CVE in Use (Archived)

As the international industry standard for cybersecurity vulnerability identifiers, CVE Entries are included in numerous products and services and are the foundation of others.

NOTICE: This page has been archived and is no longer being maintained. While much of the information below remains valid, please use your preferred search engine to search for the most current examples of products, projects, etc., that incorporate CVE.

CVE Numbering Authorities (CNAs)

Community members such as OS and software vendors and projects, vulnerability researchers, national and industry CERTs, and bug bounty programs authorized to assign CVE IDs to new issues.

CVE Compatibility

Products and services can be made "CVE Compatible" by following the CVE Compatibility Guidelines. Numerous organizations from around the world already include CVE IDs in their capabilities, processes, products, services, etc.

Recommendation ITU-T X.1520 Common Vulnerabilities and Exposures (CVE)

CVE was adopted by the International Telecommunication Union's (ITU-T) Cybersecurity Rapporteur Group's as a part of its "Global Cybersecurity Information Exchange techniques (X.CYBEX)" by issuing the X.CVE recommendation above that is based upon CVE's current Compatibility Requirements document, and any future changes to those will be reflected in subsequent updates to X.CVE

Common Vulnerability Scoring System (CVSS)

The severity of CVE IDs are rated by Forum of Incident Response and Security Teams' (FIRST) CVSS. NVD provides a CVSS calculator for CVE IDs.

Common Weakness Enumeration (CWE™)

A formal dictionary of software weaknesses types, CWE is based in part on the CVE List.

Open Vulnerability and Assessment Language (OVAL)

A standard for determining vulnerability and configuration issues on computer systems, CVE IDs are the primary references for "OVAL Vulnerability Definitions," which test systems for the presence of CVEs.

U.S. National Vulnerability Database (NVD)

Launched by the National Institute of Standards and Technology (NIST) in 2005, NVD provides a vulnerability database of enhanced CVE content that is fully synchronized with the CVE List, so any updates to CVE appear immediately in NVD.

NVD also provides advanced searching, a CVSS calculator for CVE IDs, and fix information for CVE IDs.

US-CERT Bulletins

Uses CVE IDs to uniquely identify the vulnerabilities they report.

DISA Information Assurance Vulnerability Alerts

CVE Entries are mapped to the U.S. Defense Information System Agency's (DISA) Information Assurance Vulnerability Alerts (IAVAs). DoD PKI Certificates are required to access the information. For details, contact DISA.

Security Content Automation Protocol (SCAP)

CVE is one of the existing standards the U.S. National Institute of Standards and Technology's (NIST) SCAP to enable automated vulnerability management, measurement, and policy compliance evaluation.

U.S. Government Agencies

National Institute of Standards and Technology (NIST) recommends use of CVE by U.S. agencies in two Special Publications: "800-51: Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme" in 2002 & "800-40: Procedures for Handling Security Patches,&" which was initially released in 2002 and updated 2011.

DoD Contracts

U.S. Defense Information Systems Agency (DISA) issued Task Order 232 in June 2004 for information assurance applications for the Department of Defense (DoD) that requires the use of products that use CVE IDs.

Page Last Updated or Reviewed: May 09, 2018