CVE Home

Get CVE
About CVE
Introduction to CVE
Terminology
The CVE Naming Process
CVE Content Decisions
CVE Documents
FAQs
CVE Home
About CVE
News and Events
Compatible Products
Editorial Board
Advisory Council
Press View
Free Newsletters
contact us
Alphabetical Index

CVE Content Decisions

CVE Content Decisions, or CDs, are the guidelines the CVE Content Team uses to ensure that CVE names are created in a consistent fashion, independent of who is doing the creation.

The documents below explain CDs and the CD process in more detail:

CVE Content Decisions Overview

Describes the two most commonly used CDs, "Inclusion Content Decisions," which specify whether a vulnerability or exposure should go into CVE, and "Abstraction Content Decisions," which specify what level of abstraction, or detail, at which a vulnerability should be described. An example of the two most commonly used abstraction facets of CVE CDs is also included.

CVE Abstraction Content Decisions: Rationale and Application

This document provides guidelines for Abstraction CDs, clarifying when to combine multiple reports, bugs, and/or attack vectors into a single CVE name, and when to create separate CVE names. Also discussed are the design goals of CDs and their role in managing vulnerability information for the CVE Initiative, an outline of CVE's major abstraction CDs, a comparison of CDs with other vulnerability information sources, and numerous examples of CDs in action.

Handling Duplicate Public CVE Identifiers

When duplicate CVE identifiers are accidentally assigned by vendors, researchers, or coordinators and made public in initial public vulnerability announcements, CVE's Primary Candidate Numbering Authority must be consulted to choose the proper candidate to use. This document details the criteria MITRE uses for selecting the preferred identifier.

Candidate Numbering Authorities

Includes an introduction to the candidate reservation process, defines Candidate Numbering Authorities (CNAs), provides the requirements for being a CNA, describes CNA tasks, explains the communication requirements from the CNA to MITRE, defines the role of vendor liaisons, and explains the researcher's responsibilities in the process. Also included is a list of the several organizations currently participating as CNAs.

Additional Information

CVE Naming Process

Back to top

Page last updated: Tuesday, 16-Aug-2005 16:52:08 EDT