Common Vulnerabilities and Exposures

The Common Vulnerabilities and Exposures or CVE system provides a reference-method for publicly known information-security vulnerabilities and exposures. MITRE Corporation maintains the system, with funding from the National Cyber Security Division of the United States Department of Homeland Security.[1] CVE is used by the Security Content Automation Protocol.

CVE Identifiers

MITRE Corporation's documentation defines CVE Identifiers (also called "CVE names", "CVE numbers", "CVE-IDs", and "CVEs") as unique, common identifiers for publicly known information security vulnerabilities. CVE identifiers have a status of either "entry" or "candidate". Entry status indicates acceptance of a CVE Identifier into the CVE List, while a status of "candidate" (for "candidates," "candidate numbers," or "CANs") indicates an identifier under review for inclusion in the list.[2]

The same source describes the process of creating a CVE Identifier which:

The MITRE Corporation functions as Editor and Primary CNA. The CVE Editorial Board (set up by MITRE) discusses the candidate and votes on whether or not it should become a CVE entry. If the Board rejects a candidate, the reason for rejection is noted in the Editorial Board Archives posted on the CVE Web site. If the Board accepts a candidate, its status is updated to "entry" on the CVE List. However, the assignment of a candidate number is not a guarantee that it will become an official CVE entry.

When investigating a vulnerability or potential vulnerability it helps to acquire a CAN number early on. An entry is live once a number is assigned. However until the go-public date is reached, the CAN number's entry will not provide any information. It will instead show a placeholder to indicate that the number is taken. The benefit of early CVE candidacy is that all future correspondence can refer to the CAN/CVE number.[3]

References

  1. ^ "CVE - Common Vulnerabilities and Exposures". MITRE Corporation. 3 July 2007. http://cve.mitre.org/. Retrieved 2009-06-18. "CVE is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security." 
  2. ^ "About CVE Identifiers". MITRE. 2007-07-17. http://cve.mitre.org/cve/identifiers/index.html. Retrieved 2009-06-18. "CVE Identifiers (also called 'CVE names,' 'CVE numbers,' 'CVE-IDs,' and 'CVEs') are unique, common identifiers for publicly known information security vulnerabilities. CVE identifiers have 'entry' or 'candidate' status. Entry status indicates that the CVE Identifier has been accepted to the CVE List while candidate status (also called 'candidates,' 'candidate numbers,' or 'CANs') indicates that the identifier is under review for inclusion in the list." 
  3. ^ Fogel, Karl (2006). Producing Open Source Software. Sebastopol, CA: O'Reilly. pp. 158, 159. ISBN 0-596-00759-0. http://producingoss.com/en/publicity.html#security-cve. 

External links