This Recommendation on the use of the common vulnerabilities and exposures (CVE) provides a structured means of exchanging information security vulnerabilities and exposures, giving common names to publicly known problems in the commercial or open source software used in communications networks, end user devices, or any of the other types of information and communications technology (ICT) capable of running software. The goal of the Recommendation is to define the use of CVE so that this common naming makes it easier to share data across separate vulnerability capabilities (tools, repositories, and services). This Recommendation defines the use of CVE to provide a mechanism for vulnerability databases and other capabilities to be used together, and to facilitate the comparison of security tools and services. CVE does not contain information such as risk, impact, fix information, or detailed technical information. CVE contains only the standard identifier number with status indicator, a brief description, and references to related vulnerability reports and advisories. The repository of CVE identifiers is available at [cve.mitre.org/cve/cve.html].
The intention of CVE, the use of which is defined in this Recommendation, is to be comprehensive with respect to all publicly known vulnerabilities and exposures. While CVE is designed to contain mature information, the primary focus is on identifying vulnerabilities and exposures that are detected by security tools and any new problems that become public, and then addressing any older security problems that require validation.