Debug School

Suyash Sambhare

Introduction to CVE: Understanding Cybersecurity Vulnerabilities

The Common Vulnerabilities and Exposures (CVE) program is a public catalog of publicly disclosed vulnerabilities in software and hardware products, including open-source libraries. Each entry carries a unique identifier, the CVE ID, so that vendors, researchers, scanners and advisories can all refer to the same flaw unambiguously and look up its details. Because CVE IDs now appear in nearly every advisory and vulnerability feed, participants and users benefit from understanding how the program is run and how IDs are assigned.

Key Points:

Origins and Maintenance:

  • Established in 1999, the CVE program is operated by the MITRE Corporation and sponsored by the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security (DHS).
  • CVE IDs are assigned by authorized organizations known as CVE Numbering Authorities (CNAs), which include vendors, open-source projects, researchers and national CERTs from many countries. MITRE also operates as a CNA of Last Resort for vulnerabilities that fall outside every other CNA’s scope.
  • A CVE Board comprising cybersecurity experts, academics and software developers contributes to the program’s governance.

Industry Standard and Public Availability:

  • The CVE program aims to be the industry standard for identifying and cataloging publicly known vulnerabilities.
  • All information in the CVE List is publicly accessible, so stakeholders can discuss and research specific vulnerabilities by ID. Vendors and security professionals use CVE IDs to correlate scanner findings, advisories and patches. The CVE program itself only identifies and describes vulnerabilities; neither MITRE nor the CNAs, in their CNA role, mitigate or patch them.

CVE Assignment and Vetting Process:

  • CVE IDs are assigned by CNAs (including MITRE’s CVE Assignment Team acting as CNA of Last Resort). Each CNA operates within a defined scope, such as its own products or a particular open-source ecosystem, and follows the CNA Operational Rules to ensure accurate and timely vetting.
  • The Counting Process and the inclusion decision tree determine whether a reported issue qualifies for a CVE ID and how many IDs it needs. Multiple CVE IDs are assigned when a report contains several independently fixable vulnerabilities.
  • Reporters (often the discoverers of the bug) request CVE IDs, providing details such as the vulnerability type, the affected product and versions, and the vendor.

Tags and Disputes:

  • RESERVED marks a CVE ID that a CNA has allocated but for which no details have been published yet; the record is a placeholder until the CNA populates and publishes it.
  • REJECTED marks a CVE ID that should not be used, for example because it duplicates another ID, was assigned to something that is not a vulnerability, or was withdrawn by the CNA.
  • DISPUTED marks a published record whose validity is challenged by the vendor or another authoritative party; the record remains published with the dispute noted, whether the challenge arises before or after analysis by the National Vulnerability Database (NVD).
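
The states above matter in practice when you consume CVE feeds: a RESERVED or REJECTED record should not enter a patching queue, and a DISPUTED one should be verified before anyone acts on it. The following is an added example, not code from the original post or from the CVE program, showing how to validate CVE ID syntax and triage records by state. It assumes the CVE JSON 5.x record shape (`cveMetadata.cveId`, `cveMetadata.state`, and a `disputed` entry in `containers.cna.tags`); the sample records are constructed and do not correspond to real CVE entries. It goes slightly beyond the text by also enforcing the CVE ID format (four-digit year, sequence of at least four digits, as allowed since the 2014 syntax change).

```python
"""Added example (not part of the original post): validate CVE IDs and triage
CVE records by state. Record layout assumed to follow CVE JSON 5.x
(cveMetadata.cveId / cveMetadata.state, containers.cna.tags). All sample
records below are constructed for illustration, not real CVE entries."""
import re
from dataclasses import dataclass

# CVE ID syntax since 2014: "CVE-" + four-digit year + "-" + at least four
# digits with no fixed upper bound. Pre-2014 IDs always had exactly four.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
FIRST_CVE_YEAR = 1999  # the program started in 1999; earlier years are invalid


def parse_cve_id(cve_id: str) -> tuple[int, int]:
    """Return (year, sequence) for a well-formed CVE ID, else raise ValueError.
    Input is normalised to upper case so feeds that emit 'cve-...' still parse."""
    m = CVE_ID_RE.match(cve_id.strip().upper())
    if not m:
        raise ValueError(f"malformed CVE ID: {cve_id!r}")
    year, seq = int(m.group(1)), int(m.group(2))
    if year < FIRST_CVE_YEAR:
        raise ValueError(f"year predates the CVE program: {cve_id!r}")
    return year, seq


def is_valid_cve_id(cve_id: str) -> bool:
    try:
        parse_cve_id(cve_id)
        return True
    except ValueError:
        return False


@dataclass
class Triage:
    cve_id: str
    state: str        # PUBLISHED / RESERVED / REJECTED
    disputed: bool
    actionable: bool  # should this record enter the patching queue?
    reason: str


def triage_record(record: dict) -> Triage:
    """Decide whether a CVE record is actionable based on its state and tags."""
    meta = record["cveMetadata"]
    cve_id = meta["cveId"]
    parse_cve_id(cve_id)  # reject garbage IDs before trusting the rest
    state = meta["state"]
    # Assumption: a dispute is not a state; in CVE JSON 5.x the record stays
    # PUBLISHED and the CNA container carries a "disputed" tag.
    tags = record.get("containers", {}).get("cna", {}).get("tags", [])
    disputed = "disputed" in tags
    if state == "RESERVED":
        return Triage(cve_id, state, disputed, False, "ID allocated, no public details yet")
    if state == "REJECTED":
        return Triage(cve_id, state, disputed, False, "withdrawn (duplicate, not a vulnerability, ...)")
    if disputed:
        return Triage(cve_id, state, True, True, "published but disputed; verify before acting")
    return Triage(cve_id, state, False, True, "published")


# Constructed sample records (not real CVEs), one per state plus a disputed one.
SAMPLE_RECORDS = [
    {"cveMetadata": {"cveId": "CVE-2024-9000001", "state": "PUBLISHED"},
     "containers": {"cna": {"descriptions": [{"lang": "en", "value": "constructed example"}]}}},
    {"cveMetadata": {"cveId": "CVE-2024-9000002", "state": "RESERVED"}},
    {"cveMetadata": {"cveId": "CVE-2023-9000002", "state": "REJECTED"}},
    {"cveMetadata": {"cveId": "CVE-2023-9000003", "state": "PUBLISHED"},
     "containers": {"cna": {"tags": ["disputed"]}}},
]


def actionable_ids(records: list[dict]) -> list[str]:
    """IDs that should reach the patching queue (PUBLISHED, including disputed)."""
    return [t.cve_id for t in map(triage_record, records) if t.actionable]


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        t = triage_record(r)
        print(f"{t.cve_id}: {t.state:9} disputed={t.disputed!s:5} actionable={t.actionable!s:5} ({t.reason})")
```

Running the script prints one triage line per sample record; only the two PUBLISHED records are actionable, and the disputed one is flagged so a reviewer checks the vendor’s position before scheduling a fix.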

NVD CVE Analysis:

  • The NVD ingests each newly published CVE record automatically, typically within about an hour of publication, so the ID and description appear on the NVD site almost immediately.
  • NVD analysts then enrich the record with a CVSS score, a CWE weakness classification and CPE applicability statements identifying the affected products, which is what most scanners and risk tooling consume.


Understanding CVE Counting and the Role of CNAs

Newly discovered vulnerabilities in software or open-source libraries are typically submitted as candidates for MITRE’s Common Vulnerabilities and Exposures (CVE) List. A vetting process ensures that each submission meets the standards for a CVE ID before one is assigned. After the ID is assigned and the record published, the NVD analyzes the vulnerability and publishes its enriched entry on the NVD website. The organizations authorized to assign CVE IDs are the CVE Numbering Authorities (CNAs).

Key Points:

Becoming a CNA:

  • Qualified organizations interested in volunteering their time can become CNAs.
  • CNAs have a specific scope for vetting vulnerabilities.
  • CNAs do not pay fees or sign contracts but adhere to rules for consistency.
  • Typically, CNAs are vendors or seasoned organizations with expertise in researching vulnerabilities and providing security advisories.
  • They often have an established user base and are consulted by researchers and vendors.

CNA Onboarding and Approval:

  • An onboarding process ensures that CNAs meet CVE program standards.
  • Potential CVE analysts and CNA candidates receive instructions and examples for vetting vulnerabilities.
  • Once approved, CNAs become operational.

CNA Hierarchy:

  • CNAs are organized in a hierarchy: the Program Root (now called a Top-Level Root) at the top, Roots beneath it, and ordinary CNAs (historically called Sub-CNAs) at the bottom.
  • Each CNA is overseen by its Root, which handles onboarding, questions and escalations for the CNAs in its scope.
  • All CNAs, regardless of level, follow the same CNA Operational Rules.
  • Roots allocate blocks of CVE IDs to the CNAs beneath them.
  • Non-compliant CNAs may face sanctions and may be required to undergo retraining.

Assigning CVE IDs:

  • The CNA whose scope covers the affected product is the first choice for assigning an ID.
  • Roots and the Program Root may be consulted if the appropriate CNA is unclear or unresponsive.
  • When publishing, a CNA must provide at least one public reference URL containing vulnerability information.
  • Vulnerabilities in malware itself, and in products that are not publicly available (for example, closed betas), are out of scope and do not receive CVE IDs.
  • Once the request is accepted, the CVE ID is given to the reporter, and the CNA notifies the code maintainers so they can coordinate disclosure and a fix.

Vetting Process:

  • Two parts: determining the number of vulnerabilities and assessing eligibility for CVE IDs.
  • Counting Rules guide the first part, while inclusion decisions guide the latter.

Publication and Reporting:

  • CNAs write the vulnerability description, add references, and publish the record with the relevant details.
  • CNAs should submit the completed record to the CVE List within 24 hours of publicly disclosing the vulnerability, so the ID and description become visible promptly.

