CVE Editorial Policies

CVE Editorial Policies are the guidelines the CVE program uses to ensure that CVE Entries are created in a consistent fashion, independent of which CVE Numbering Authority (CNA) is doing the creation. The documents below explain this process in more detail:

CVE Counting Rules

The nature and accuracy of the counting process underpin the value of a CVE Entry. Correct counting reduces the likelihood of duplicate CVE IDs being assigned to a single vulnerability. In addition, some vulnerability reports confuse or conflate multiple, separate software problems, and the counting process helps to differentiate the vulnerabilities that are unique. Decision trees are included.


CVE Assignment Information Format

Provides the required format that CNAs must use to provide CVE information for assigning CVE Entries. An example is included.


Process to Correct Counting Issues

There are many places where the CVE Entry assignment process can break down. Since mistakes are inevitable, processes to correct them are necessary. This document describes different scenarios wherein the CVE Entry assignment goes awry, and the corresponding resolution process.


CVE Numbering Authorities

All CVE Entries are assigned by CNAs. This page defines the role of CNAs; provides documentation for CNAs, including links to the CNA Rules and Researcher Responsibilities documents; and describes how to become a CNA.

Page Last Updated or Reviewed: December 11, 2017