Documents and Guidance
Documents and guidance are available for the topics below. Please contact us to provide feedback about this page.
CVE List Documents and Guidance
About CVE Records
Provides an overview of CVE Records and links to various documents within three areas: CVE Records Defined, Creation of a CVE Record, and Requesting CVE Identifiers (CVE IDs).
Search Tips
Provides tips for searching or viewing CVE Records on the CVE List hosted on this CVE website.
CVE References
Each CVE Record includes appropriate references. Each reference used in CVE (1) identifies the source, (2) includes a well-defined identifier to facilitate searching on a source's website, and (3) notes the associated CVE Record. CVE also includes a Reference Maps page with links to documents from the commonly used information sources that are used as references for CVE Records.
CVE Numbering Authorities (CNAs) Documents, Policies, and Guidance
CVE Numbering Authority (CNA) Rules, Version 3.0
Includes detailed information for CNAs about Assignment Rules, including the CVE Program’s definition of “vulnerability” and the requirements for assigning a CVE ID; CVE Record (previously “CVE Entry”) requirements, including entry information, prose description, reference(s), and formatting; the appeals process; definitions of CVE ID states and CVE Record states; the process to correct assignment issues or update CVE Records; disclosure and embargo policies; defining a CNA’s scope; and the four categories of CNAs (Sub-CNAs, Root CNAs, CNAs of Last Resort (CNA-LR), Program Root CNA, and Secretariat), with assignment, communication, and administration rules for each. Version 3.0 – March 5, 2020 (NOTE: updated annually or as needed)
EOL Policy
The CVE Program’s policy and procedure for end-of-life (EOL) products.
RBP CVE IDs Policy
The CVE Program’s policy and procedure for Reserved but Public (RBP) CVE IDs.
CVE Assignment Rules
The nature and accuracy of the counting process underpins the value of a CVE Record (previously “CVE Entry”). Correct assignment reduces the likelihood of duplicate CVE IDs being assigned to a single vulnerability. Also, some reports of vulnerabilities may confuse or conflate multiple, separate software problems, and the assignment process helps to differentiate between those vulnerabilities that are unique.
Researcher Reservation Guidelines
Provides information on how to reserve a CVE ID before publicizing a new vulnerability so that the CVE ID can be included in the initial public announcement of the vulnerability and can be used to track the vulnerability.
Key Details Phrasing
Key details phrasing guidance for writing CVE Record Descriptions (hosted on GitHub).
Process for CNAs to Correct Assignment Issues or Update CVE Records
There are many places where the CVE ID assignment process can break down. Since mistakes are inevitable, processes to correct them are necessary. This document describes different scenarios wherein the CVE ID assignment goes awry, and the corresponding resolution process.
New CNA Onboarding Documents, Slides, and Videos
NOTE: The slides and videos below should be reviewed by new CNAs in the order presented prior to their onboarding meeting with the CNA Coordination Team.
CVE Program Overview
English: slides | video
Japanese: slides
An introduction to the Common Vulnerabilities and Exposures (CVE™) Program, including what CVE is, the goals of the program, who operates the program, and how the program is organized.
Becoming a CNA slides
English: slides | video
Japanese: slides
An introduction to becoming a CVE Numbering Authority (CNA) with an overview of what defines a CNA, how the CVE Program is organized, how to organize your CNA program, how to define the scope of what you will cover, internal CNA processes, CNA resources, and ways to get involved in the CNA community.
CNA Processes
English: slides | video
Japanese: slides
Guidance for CNAs on how to get a block of CVE IDs, assign vulnerabilities to CVE IDs, submit CVE IDs, update CVE Records (previously “CVE Entries”) when necessary, escalate issues where there is a dispute, reject CVE IDs when needed, dispute a CVE ID, and the process for handling expiring CVE IDs.
Assigning CVE IDs
English: slides | video
Japanese: slides
Describes in detail how CNAs assign CVE IDs to vulnerabilities.
CVE Record (previously “CVE Entry”) Creation
English: slides | video
Japanese: slides
Once a CNA has assigned a CVE ID(s), performed coordination to fix the vulnerability, and published the vulnerability information, the next step is to populate the CVE Record (previously “CVE Entry”). This video details how CNAs create CVE Records.
CVE Record (previously “CVE Entry”) GitHub Submissions
English: slides
Describes the process for CNAs to submit CVE Records using GitHub.
CVE Record Submission Process to the MITRE Top-Level Root Only
English: slides | video
Japanese: slides
Guidance on how to submit a CVE Record (previously “CVE Entry”) to the MITRE Top-Level Root (TLR-Root).
NOTE: The documents below (hosted on GitHub) walk through how to set up a local environment to submit CVE Records (previously “CVE Entry”) in JSON format to the CVE List via git. The Initial Tools document, which walks through basic information and requirements, should be read first, followed by one of the other three documents to finish setup based on your desired workflow.
Initial Tools: Overview and First Steps
Discusses the steps for setting up the correct environment to submit CVE Record (previously “CVE Entry”) information through GitHub using a variety of tools.
Command Line Interface Setup
Describes how to submit new JSON files to the CVE GitHub repository using the git command line interface as opposed to a GUI.
GitHub Desktop GUI Setup
Describes the GitHub submission process for submitting a new CVE Record (previously “CVE Entry”) using GitHub Desktop, a free GUI-based software.
SourceTree GUI Setup
Describes the GitHub submission process for submitting a new CVE Record (previously “CVE Entry”) using SourceTree, a free GUI-based software.
CVE Request Web Form Documents and Guidance
CVE Request Web Form FAQs
Includes questions and answers on web form basics, using the web form, and after submitting a web form request.
CVE Request Web Form Overview
This presentation provides an overview of how to use the CVE Request web form, which is used to request CVE IDs from the CVE Program Root CNA, request an update to an existing CVE Record (previously “CVE Entry”), provide notification about a vulnerability publication, or submit comments.
CVE Request Web Form Tip Sheet
A brief overview of information and tips for using each of the CVE Request web forms: Request a CVE ID; Request a block of IDs (for CNAs only); Notify CVE about a publication; Request an update to an existing CVE; and Other.
CVE Working Groups Documents
CVE Board Documents
CVE Board Charter
This document provides information about the CVE Board and how it functions, including Board structure, membership, working groups, and operations. A member nomination form is also included. Version 3.3 – August 20, 2020
Presentations & More
CVE Program Videos
Includes a CVE Program Overview video for all audiences, as well as several videos of detailed processes and procedures guidance for those organizations that have signed on to participate as official CVE Numbering Authorities (CNAs).
Archived Documents
Documents listed on this archive page are no longer current and are retained on the CVE website for historical purposes only.