The purpose of this blog is to establish a dialogue and get your input on issues and topics important to CVE. Right-click and copy a URL to share a post.

Please use our LinkedIn page, or the CVE Request Web Form by selecting “Other” from the dropdown, to comment on the post below.

Why is a CVE entry marked as "RESERVED" when a CVE ID is being publicly used?

Comment on LinkedIn | Share this post

A CVE Identifier (CVE ID) is marked as "RESERVED" when it has been reserved for use by a CVE Numbering Authority (CNA) or security researcher, but the details of it are not yet included in the CVE entry. Often, this is because the original requester of the CVE ID assignment has not sent an update to MITRE with the information needed to populate the CVE entry.

If you are aware of a CVE ID that is being used publicly but is not yet included in the CVE List, you can request that the CVE ID be updated through the CVE Request web form. MITRE will coordinate with the original requester to have the missing public information added to the entry.

CVE IDs are made public on countless forums, mailing lists, and other publications. CVE ID entries cannot be published without public references and other descriptive information. Searching the Internet for any public reference to a reserved CVE ID is a non-trivial problem to solve, and MITRE must rely on the community to assist with updating CVE information as it becomes public. MITRE is looking for new ways to automate and expand discovery processes, but the scale and breadth of the searchable space is growing exponentially. We hope that stakeholders will assist with this process by notifying MITRE when they see a discrepancy, and MITRE will work to quickly and accurately update outdated entries that are reported to them.

Do you have a suggestion for how MITRE could more effectively find public references scattered around the (ever-growing) Internet? You can share your ideas through the CVE Request web form by selecting “Other” from the dropdown.