is easier to read on different devices then a linked reference. In addition, linked references are not always available, relevant information is not always evident, and websites do not display properly on different types of devices.

All the information provided in the CVE ID Description is seen as valuable, with the affected product/impacted version being the most important. The priorities of other fields can vary, however the more extensive or expensive the fix, the more all Description fields are important.

Moving forward

In October 2016, other entities were given the ability to write CVE ID Descriptions. Feedback on the quality of CVE ID Descriptions will be very useful for understanding the effects of that change.

If you find the content of CVE ID Descriptions does not match your needs, please let us know through the CVE Request Web Form by selecting “Other” from the dropdown.

Thank you again to all who participated.