- What is the CVE Lifecycle?
- What are CVE Statuses in NVD?
- What does it mean when a CVE status says "Modified"?
- If a CVE has been remediated can it be removed from the NVD?
- How do I request a change to a CVE description or reference links?
- What are reference tags?
- How does the CVSS calculation work and where is it from?
- How should I use CVSS scores provided by NVD?
- How do I dispute a CVSS vector string provided by NVD?
- Why don’t scores provided by NVD match scores provided by vendors or other parties?
- Have all older CVEs been updated to CVSSv3?
- Why does the NVD not contain a CVE-ID that is publicly disclosed?
Q.
What is the CVE Lifecycle?
A.
Vulnerabilities are identified by CVE Numbering Authorities (CNA), individuals, or organizations and reported to the CVE Program. When a vulnerability is identified, the CVE Assignment Team or CNA may assign the vulnerability a CVE Identifier (CVE-ID). A determination is then made by the CNA or CVE Assignment Team to publish the information for the CVE, changing the CVE in the Official CVE List from being marked **RESERVED** to having a published CVE Description and Reference links.
The National Vulnerability Database (NVD) is tasked with enriching each CVE once it has been published to the CVE List. NVD enrichment efforts use the reference information provided with the CVE and any publicly available information at the time of enrichment to associate Reference Tags, Common Vulnerability Scoring System (CVSS) v4.0, CVSS v3.1 base metrics, CWE, and CPE Applicability statements.
Q.
What are CVE Statuses in NVD?
A.
The NVD includes statuses for both the NVD and CVE Program workflows. For details on the statuses that each organization uses please reference nvd.nist.gov/vuln/vulnerability-status.
Q.
What does it mean when a CVE status says "Modified"?
A.
Once a CVE is in the NVD, enrichment efforts can begin. After enrichment is complete, CVE data may be updated (modified). If modification occurs, the NVD will automatically refresh any associated CVE records. The NVD publishes a changelog for every CVE that may be accessed on the CVE record’s detail page or the Change History API.
If the CVE changes to the REJECTED status in the CVE List, the NVD record will also change to REJECTED and any previously associated data will be removed except for the CVE Description. The CVE Description is then be updated to reflect what information is present in the CVE List as rejected CVE descriptions explain the rejection.
Q.
If a CVE has been remediated can it be removed from the NVD?
A.
No. If a vulnerability has been remediated, it still exists in unpatched code. Similarly, vulnerabilities that are marked as rejected in the CVE Assignment Team or CNAs also remain in the database.
Q.
How do I request a change to a CVE description or reference links?
A.
The NVD does not have direct control over CVE descriptions or reference links provided by the CVE List. You will need to contact the CVE Assignment Team using the form at cveform.mitre.org. Changes from the CVE List to a CVE already published in the NVD will be populated on the website and API within 24 hours.
Q.
What are reference tags?
A.
See AlsoCVEs and the NVD ProcessNVD enrichment efforts associate reference tags (e.g., Vendor Advisory, Patch, Third Party Advisory) to CVE reference links provided in the CVE List. Reference tags categorize the links and help make sense of the information.
Q.
How does the CVSS calculation work and where is it from?
A.
CVSS is an industry standard used to supply a qualitative measure of severity. CVSS is not a measure of risk. CVSS v2.0, 3.0 and 3.1 consist of three metric groups: Base, Temporal, and Environmental. CVSS v4.0 consists of four metric groups: Base, Threat, Environmental and Supplemental.Each is maintained by the FIRST CVSS Special Interest Group (SIG). NVD's CVSS calculator is implemented according to the specification found at first.org/cvss/specification-document.
The NVD also offers the public CVSS calculators for CVSS v2.0, v3.0, v3.1 and v4.0. The CVSS v3 calculator page contains buttons which allow users to toggle between CVSS v3.0 and 3.1 equations.
nvd.nist.gov/vuln-metrics/cvss/v2-calculator
Q.
How should I use CVSS scores provided by NVD?
A.
NVD enrichment efforts provide CVSS Vector strings for base metrics that produce a score ranging from 0 to 10, which can then be modified by assessing the Temporal and Environmental metrics. Organizations can use this information, along with their own individualized Temporal and Environmental vectors and metrics, to determine an overall score. The overall score can then be used in ranking the severity of vulnerabilities associated with the organization’s information systems and help to determine mitigation strategies.
Q.
How do I dispute a CVSS vector string provided by NVD?
A.
Any issues regarding the data associated by NVD enrichment efforts can be disputed by contacting NVD staff using ourcontact form.
Q.
Why don’t scores provided by NVD match scores provided by vendors or other parties?
A.
The NVD assesses CVEs using publicly available information at the time of enrichment. To ensure that the vector strings in the NVD reflect publicly available information and abide by CVSS specification guidelines, CVSS vector strings provided by third parties are not copied outright. This can lead to differences in CVSS vector strings between different parties. Usually NVD and vendor/third party vector strings differ due to information being overly vague or unavailable at the time of enrichment. If you believe that a CVSS vector string should be revised, please contact the NVD using ourcontact form and provide publicly available information that corroborates any claims.
Q.
Have all older CVEs been updated to CVSSv3?
A.
The NVD is prioritizes the enrichment of new vulnerabilities or vulnerabilities that have changed since their last enrichment. At this time, there are no plans to retroactively assess vulnerabilities published before Dec 20, 2015 with CVSS v3.0 scores.
A similar approach is planned for after the release of CVSSv4.
Q.
Why does the NVD not contain a CVE-ID that is publicly disclosed?
A.
Third-party organizations may release advisories regarding a CVE-ID prior to that CVE being published in the CVE List. The CVE Program refers to these as “Reserved but Public” (RBP). The NVD does not participate in the vulnerability disclosure or the CVE publication process. CVEs are typically available in the NVD within an hour of being published to the CVE List. If you have further questions, please contact the CVE Assignment Team directly atcveform.mitre.org.
Created September 20, 2022 , Updated June 27, 2024
