CVE (Common Vulnerabilities and Exposures) and WCV (Worldwide Cybersecurity Vulnerabilities) are free to use and publicly available to anyone interested in correlating data between different vulnerability or security tools, repositories, and services. You may search or download CVE, copy it, redistribute it, reference it, and analyze it, provided you do not modify CVE itself. You may also link to specific CVE Record pages from your website, product, publication, or other capability. CVE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).
CVE helps because it provides a standardized identifier for a given vulnerability or exposure. Knowing this common identifier allows you to quickly and accurately access information about the problem across multiple information sources that are compatible with CVE. For example, if you own a security tool whose reports contain references to CVE IDs, you may then access fix information in a separate database that is compatible with CVE. CVE also provides you with a baseline for evaluating the coverage of your tools. With CVE’s common identifiers, you’ll know exactly what each tool covers, allowing you to determine which tools are most effective and appropriate for your organization’s needs.
In addition, if the security advisories your organization receives are compatible with CVE, you can see if your vulnerability scanners check for this threat and then determine whether your intrusion detection system has the appropriate attack signatures to identify attempts to exploit particular vulnerabilities. If you build or maintain systems for customers, the CVE compatibility of advisories will help you to directly identify any fixes from the vendors of the commercial software products in those systems (if the vendor fix site is compatible with CVE).
Operating under the authority of the CVE Program, “CNAs” (CVE Numbering Authorities) are organizations that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities. These CVE IDs are provided to researchers, vulnerability discoverers or reporters, and information technology vendors. Participation in this program is voluntary, and the benefits of participation include the ability to publicly disclose a vulnerability with an already assigned CVE ID, the ability to control the disclosure of vulnerability information without pre-publishing, and notification of vulnerabilities in products within a CNA’s scope by researchers who request a CVE ID from them.
ID Assignment Rules
The CVE Program expects separate CVE IDs to be assigned to independently fixable vulnerabilities. If one vulnerability can be fixed without fixing the other, then the vulnerabilities should receive separate CVE IDs. The exception is when the vulnerabilities are independently fixable because they are in different products, but those products are affected because they share the same code, or the products are affected because they use the functionality of another product. “Product” in this case is a broad term that includes standards, application programming interfaces (APIs), and protocols.
CNAs MUST NOT assign the same CVE ID to more than one independently fixable vulnerability.
CNAs MUST NOT assign a CVE ID to a vulnerability that is dependent on another vulnerability. The dependent vulnerability should share the same CVE ID as the vulnerability it is dependent on. For example, if a buffer overflow occurs only when an integer overflow occurs, then the buffer overflow should share the same CVE ID as the integer overflow.
If a CNA is uncertain whether two issues are independently fixable, then the CNA SHOULD assign a single CVE ID.
If multiple products are affected by the same independently fixable vulnerability, then the CNA:
– MUST NOT assign more than one CVE ID if the products are affected because they share the vulnerable code. The assigned CVE ID will be shared by the affected products.
– MUST assign different CVE IDs if the products do not share affected code.
– SHOULD assign different CVE IDs if the CNA is uncertain whether the products share code.
If a product is affected by a vulnerability because it uses the functionality or specification of another product, then a CNA:
– MUST assign a CVE ID to each known vulnerable implementation if there is a secure method of using the functionality or specification.
– MUST assign a single CVE ID if there is no option to use the functionality or specification in a secure manner.
– SHOULD assign different CVE IDs to each known vulnerable codebase if the CNA is uncertain whether there is a secure option.
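The assignment rules above, encoded as a small decision procedure that returns how many CVE IDs a scenario needs and which rule drove the answer. This is an added illustration, not code from the CVE Program; the string labels "independent", "dependent", "uncertain", "yes" and "no" are constructed for this example.

```python
"""Decision procedure for the CVE ID counting rules (added example)."""

INDEPENDENT, DEPENDENT, UNCERTAIN = "independent", "dependent", "uncertain"
YES, NO = "yes", "no"


def ids_for_issue_pair(relation: str) -> tuple[int, str]:
    """IDs needed for two reported issues in the same codebase.

    relation: "independent" (each fixable without fixing the other),
    "dependent" (one is only reachable through the other, e.g. a buffer
    overflow that requires a prior integer overflow), or "uncertain".
    """
    if relation == INDEPENDENT:
        return 2, "MUST NOT share one CVE ID across independently fixable issues"
    if relation == DEPENDENT:
        return 1, "MUST NOT give a dependent issue its own CVE ID"
    if relation == UNCERTAIN:
        return 1, "SHOULD assign a single CVE ID when independence is unclear"
    raise ValueError(f"unknown relation: {relation!r}")


def ids_for_affected_products(codebases: int, share_code: str,
                              via_other_product: bool = False,
                              secure_option: str = "n/a") -> tuple[int, str]:
    """IDs needed for one independently fixable vulnerability that affects
    `codebases` distinct products.

    share_code: "yes" | "no" | "uncertain" -- do the products share the
        vulnerable code?
    via_other_product: the products are affected because they use the
        functionality or specification of another product.
    secure_option: "yes" | "no" | "uncertain" -- is there a secure way to
        use that functionality or specification? (only when via_other_product)
    """
    if codebases < 1:
        raise ValueError("at least one affected product is required")
    if via_other_product:
        if secure_option == YES:
            return codebases, "MUST assign a CVE ID per vulnerable implementation"
        if secure_option == NO:
            return 1, "MUST assign a single CVE ID; no secure way to use it"
        return codebases, "SHOULD assign different IDs; secure option uncertain"
    if codebases == 1 or share_code == YES:
        return 1, "MUST NOT assign more than one CVE ID; shared vulnerable code"
    if share_code == NO:
        return codebases, "MUST assign different CVE IDs; no shared affected code"
    return codebases, "SHOULD assign different CVE IDs; code sharing uncertain"
```

The buffer-overflow example from the rules is `ids_for_issue_pair("dependent")`, which yields one ID; three products that do not share code but embed the same vulnerable protocol with no secure usage mode collapse to one ID via the `via_other_product` branch.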
Submissions: For all materials you submit to the Common Vulnerabilities and Exposures (CVE®), you hereby grant to The MITRE Corporation (MITRE) and all CVE Numbering Authorities (CNAs) a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute such materials and derivative works. Unless required by applicable law or agreed to in writing, you provide such materials on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE’s copyright designation and this license in any such copy.
ALL DOCUMENTS AND THE INFORMATION CONTAINED THEREIN PROVIDED BY MITRE ARE PROVIDED ON AN “AS IS” BASIS AND THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION, ITS BOARD OF TRUSTEES, OFFICERS, AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.