About CVE Entries

CVE Entries (also referred to by the community as "CVE IDs," "CVE Identifiers," "CVE names," "CVE numbers," and "CVEs") are unique, common identifiers for publicly known cybersecurity vulnerabilities. Information is included about the topics below.

    CVE Entries Defined
    Creation of a CVE Entry
    Requesting CVE IDs
    Archived Information

CVE Entries Defined

Each CVE Entry includes the following:

  • CVE ID number with four or more digits in the sequence number portion of the ID (e.g., "CVE-1999-0067", "CVE-2014-12345", "CVE-2016-7654321").
  • Brief description of the security vulnerability or exposure.
  • Any pertinent references (i.e., vulnerability reports and advisories).

States of CVE Entries

More details about?

How do I?

Other questions?

Creation of a CVE Entry

The process of creating a CVE Entry begins with the discovery of a potential security vulnerability or exposure. The information is then assigned a CVE ID by a CVE Numbering Authority (CNA), a Description and References are added by the CNA, and then the CVE Entry is posted on the CVE website by the CVE Team.

The documents below explain the creation of identifiers in more detail:

CVE Editorial Policies

CVE Editorial Policies, which are the guidelines the CVE program uses to ensure that CVE Entries are created in a consistent fashion, independent of which CVE Numbering Authority (CNA) is doing the creation, include the following:


CVE Numbering Authorities

Defines the role and responsibilities of CNAs; shows the number and types of participating CNAs from around the world; provides documentation for CNAs, including the CNA Rules document and Researcher Reservation Guidelines; and provides details of how to become a CNA.


CNA Coverage

Provides a list of the products and product categories covered by all CVE Numbering Authorities (CNAs), including the Primary CNA.


CVE References

Each CVE Entry includes appropriate references. Each reference used in CVE (1) identifies the source, (2) includes a well-defined identifier to facilitate searching on a source's website, and (3) notes the associated CVE Identifier. CVE also includes a Reference Maps page with links to documents from the commonly used information sources that are used as references for CVE Entries.


Primary CNA's CVE Data Sources - Current

This page provides a list of the sources used to assign CVE IDs by the Primary CNA-only.


FAQs

FAQs from the Frequently Asked Questions page also address specific questions about CVE Entries on the following topics:

Requesting CVE IDs

To receive a CVE ID for your issue you must contact a CVE Numbering Authority (CNA). See Request a CVE ID for details.

Archived Information

CVE ID Syntax Change (Archived)

The CVE ID Syntax Change took effect on January 1, 2014. CVE IDs using the new numbering format were first issued beginning on January 13, 2015. CVE IDs with 7 digits are actively being assigned by the DWF CNA as of May 24, 2016. This page is a central location of information about, and related to, the syntax change including the following: CVE ID Syntax Compliance (Archived), CVE ID Syntax Guidance (Archived), and CVE ID Syntax Test Data (Archived).


How We Build the CVE List (Archived)

A description of the process of how CVE Entries are added to the CVE List, including the roles of CVE Numbering Authorities (CNA) and the CVE Team.


CVE Content Decisions (Archived)

Prior to the current CVE Editorial Policies that are based upon the CVE Counting Rules, the CVE program used the CVE Content Decisions (CDs) described in these documents to assign CVE IDs: CVE Content Decisions Overview (Archived); CVE Abstraction Content Decisions: Rationale and Application (Archived); and Handling Duplicate Public CVE Identifiers (Archived).


CVE Editor's Commentary (Archived)

An archive of selected opinions and commentary about vulnerabilities, software assurance, and related topics by the CVE Team.


CVE Data Sources (Archived)

This archived page provides an archive list of the organizations from the information security community that provided us with vulnerability information that helped the CVE Team create new CVE Entries from 1999 through November 2013.


CVE Versions (Archived)

This archived page provides an archive of the old CVE versions, the last of which was issued in 2006. As new CVE Entries are now added to the CVE website on a daily basis and are immediately usable by the community, the most current version of CVE is on the CVE List page.

Page Last Updated or Reviewed: November 01, 2017