The Common Vulnerabilities and Exposures or CVE system provides a reference-method for publicly known information-security vulnerabilities and exposures. MITRE Corporation maintains the system, with funding from the National Cyber Security Division of the United States Department of Homeland Security.[1] CVE is used by the Security Content Automation Protocol.
MITRE Corporation's documentation defines CVE Identifiers (also called "CVE names", "CVE numbers", "CVE-IDs", and "CVEs") as unique, common identifiers for publicly known information security vulnerabilities. CVE identifiers have a status of either "entry" or "candidate". Entry status indicates acceptance of a CVE Identifier into the CVE List, while a status of "candidate" (for "candidates," "candidate numbers," or "CANs") indicates an identifier under review for inclusion in the list.[2]
The same source describes the process of creating a CVE Identifier which:
The MITRE Corporation functions as Editor and Primary CNA. The CVE Editorial Board (set up by MITRE) discusses the candidate and votes on whether or not it should become a CVE entry. If the Board rejects a candidate, the reason for rejection is noted in the Editorial Board Archives posted on the CVE Web site. If the Board accepts a candidate, its status is updated to "entry" on the CVE List. However, the assignment of a candidate number is not a guarantee that it will become an official CVE entry.
When investigating a vulnerability or potential vulnerability it helps to acquire a CAN number early on. An entry is live once a number is assigned. However until the go-public date is reached, the CAN number's entry will not provide any information. It will instead show a placeholder to indicate that the number is taken. The benefit of early CVE candidacy is that all future correspondence can refer to the CAN/CVE number.[3]