US-CERT and CVE

 

Common Vulnerabilities and Exposures (CVE®) is sponsored by the National Cyber Security Division (NCSD) at the U.S. Department of Homeland Security. US-CERT incorporates CVE names into its security advisories whenever possible and advocates the use of CVE and CVE-compatible products and services to the U.S. government and all members of the information security community.

What is the CVE?

CVE is a list or dictionary of publicly known information security vulnerabilities and exposures, international in scope and free for public use. Each vulnerability or exposure included on the CVE List has one common, standardized CVE name.

CVE's common names facilitate the exchange of vulnerability information across security advisories, tools, databases, and services that did not exist prior to the creation of CVE. CVE names are determined by the CVE Editorial Board, composed of experts from across the information security community. Through open and collaborative discussions, Board members decide which vulnerabilities or exposures will be included in CVE, and then determine the common name, description, and references for each official entry.

CVE is:

  • One standardized name for each vulnerability or exposure
  • The way to interoperability and better security coverage
  • A basis for evaluation among tools and databases
  • Industry-endorsed via the CVE Editorial Board and CVE-compatible products and services
  • Free to the public on the CVE Web site

The CVE List

In 1999, MITRE created CVE to act as a bridge between different information security tools and services. Today, the CVE List has grown to nearly 7,000 unique identifiers available on MITRE's CVE site. Approximately 100 new candidate names are added to the CVE Web site each month based upon newly discovered issues.

CVE-Compatible Products and Services

"CVE-compatible" means that an information security product or service uses CVE names in a way that allows it to cross-link with other repositories that also use CVE names, facilitating the exchange of vulnerability information and making it easier to share data in a vendor-independent manner.

Types of products include vulnerability databases; security archives and advisories; vulnerability assessment and remediation; intrusion detection, management, monitoring, and response; incident management; data and event correlation; educational materials; and firewalls. Many organizations have multiple products and services listed.
