A number of organizations in the information
security community provide CVE with vulnerability information
that helps MITRE create new CVE candidates (i.e.,
CVE names with "candidate" status). This information
is provided to MITRE in the form of "submissions," which
are derived from the submitting data source's vulnerability
databases, probe lists from assessment tools, periodic
vulnerability summaries, etc. (See the CVE Naming Process
section for detailed information about this process.)
With multiple submissions from different organizations,
MITRE has a richer set of information to use when creating
candidates. This improves the quality of those candidates,
which in turn makes CVE more useful to all parties. For
example, the resulting candidates may provide additional
references for people to include in their own databases.
Also, since CVE does not rely on any one source, it has
a better chance of identifying all publicly known security
problems, which then provides a more comprehensive set
of vulnerabilities and exposures for everyone. (Note
that all data sources make decisions about which vulnerabilities
or exposures they will include in their own database.
They may exclude a security problem from their own database
because it is not sufficiently proven to exist, there
is incomplete information, the problem is not important
to the data source's customers, etc.)
A CVE data source receives a "backmap," which
links its own database items to the resulting candidate
names. This helps reduce the amount of labor that the
data source has to perform when mapping its database
to CVE names.
Data Sources
Individuals from the organizations noted below have
provided MITRE with vulnerability information (e.g.,
vulnerability databases, probe lists from assessment
tools, periodic vulnerability summaries, etc.).
Data Sources for New Security Problems
The organizations noted below publish regular summaries
of new vulnerabilities and exposures, on a weekly to
monthly basis. MITRE has been given permission to use
their summaries to help keep CVE current and comprehensive
with respect to the newest security problems.
Security Focus - SecurityFocus.com weekly Newsletters
http://www.securityfocus.com/vdb
Network Computing and the SANS Institute - weekly Security
Alert Consensus
http://archives.neohapsis.com/archives/securityexpress/current/
ISS - monthly Security Alert Summary
http://xforce.iss.net/alerts/summaries.php
NIPC CyberNotes - biweekly issues
http://www.nipc.gov/cybernotes.htm
Data Sources for Legacy Security Problems, Summer 2000
CVE was created in 1999. A large number of vulnerabilities
and exposures were discovered and publicized before then.
These are referred to as "legacy problems." While
CVE currently includes the most serious and well-known
legacy problems, there is a backlog of other legacy problems
that still need to be assigned a CVE name.
During summer 2000, the following organizations provided
MITRE with stripped copies of their entire vulnerability
databases. These databases are helping MITRE to create
more legacy candidates, which in turn will make CVE more
comprehensive with respect to "legacy" vulnerabilities
and exposures.
Symantec
AXENT
The Nessus Project
PGP Security
BindView
Cisco
Security Focus
Neohapsis
ISS
Harris
Data Sources for Legacy Security Problems, Winter 1999
In November and December of 1999, MITRE asked organizations
to provide a "top 100 list" of vulnerabilities
and exposures that they wanted to see in CVE. Over 800
submissions were provided. Those submissions helped expand
CVE to more than 500 entries (Version 20000118).
The following organizations provided MITRE with their
top 100 lists:
CERIAS
ISS
Harris
BindView
Hiverworld
Cisco
L-3 Security (later acquired by Symantec)
AXENT
Data Sources for the Draft CVE, Spring-Summer 1999
Before CVE was publicly released in September 1999,
a "draft CVE" was created and submitted to
the Editorial Board for feedback.
ISS, L-3 Security (acquired by Symantec), SANS,
and Netect (later acquired by BindView)
provided information that was used to help create the
draft CVE. Data was also drawn from other sources including
Bugtraq and NTBugtraq posts, CERT advisories,
and security tools such as NAI's CyberCop Scanner,
Cisco's NetSonar, and AXENT's NetRecon.
Conclusion
The MITRE Corporation thanks all of the organizations noted
above for their contributions as data sources to the CVE
Initiative. For additional information, contact us at
cve@mitre.org.