Skip to content

Home  |   FAQ  |   Contact  |   Privacy & Use

customize

US-CERT and NVD

  
The National Vulnerability Database (NVD) is a product of the National Institute of Standards and Technology (NIST) Computer Security Division and is sponsored by the Department of Homeland Security's (DHS) National Cyber Security Division. US-CERT resources are found in the NVD, particularly vulnerability notes and technical alerts.

What is the NVD?

NVD is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. It is based on and synchronized with the Common Vulnerabilities and Exposures (CVE®) vulnerability naming standard.

NVD was created to provide technical capabilities and support for a variety of vulnerability standards. NVD's mission involves warning the public about vulnerabilities in computer systems. NVD helps DHS fulfill that mission by offering vulnerability information on all publicly known computer vulnerabilities. As far as technical capabilities, NVD provides this information using a search engine while integrating all publicly available U.S. government vulnerability resources. All of this information is given away for free with no licensing restrictions through XML and RSS feeds.

Statistics on the nature of vulnerabilities are provided through the NVD statistics engine. This service allows users to assess changes in vulnerability discovery rates within specific products or within specific types of vulnerabilities. The NVD statistics engine allows one to generate statistics on vulnerability trends over time. One can track particular products or vendors. Alternately, one can track sets of vulnerabilities with particular attributes (such as remotely exploitable buffer overflows). The statistics engine can also look at the past history of a product as an indicator to see whether or not it is likely to be vulnerable in the future.

NVD is

  • A comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources
  • A vulnerability database that integrates Open Vulnerability Assessment Language (OVAL) queries
  • Based on and synchronized with the CVE® vulnerability naming standard
  • Free to the public on the NVD Web site

The NVD List

In 2005, NIST created the NVD as a repository for vulnerability information. With information dating back to 1988, today, the NVD database has grown to include resources cataloguing over 15,000 vulnerabilities. Approximately 400 vulnerabilities are published to the NVD Web site each month based upon newly discovered issues.

NVD Products and Services

Products and services listed on the on the NVD Web site come from CVE, US-CERT, and OVAL. They are all "CVE-compatible," meaning that they uses CVE names to cross-link with other repositories that also use CVE names, facilitating the exchange of vulnerability information and making it easier to share data in a vendor-independent manner.

Types of products include vulnerability databases, security alerts, vulnerability notes, queries, and technical alerts. The database search engine allows users to search by a variety of characteristics, including vendor name, product name and version number, search start and end dates, and vulnerability type, vulnerability severity, and impact. Many organizations have multiple products and services listed.

Other Links to NVD Information

Advanced Search   |   FAQ   |   Statistical Queries   |   Download NVD   |   Scoring System