[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Changes to the CVE version number scheme


I have modified the way the CVE version number is represented.

For the three people who ever noticed ;-) the CVE version number used
to be encoded as a date and time:


where YYYY was the year, MM the month, DD the day, HH the hour, and mm
the minute (yes Russ, *all* of those figures are in GMT ;-)

The hours and minutes are being removed from the version number,
i.e. it will look like:


So, while the draft CVE was version number 199904290013 (April 29,
1999 at 12:13 AM GMT), the first version to be publicly released will
most likely be 19990929 (sometime around 7 PM GMT on September 29,

The reason for the change is two-fold.  First of all, a YYYYMMDD
format will be easier for humans to remember and parse.  Secondly, it
is consistent with the way that dates are used in other places within
CVE (e.g. interim decision dates as recorded in various candidates.)

The version number will become important when mappings to CVE come
into play.  It would be helpful for the beneficiaries of those
mappings to know (a) how old the CVE data is, and (b) whether it can
be used in conjunction with other mappings with some guarantee that
they are dealing with the same underlying "baseline" CVE version.  For
example, suppose you're comparing a tool T to a database D.  If T was
mapped to a 1-day old version of CVE, but D was mapped to a 6-month
old version, it would tell you not to count on accuracy as much as you
would if both T and D were based on the same 1-week old version.

- Steve

Page Last Updated or Reviewed: May 22, 2007