A number of organizations in the information security community provide CVE with vulnerability information that helps MITRE create new CVE candidates (i.e., CVE names with "candidate" status). This information is provided to MITRE in the form of "submissions," which are derived from the submitting data source's vulnerability databases, probe lists from assessment tools, periodic vulnerability summaries, etc. (See the CVE Naming Process section for detailed information about this process.)
With multiple submissions from different organizations, MITRE has a richer set of information to use when creating candidates. This improves the quality of those candidates, which in turn makes CVE more useful to all parties. For example, the resulting candidates may provide additional references for people to include in their own databases. Also, since CVE does not rely on any one source, it has a better chance of identifying all publicly known security problems, which then provides a more comprehensive set of vulnerabilities and exposures for everyone. (Note that all data sources make decisions about which vulnerabilities or exposures they will include in their own database. They may exclude a security problem from their own database because it is not sufficiently proven to exist, there is incomplete information, the problem is not important to the data source's customers, etc.)
A CVE data source receives a "backmap," which links its own database items to the resulting candidate names. This helps reduce the amount of labor that the data source has to perform when mapping its database to CVE names.
Individuals from the organizations noted below have provided MITRE with vulnerability information (e.g., vulnerability databases, probe lists from assessment tools, periodic vulnerability summaries, etc.).
The organizations noted below publish regular summaries of new vulnerabilities and exposures, on a weekly to monthly basis. MITRE has been given permission to use their summaries to help keep CVE current and comprehensive with respect to the newest security problems.
Security Focus - SecurityFocus.com weekly Newsletters
http://www.securityfocus.com/vdb
Network Computing and the SANS Institute - weekly Security Alert Consensus
http://archives.neohapsis.com/archives/securityexpress/current/
ISS - monthly Security Alert Summary
http://xforce.iss.net/alerts/summaries.php
NIPC CyberNotes - biweekly issues
http://www.nipc.gov/cybernotes.htm
CVE was created in 1999. A large number of vulnerabilities and exposures were discovered and publicized before then. These are referred to as "legacy problems." While CVE currently includes the most serious and well-known legacy problems, there is a backlog of other legacy problems that still need to be assigned a CVE name.
During summer 2000, the following organizations provided MITRE with stripped copies of their entire vulnerability databases. These databases are helping MITRE to create more legacy candidates, which in turn will make CVE more comprehensive with respect to "legacy" vulnerabilities and exposures.
In November and December of 1999, MITRE asked organizations to provide a "top 100 list" of vulnerabilities and exposures that they wanted to see in CVE. Over 800 submissions were provided. Those submissions helped expand CVE to more than 500 entries (Version 20000118).
The following organizations provided MITRE with their top 100 lists:
L-3 Security (later acquired by Symantec)
Before CVE was publicly released in September 1999, a "draft CVE" was created and submitted to the Editorial Board for feedback. ISS, L-3 Security (acquired by Symantec), SANS, and Netect (later acquired by BindView) provided information that was used to help create the draft CVE. Data was also drawn from other sources including Bugtraq and NTBugtraq posts, CERT advisories, and security tools such as NAI's CyberCop Scanner, Cisco's NetSonar, and AXENT's NetRecon.
CVE Version Number: 20061101
Total Unique Entries: 3050
Total Candidates: 18966