[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE Will Reject a Group of Unused CVE IDs



To help reduce the number of reserved but unused CVE IDs in the CVE List, the CVE Team will reject CVE IDs that CNAs have indicated as being unused from their prior CVE ID allocations. The CVE IDs affected include those from years 1999 through 2016. CVE List consumers will see 3103 reserved CVE IDs become rejected in an update on May 10th.

Each of these CVE entries will be updated with the following information ([Year] is replaced with four-digit year):

"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or

individual who requested this candidate did not associate it with any

vulnerability during [Year]. Notes: none."

CNAs are given blocks of CVE IDs each year, and those CVE IDs are marked as "RESERVED" in the CVE list until they are assigned to a vulnerability and published. CNAs often do not use all the CVE IDs they are allocated, which results in many reserved CVE IDs that will never be assigned to a vulnerability.

Going forward, at the start of each new calendar year, the CVE Team will ask CNAs for the list of unused CVE IDs from their allocations. Once we have that list of unused CVE IDs, we will update those CVE IDs to "REJECT" status, hopefully making it clearer that the CVE IDs do not represent unannounced vulnerabilities. (For more details about the meaning of the "REJECT" status, refer to <http://cve.mitre.org/about/faqs.html#reject_signify_in_cve_id>.)

If there are any questions about this process, you can contact the CVE Team at <https://cveform.mitre.org/>.




-Dan, for the CVE Team


Daniel Adinolfi, CISSP

Lead Cybersecurity Engineer, The MITRE Corporation

CVE Communications and CNA Coordinator

Email: <dadinolfi@mitre.org>  Phone: 781-271-5774




Page Last Updated or Reviewed: May 16, 2017