National Cyber Security Division (NCSD) at the U.S. Department of Homeland Security sponsors CVE. US-CERT incorporates CVE names into its security advisories whenever possible and advocates the use of CVE and CVE-compatible products and services to the U.S. government and all members of the information security community.
Common Vulnerabilities and Exposures (CVE®) is a list or dictionary of publicly known information security vulnerabilities and exposures international in scope and free for public use. Each vulnerability or exposure included on the CVE List has one common, standardized CVE name.
CVE's common names facilitate the exchange of vulnerability information across security advisories, tools, databases, and services that did not exist prior to the creation of CVE. CVE names are determined by the CVE Editorial Board, composed of experts from across the information security community. Through open and collaborative discussions, Board members decide which vulnerabilities or exposures will be included in CVE, and then determine the common name, description, and references for each official entry.
- One standardized name for each vulnerability or exposure
- The way to interoperability and better security coverage
- A basis for evaluation among tools and databases
- Industry-endorsed via the CVE Editorial Board and CVE-compatible products and services
- Free to the public on the CVE Web site
In 1999, MITRE created CVE to act as a bridge between different information security tools and services. Today, the CVE List has grown to nearly 7,000 unique identifiers available on MITRE's CVE site. Approximately 100 new candidate names are added to the CVE Web site each month based upon newly discovered issues.
Numerous organizations from around the world have listed their products and services as CVE-compatible on the CVE Web site. "CVE-compatible" means that an information security product or service uses CVE names in a way that allows it to cross-link with other repositories that also use CVE names, facilitating the exchange of vulnerability information and making it easier to share data in a vendor-independent manner.
Types of products include vulnerability databases; security archives and advisories; vulnerability assessment and remediation; intrusion detection, management, monitoring, and response; incident management; data and event correlation; educational materials; and firewalls. Many organizations have multiple products and services listed.