- Common Vulnerabilities and Exposures
-
The Common Vulnerabilities and Exposures or CVE system provides a reference-method for publicly-known information-security vulnerabilities and exposures. MITRE Corporation maintains the system, with funding from the National Cyber Security Division of the United States Department of Homeland Security.[1] CVE is used by the Security Content Automation Protocol.
CVE Identifiers
MITRE Corporation's documentation defines CVE Identifiers (also called "CVE names", "CVE numbers", "CVE-IDs", and "CVEs") as unique, common identifiers for publicly-known information security vulnerabilities. CVE identifiers have a status of either "entry" or "candidate". Entry status indicates acceptance of a CVE Identifier into the CVE List, while a status of "candidate" (for "candidates," "candidate numbers," or "CANs") indicates an identifier under review for inclusion in the list.[2]
The same source describes the process of creating a CVE Identifier which:
- begins with the discovery of a potential security vulnerability or exposure
- adds to this information a (unique) CVE candidate number assigned by a CVE Candidate Numbering Authority (CNA), posted on the CVE Web site, and proposed to the Board by the CVE Editor
The MITRE Corporation functions as Editor and Primary CNA. The CVE Editorial Board (set up by MITRE) discusses the candidate and votes on whether or not it should become a CVE entry. If the Board rejects a candidate, the reason for rejection is noted in the Editorial Board Archives posted on the CVE Web site. If the Board accepts a candidate, its status is updated to "entry" on the CVE List. However, the assignment of a candidate number is not a guarantee that it will become an official CVE entry.
When investigating a vulnerability or potential vulnerability it helps to acquire a CAN number early on. An entry is live once a number is assigned. However until the go-public date is reached, the CAN number's entry will not provide any information. It will instead show a placeholder to indicate that the number is taken. The benefit of early CVE candidacy is that all future correspondence can refer to the CAN/CVE number.[3]
References
- ^ "CVE - Common Vulnerabilities and Exposures". MITRE Corporation. 3 July 2007. http://cve.mitre.org/. Retrieved 2009-06-18. "CVE is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security."
- ^ "About CVE Identifiers". MITRE. 2007-07-17. http://cve.mitre.org/cve/identifiers/index.html. Retrieved 2009-06-18. "CVE Identifiers (also called 'CVE names,' 'CVE numbers,' 'CVE-IDs,' and 'CVEs') are unique, common identifiers for publicly known information security vulnerabilities. CVE identifiers have 'entry' or 'candidate' status. Entry status indicates that the CVE Identifier has been accepted to the CVE List while candidate status (also called 'candidates,' 'candidate numbers,' or 'CANs') indicates that the identifier is under review for inclusion in the list."
- ^ Fogel, Karl (2006). Producing Open Source Software. Sebastopol, CA: O'Reilly. pp. 158, 159. ISBN 0-596-00759-0. http://producingoss.com/en/publicity.html#security-cve.
External links
- CVE - Common Vulnerabilities and Exposures
- MITRE Corporation
- CERT - a security expert coordination effort by the Software Engineering Institute of Carnegie Mellon University
- SecurityFocus - home of the BugTraq mailing list
- www.cvedetails.com - Detailed, easy to use CVE database
- NVD - National Vulnerability Database
Categories:- Computer security
- Computer security exploits
- Mitre Corporation
Wikimedia Foundation. 2010.
