CVE Blog
The purpose of this blog is to establish a dialogue and get your input on issues and topics important to CVE. We encourage you to use Medium, LinkedIn, or Twitter to comment on, share, or like a post. Right-click and copy here to share this article from the CVE website.
CVE Program Terminology Updated: “CVE Record,” “Top-Level Root,” & More
Share or comment
The CVE Program recently made some changes to program terminology that are of interest to the CVE community. The changes, which will be rolled out across the CVE website and on CVE’s social media platforms in the coming months, were made to optimize CVE content on the website for users and to ensure clear and concise communications with the community.
All terms and definitions discussed below can be found on the CVE Program Terminology page on the CVE website.
A summary of the most significant new terminology and updated definitions is below:
New Terminology
Authorized Data Publisher (ADP) — “An organization authorized within the CVE Program to enrich a CVE Record previously published by a CNA with additional, related information (e.g., risk scores, affected product lists, and versions [i.e., references, translations]) within a defined Scope.”
This new term introduces a new type of CVE partner. The two other partner types are individual CNAs and Root CNAs.
CVE Record — “The descriptive data about a Vulnerability associated with a CVE ID, provided by a CNA, and enriched by ADPs. This data is provided in multiple human and machine-readable formats.”
This new term replaces “CVE Entry.” The new term better describes the multiple components that are included in a published CVE Record (see CNA Rules, Section 8.1); clarifies the three states of a CVE Record (Reserved, Published, Rejected); and significantly reduces the confusion for the public between CVE ID and the former CVE Entry term.
Published — “When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published. The associated data must contain an identification number (CVE ID), a prose description, and at least one public reference.”
This new term replaces “Populated” as the state of a CVE Record. The other two states of a CVE Record, Reserved and Rejected, remain the same.
Top-Level Root CNA (TLR-CNA) — “A Root CNA that does not report to another Root CNA, and is thus responsible to the CVE Board.”
This is a new CNA role; currently, MITRE and CISA are the only TLR-CNAs. Read the CVE Program’s news release about CISA becoming a TLR-CNA for additional information about TLR-CNAs.
Updated Definitions
CNA of Last Resort (CNA-LR) — “An organization authorized within the CVE Program to assign CVE IDs and to create and publish CVE Records for vulnerabilities not covered by the Scope of another CNA. A CNA-LR may assume responsibility for assigning a CVE ID and publishing the associated CVE Record based on policies defined by the CVE Program.”
This is a new CNA role that was first introduced in CNA Rules, Version 3.0. Each Top-Level Root CNA and Root CNA is, or has, its own CNA-LR.
Reserved but Public (RBP) — “A CVE ID in the “Reserved” state that is referenced in one or more public resources, but for which the details have not be published in a CVE Record.”
Root CNA — “An organization authorized within the CVE Program that is responsible, within a specific Scope, for the recruitment, training, and governance of one or more entities that are a CVE CNA, CNA-LR, an ADP, or another Root CNA.”
Scope — “The set of hardware, software, or services for which an organization in the CVE Program has a distinct responsibility.”
Secretariat — “An organization authorized within the CVE Program that hosts and maintains the CVE Program’s infrastructure, and provides administrative and logistical support for the CVE Board, CVE Working Groups, and other structures of the CVE Program.”
This CVE Program role was first introduced in CNA Rules, Version 3.0.
Vulnerability — “A flaw in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components.”
More Definitions
This article discusses only the most significant terminology and definitions changes. For a complete list of the terms and definitions currently in use by the CVE Program, visit the Terminology page on the CVE website.
If you have any questions about this article, please comment on the CVE Blog on Medium or use the CVE Request Web Form and select “Other” from the dropdown menu to contact the CVE Program. We look forward to hearing from you!
| - | The CVE Team |
| November 11, 2020 | |
|
CVE Request Web Form (select “Other” from dropdown) |
Recent Posts
- Our CVE Story: The Gift of CVE (guest author)
- Our CVE Story: CVE IDs for Simplifying Vulnerability Communications
- CVE Program Report for Calendar Year Q3-2020
- Our CVE Story: Ancient History of the CVE Program – Did the Microsoft Security Response Center have Precognition? (guest author)
- CVE Program Partners with Cybersecurity & Infrastructure Security Agency to Protect Industrial Control Systems and Medical Devices
- Our CVE Story: Rapid7 (guest author)
- More >>
