|
Introduction
As more vendors, researchers, and coordinators use CVE identifiers in initial public vulnerability announcements, the risk of multiple assignments of the same CVE identifier increases. While all involved parties should coordinate on the CVE name for an issue, errors still occasionally occur, especially if one party does not normally use CVE. For that reason, when duplicate identifiers are made public, the
Primary
Candidate Numbering Authority
(i.e., MITRE Corporation) must be consulted
to choose the proper candidate to use.
Criteria for Selecting the Preferred Identifier
MITRE uses the following criteria to select which identifier will be associated with the issue:
-
PREFER THE MOST COMMONLY REFERENCED IDENTIFIER. This is roughly gauged by searching for all affected identifiers on a search engine and comparing results.
-
If the usage numbers of identifiers are about the same, then CHOOSE THE IDENTIFIER USED BY THE MOST AUTHORITATIVE SOURCE. The "most authoritative source" is roughly prioritized as: vendor, coordinator, researcher.
-
If the identifiers have the same level of authority, then CHOOSE THE IDENTIFIER THAT HAS BEEN PUBLIC FOR THE LONGEST PERIOD OF TIME.
-
If the identifiers have been public for the same amount of time, then CHOOSE THE IDENTIFIER WITH THE SMALLEST NUMERIC PORTION.
NOTE:
The criteria are roughly prioritized, but are still evolving.
Annotating Duplicate Identifiers
Once the preferred identifier has been selected by MITRE, MITRE will modify the descriptions of all other identifiers and reference the preferred identifier.
Additional Information
For more information see
CVE Content
Decisions Overview
,
CVE
Abstraction Content Decisions: Rationale and Application
, the
CVE
Naming Process
.
Back to top
Page last updated:
Wednesday, 27-Jul-2005 16:13:47 EDT
|
