How does a vulnerability or exposure become a CVE Identifier?
The process begins with the discovery of a potential security vulnerability or exposure. The information is then assigned a CVE Identifiers with candidate status (also called a candidate, candidate number, or CAN) by a CVE Candidate Numbering Authority (CNA), posted on the CVE Web site, and is proposed to the Board by the CVE Editor. As part of its management of CVE, The MITRE Corporation functions as Editor and Primary CNA The CVE Editorial Board discusses the candidate and votes on whether or not it should become an official CVE entry. If the candidate is rejected, the reason for rejection is noted in the Editorial Board Archives posted on the CVE Web site. If the candidate is accepted, its status is updated to “entry” on the CVE List. However, the assignment of a candidate number is not a guarantee that it will become an official CVE entry. For more a more detailed description of this process, refer to About CVE Identifiers, CVE Editorial Policies, and How We Build the CVE List.
Related Questions
- What is the relationship between NVD and the Common Vulnerabilities and Exposures (CVE) standard vulnerability dictionary?
- What is the difference between NVD and the Common Vulnerabilities and Exposures (CVE) standard vulnerability dictionary?
- How does a vulnerability or exposure become a CVE Identifier?
