CVE provides a common, standardized identification system that allows cybersecurity tools to interoperate. It also facilitates the sharing of vulnerability information and assists with prioritizing and addressing vulnerabilities.
Vulnerabilities are reported to CVE through authorized CNAs and then assigned CVE Identifiers. CVE entries often include CVSS scores, which provide a standardized way of assessing the severity of a vulnerability.
CVE Identifiers
CVE identifiers are standardized ways of referring to information security vulnerabilities in software and hardware systems. They help vendors, researchers, organizations, and end-users communicate about vulnerabilities and develop mitigation strategies.
A CVE entry has a unique alphanumeric number, a brief vulnerability description, and one or more public references. Authorized data publishers can also enrich CVE records with additional details, such as risk scores or manufactured product lists.
The CVE board comprises cybersecurity organizations that contribute to the development of the program. The board provides critical input on data sources, product coverage, operating structure, and strategic direction.
To be assigned a CVE, a vulnerability must meet the following criteria:
CVE Numbering Authorities
The CVE program works with many organizations — called CVE Numbering Authorities (CNAs) — that assign and publish CVE identifiers. These identifiers allow information technology and cybersecurity professionals to consistently describe a vulnerability, prioritize its impact, and focus their efforts.
The program uses a federation model with root CNAs responsible for a specific niche or area and sub-CNAs that can assign and publish vulnerabilities in their scope. There are over 100 CNAs worldwide, including large product vendors, security researchers, and researchers at universities and research labs; commercial and open source software projects; industry and national CERTS; and bug bounty programs.
CVE Numbering Format
When a new vulnerability is discovered, researchers typically share it with one central organization that manages CVEs. MITRE researchers then validate the flaw and create a CVE identifier, which companies can request for inclusion in their software. The identifier includes a short description and references to related advisories and reports.
CVEs also form the basis of the Common Vulnerability Scoring System (CVSS), which organizations and services worldwide use to prioritize vulnerabilities and improve vulnerability management programs.
Currently, 104 commercial entities are CVE Numbering Authorities (CNAs), including large software vendors like Microsoft, Apple, Adobe, HPE, Google, and Linux, as well as security tools providers. When CNAs report a vulnerability, a board of experts votes whether or not it should be considered for a CVE identifier and given an entry status (“entry”).
CVE Numbering Rules
The CVE System provides a consistent, standardized way to reference vulnerabilities that help vendors, customers, end-users, researchers, and other security professionals keep track of, communicate and mitigate these flaws. The system also helps these groups work together to prioritize, identify, and fix them.
When a vulnerability is discovered, the researcher or security team reports it to a CVE Numbering Authority—also known as a CNA. CNAs are authorized by the CVE Program to assign CVE IDs to vulnerabilities that fall within their scopes (i.e., the vulnerabilities they monitor and publish to the public CVE List).
These CNAs receive submissions from various sources, including other CVE Program participants, open-source projects, coordination centers, bug bounty services, and hosted service providers. CVE IDs are assigned according to the following guidelines: