Common Vulnerabilities and Exposures

From Wikipedia, the free encyclopedia

Common Vulnerabilities and Exposures, or CVE, is a dictionary of publicly-known information security vulnerabilities and exposures. This dictionary is maintained by MITRE Corporation, and is funded by the National Cyber Security Division of the United States Department of Homeland Security.^[1]

[edit] CVE Identifiers

As per [1], CVE Identifiers (also called "CVE names," "CVE numbers," "CVE-IDs," and "CVEs") are unique, common identifiers for publicly known information security vulnerabilities. CVE identifiers and be either in "entry" or "candidate" status. Entry status indicates that the CVE Identifier has been accepted to the CVE List while candidate status (also called "candidates," "candidate numbers," or "CANs") indicates that the identifier is under review for inclusion in the list.

The same source describes the process of creating a CVE Identifier which

• begins with the discovery of a potential security vulnerability or exposure
• to this information is then assigned a (unique) CVE candidate number by a CVE Candidate Numbering Authority (CNA), posted on the CVE Web site, and proposed to the Board by the CVE Editor

The MITRE Corporation functions as Editor and Primary CNA. The CVE Editorial Board (created by MITRE) discusses the candidate and votes on whether or not it should become a CVE entry. If the candidate is rejected, the reason for rejection is noted in the Editorial Board Archives posted on the CVE Web site. If the candidate is accepted, its status is updated to "entry" on the CVE List. However, the assignment of a candidate number is not a guarantee that it will become an official CVE entry.

It is best to acquire a CAN number early in its investigation. An entry is live once a number is assigned, however until the go-public date is reached, the CAN number's entry will not provide any information. It will instead show a placeholder to indicate the number is taken. The benefit to early CVE candidacy is that all future correspondence can refer to the CAN/CVE number.^[2]

[edit] References

1. ^ CVE - Common Vulnerabilities and Exposures. MITRE Corporation (3 July 2007). Retrieved on 2007-07-06.
2. ^ Fogel, Karl (2006). Producing Open Source Software. Sebastopol, CA: O'Reilly, 158, 159. ISBN 0-596-00759-0. 

[edit] External links

• CVE - Common Vulnerabilities and Exposures
• MITRE Corporation
• CERT - a security expert coordination effort by the Software Engineering Institute of Carnegie Mellon University
• SecurityFocus - home of the BugTraq mailing list