

Compatible Products & More

As the international industry standard for cybersecurity vulnerability and exposure names, CVE Identifiers are included in numerous products and services and are the foundation of others.


CVE COMPATIBILITY

Products and services can be made "CVE Compatible" by following the Requirements and Recommendations for CVE Compatibility. Numerous organizations from around the world already include CVE IDs in their capabilities, processes, products, services, etc.

Examples of enterprise security areas enhanced by CVE Compatibility include the following:

Sponsor: US-CERT

U.S. National Vulnerability Database (NVD)

Launched by the National Institute of Standards and Technology (NIST) in 2005, NVD provides a vulnerability database of enhanced CVE content that is fully synchronized with the CVE List, so any updates to CVE appear immediately in NVD.

NVD provides the following enhanced CVE content:


COMMUNITY
CVE Numbering Authorities (CNAs)

Community members such as OS and software vendors, third-party coordinators, and researchers authorized to assign CVE IDs to new issues.

Recommendation ITU-T X.1520 Common Vulnerabilities and Exposures (CVE)

CVE was adopted by the International Telecommunication Union's (ITU-T) Cybersecurity Rapporteur Group as a part of its "Global Cybersecurity Information Exchange techniques (X.CYBEX)" through the X.CVE recommendation above, which is based upon CVE's current Compatibility Requirements document. Any future changes to those requirements will be reflected in subsequent updates to X.CVE.

Common Vulnerability Scoring System (CVSS)

The severity of CVE IDs is rated by the Forum of Incident Response and Security Teams' (FIRST) CVSS. NVD provides a CVSS calculator for CVE IDs.

Common Weakness Enumeration (CWE™)

A formal dictionary of software weakness types, CWE is based in part on the CVE List.

Open Vulnerability and Assessment Language (OVAL)

OVAL is a standard for determining vulnerability and configuration issues on computer systems. CVE IDs are the primary references for "OVAL Vulnerability Definitions," which test systems for the presence of CVEs.

GOVERNMENT
US-CERT Bulletins

US-CERT Bulletins use CVE IDs to uniquely identify the vulnerabilities they report.

DISA Information Assurance Vulnerability Alerts

CVE IDs are mapped to the U.S. Defense Information Systems Agency's (DISA) Information Assurance Vulnerability Alerts (IAVAs), downloads of which are posted on DISA's public Security Technical Implementation Guides (STIG) website.

Security Content Automation Protocol (SCAP)

CVE is one of the existing standards used by the U.S. National Institute of Standards and Technology's (NIST) SCAP to enable automated vulnerability management, measurement, and policy compliance evaluation.

U.S. Government Agencies

The National Institute of Standards and Technology (NIST) recommends use of CVE by U.S. agencies in two Special Publications: "800-51: Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme" in 2002 and "800-40: Procedures for Handling Security Patches," which was initially released in 2002 and updated in 2011.

DoD Contracts

The U.S. Defense Information Systems Agency (DISA) issued Task Order 232 in June 2004 for information assurance applications for the Department of Defense (DoD) that requires the use of products that use CVE IDs.

Page Last Updated or Reviewed: April 25, 2017