
Introduction


What Is CVE?

Common Vulnerabilities and Exposures (CVE) is a list or dictionary that provides common names for publicly known information security vulnerabilities and exposures. Using a common name makes it easier to share data across separate databases and tools that until now were not easily integrated. This makes CVE the key to information sharing. If a report from one of your security tools incorporates CVE names, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.

CVE is:

  • One name for one vulnerability or exposure
  • One standardized description for each vulnerability or exposure
  • A dictionary rather than a database
  • How disparate databases and tools can "speak" the same language
  • The way to interoperability and better security coverage
  • A basis for evaluation among tools and databases
  • Accessible for review or download from the Internet
  • Industry-endorsed via the CVE Editorial Board


Why CVE?

Most information security tools include a database of security vulnerabilities and exposures; however, there is significant variation among them and no easy way to determine when different databases are referring to the same problem. The consequences are potential gaps in security coverage and no effective interoperability among the disparate databases and tools. In addition, each tool vendor currently uses different metrics to state the number of vulnerabilities or exposures they detect, which means there is no standardized basis for evaluation among the tools.

With a standard list of vulnerabilities and exposures such as CVE, your databases and tools can "speak" to each other. And, you’ll know exactly what each tool covers because CVE provides you with a baseline for evaluating the coverage of your tools. This means you can determine which tools are most effective and appropriate for your organization’s needs. In short, CVE-compatible tools and databases will give you better coverage, easier interoperability, and enhanced security.

CVE is also endorsed by leading representatives from the information security community. CVE’s content results from the collaborative efforts of the CVE Editorial Board, which includes representatives from numerous information security-related organizations.


Who Is the CVE Editorial Board?

The CVE Editorial Board includes members from numerous information security-related organizations including commercial security tool vendors, members of academia, research institutions, government agencies, and other prominent security experts. Through open and collaborative discussions, the Board identifies which vulnerabilities or exposures are included in CVE, then determines the common name and description for each entry.

The MITRE Corporation created the Editorial Board, moderates Board discussions, and provides guidance throughout the process to ensure that CVE serves the public interest. Archives of Board meetings and discussions are available for review on the CVE Web site. Other information security experts will be invited to participate on the Board on an as-needed basis based upon recommendations from Board members.


What It Means to Be CVE-Compatible

"CVE-Compatible" means that a tool, Web site, database, or other security product or service uses CVE names in a manner that allows it to be cross-referenced with other products that employ CVE names.

"CVE compatible" means:

  • CVE SEARCHABLE – A user can search using a CVE name to find related information.
  • CVE OUTPUT – Information is presented that includes the related CVE name(s).
  • MAPPING – The repository owner has provided a mapping relative to a specific version of CVE, and has made a good faith effort to ensure accuracy of that mapping.
  • DOCUMENTATION – The organization's standard documentation includes a description of CVE, CVE compatibility, and the details of how its customers can use the CVE-related functionality of its product or service.

Different tools provide different coverage/cross-referencing of CVE names (e.g., some tools might cover UNIX, while others cover Windows NT). You will need to evaluate any CVE-compatible products and services based upon your organization's specific requirements. Visit the CVE-Compatible Products and Services page for the most current information regarding the types and availability of CVE-compatible products and services.

How to List a Product/Service as CVE-Compatible

We encourage organizations to make their products and services CVE-compatible. Any organization with a security product or service that uses CVE names in a way that allows it to cross-link with other products or services that use CVE names may request to register as CVE-compatible.

To do so, the organization will need to fulfill the conditions listed in the "CVE Compatibility Process," which includes two phases: (1) the Declaration Phase, in which the organization declares its intent to make its product(s) and/or service(s) CVE-compatible; and (2) the Evaluation Phase, which requires the completion of a questionnaire that specifically looks for the details of how the organization has satisfied the "Requirements and Recommendations for CVE Compatibility" document. An organization must complete phase 1 before being eligible for phase 2. Organizations that successfully complete the second phase will be included in a branding program that offers an official CVE-Compatible Product/Service logo to indicate compatibility, among other benefits.

To begin the registration process, review the official CVE Compatibility Process, then send an email to cve@mitre.org with your company name and contact information, the type of product, and the name of the product or service.


The CVE Naming Process

The process begins with the discovery of a potential security vulnerability or exposure. The information is then assigned a CVE Name with "candidate" status (also called a candidate, candidate number, or CAN). The CVE Editorial Board discusses the candidate and votes on whether or not it should become a CVE Name with "entry" status (also called an official CVE entry, "CVE number," "CVE-ID," or "CVE"). If the candidate is accepted, it is entered into CVE and is published on the CVE Web site. Candidates can be searched on the site, but the CVE and candidates lists are separate.

See the CVE Naming Process for additional information.
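As an added illustration (not code from the CVE site or MITRE) of the two ideas above, the candidate-to-entry transition and the cross-referencing of one tool's output against another database by CVE name: the name layout CVE-YYYY-NNNN / CAN-YYYY-NNNN and the assumption that an accepted candidate keeps its number are not stated on this page, and the scanner report and fix database are constructed placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed name layout (the page gives the prefixes, not the format): "CVE" for an
# entry or "CAN" for a candidate, then a four-digit year and a sequence number.
_NAME_RE = re.compile(r"^(CVE|CAN)-(\d{4})-(\d{4,})$")

def parse_name(text: str) -> Optional[Tuple[str, str, str]]:
    """Return (status, year, sequence) for a CVE/CAN name, or None if malformed."""
    m = _NAME_RE.match(text.strip().upper())
    if m is None:
        return None
    return ("entry" if m.group(1) == "CVE" else "candidate"), m.group(2), m.group(3)

def canonical(text: str) -> Optional[str]:
    """Key shared by a candidate and the entry it becomes after the Board vote.
    Assumes (historical practice) that an accepted candidate keeps its number."""
    parsed = parse_name(text)
    return None if parsed is None else f"{parsed[1]}-{parsed[2]}"

def cross_reference(scanner: List[Dict[str, str]], fixes: Dict[str, str]):
    """Look up each scanner finding in a fix database by CVE name.
    Returns (matched, unmatched): matched maps canonical key -> (title, fix);
    unmatched lists findings with no usable CVE name, the gap a common name closes."""
    fix_index = {canonical(n): fix for n, fix in fixes.items() if canonical(n)}
    matched, unmatched = {}, []
    for finding in scanner:
        key = canonical(finding.get("cve", ""))
        if key is not None and key in fix_index:
            matched[key] = (finding["title"], fix_index[key])
        else:
            unmatched.append(finding["title"])
    return matched, unmatched

# Constructed sample data with placeholder names (year 0000 is not a real CVE year).
SCANNER_REPORT = [
    {"title": "example finding A", "cve": "CAN-0000-0001"},  # still a candidate
    {"title": "example finding B", "cve": "CVE-0000-0002"},
    {"title": "example finding C", "cve": "VENDOR-4711"},   # proprietary ID only
]
FIX_DATABASE = {  # constructed; keyed by entry names
    "CVE-0000-0001": "placeholder fix A",
    "CVE-0000-0002": "placeholder fix B",
}

if __name__ == "__main__":
    print(cross_reference(SCANNER_REPORT, FIX_DATABASE))
```

Finding C shows the situation the page describes before CVE: a proprietary identifier alone cannot be looked up in another vendor's database.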


How To Speak CVE

Network Security Administrators/Policy and Decision Makers: Adopt CVE-compatible products/services or encourage your vendors to be CVE-compatible to support your enterprise requirements.

Security Vendors/Vulnerability Database Managers/Service Providers: Deliver CVE-compatible tools, databases, or services to your customers for better coverage, easier interoperability, and enhanced security across the enterprise.

Software Vendors: Incorporate the use and reservation of CVE names into your vulnerability handling process so that your customers can work with concise information and leverage the power of vulnerability scanners to verify that updates and fixes have been applied.


CVE and MITRE

The MITRE Corporation created the CVE Editorial Board, manages and maintains the CVE List and candidates with assistance from the Board, conducts community outreach activities, maintains the CVE Web site, manages the CVE compatibility program, and provides neutral guidance throughout the process to ensure that CVE serves the public interest. In accordance with its mission, MITRE has traditionally acted in the public interest. Its unique role allows it to provide an objective perspective to this effort.


CVE Sponsor

CVE is sponsored by the U.S. Department of Homeland Security. A list of past sponsors is available on the Sponsors page.


Senior Advisory Council

The Senior Advisory Council was established to ensure that the CVE Initiative, later expanded to include MITRE's Open Vulnerability and Assessment Language (OVAL) effort, receive the sponsorship—including funding and guidance—required to maximize their effectiveness in supporting government efforts to improve the nation’s ability to identify and respond to vulnerabilities and information assurance attacks or issues. See the members page and council charter for more detailed information.



View the "Introduction to CVE, The Key to Information Sharing" brochure (PDF).


For more information, please email cve@mitre.org

Page last updated: Thursday, 02-Mar-2006 13:33:32 EST