The new, rapid-response federated ID scheme has been carefully designed so that it does not disrupt existing processes and their attendant use cases, and allows for future compatibility with existing CVE identifiers. Federated CVE Identifiers will allow for rapid experimentation with new types of assignments and use cases so that CVE, the CVE Editorial Board, and the community can work together to determine what best serves the needs of the community.
The federated ID syntax will be CVE-CCCIII-YYYY-NNNN…N, where “CCC” encodes the issuing authority’s
country and “III” encodes the issuing authority. At its launch, MITRE will be the only issuing authority, but we expect to quickly add others to address the needs of the research and discloser communities, as well as the cybersecurity community as a whole. This new federated ID system will significantly enhance the early stage vulnerability mitigation coordination, and reduce the time lapse between request and issuance.
MITRE is continuing to refine CVE operational capabilities so that automated vulnerability identification, description, and processing are incorporated over time. As both the Federated Pilot and the next phase of CVE operational capabilities are scaled and automated, traditional CVEs can be merged with federated CVEs.
The CVE Team looks forward to working with members of the CVE Editorial Board and the broader community to rapidly expand CVE coverage and implement the federated CVE identification scheme, so that the CVE capability keeps pace with the increasing demand for well-recognized vulnerability identifiers.