Colleagues,

The following article has been posted on the CVE Blog on Medium. Links for 
liking and sharing are below the article.

New CVE Record Format Enables Additional Data Fields at Time of Disclosure

When the CVE® Program<https://www.cve.org/> was first established in 1999, a 
CVE 
Record<https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryRecord> 
consisted of only three elements: the 
CVE-ID<https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCVEID> 
itself, a brief vulnerability description, and a reference URL directing to 
further relevant information. This solved an important problem: two or more 
people or tools could refer to a vulnerability by a single reference and know 
they were talking about the same thing, thereby saving significant time and 
cost.
Over the last 25 years, CVE has grown into the backbone of the vulnerability 
management ecosystem, with a federated governance model that includes 
partnering with CVE Numbering Authorities 
(CNAs)<https://www.cve.org/ProgramOrganization/CNAs> to grow CVE content and 
expand its use. At the same time, additional vulnerability-related information, 
including CVSS<https://www.first.org/cvss/>, CWE<https://cwe.mitre.org/>, and 
CPE<https://nvd.nist.gov/products/cpe>, amongst others, has become important to 
the cybersecurity community for increasing transparency, understanding 
vulnerability root causes, and prioritizing incident response.
In recent months, significant shifts in the vulnerability management landscape 
have led to consumer frustrations in accessing these additional data fields 
related to CVE Records. Previously, downstream augmenters of CVE Record data 
(such as the NVD<https://nvd.nist.gov/>) have provided things like CVSS base 
scores and CWE mappings using public data, often causing contention with 
CNA<https://www.cve.org/ProgramOrganization/CNAs> product vendors who have 
access to the most reliable source for accurate determinations.
Now there is another way.
The CVE Board<https://www.cve.org/ProgramOrganization/Board> is proud to 
announce that the CVE Program has evolved its record 
format<https://www.cve.org/AllResources/CveServices#CveRecordFormat> to enhance 
automation capabilities and data enrichment. This format, utilized by CVE 
Services<https://www.cve.org/AllResources/CveServices>, facilitates the 
reservation of CVE IDs and the inclusion of data elements like CVSS, CWE, CPE, 
and other data into the CVE Record at the time of issuing a security advisory. 
This means the authoritative source (within their CNA scope) of vulnerability 
information — those closest to the products themselves — can accurately report 
enriched data to CVE directly and contribute more substantially to the 
vulnerability management process.
Getting more accurate and precise information in the hands of the defenders and 
downstream customers on a timelier basis helps the vulnerability management 
ecosystem and the entire cybersecurity community in addressing risks.
Please clap, like, and share, if possible:
Medium: 
https://medium.com/@cve_program/new-cve-record-format-enables-additional-data-fields-at-time-of-disclosure-82eef1d4035e
X-Twitter: https://twitter.com/CVEannounce/status/1783999604117180497
Mastodon: https://mastodon.social/@CVE_Program/112340085736467849
CVE LinkedIn: 
https://www.linkedin.com/feed/update/urn:li:activity:7189767269122482176
CVE-CWE LinkedIn Showcase page: 
https://www.linkedin.com/feed/update/urn:li:share:7189767420675338240/

Respectfully,
CVE Program Secretariat
cve-prog-secretar...@mitre.org<mailto:cve-prog-secretar...@mitre.org>
