Mission and Overview
NVD is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA).
Resource Status
NVD contains:

Last updated: 7/25/2014 1:39:29 PM

CVE Publication rate: 19.37

Email List

NVD provides four mailing lists to the public. For information and subscription instructions, please visit NVD Mailing Lists.

Workload Index
Vulnerability Workload Index: 7.14
About Us
NVD is a product of the NIST Computer Security Division and is sponsored by the Department of Homeland Security's National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).

NVD Frequently Asked Questions

General Questions
Are vulnerabilities ever deleted from the NVD?
Could you please explain the calculation used for the CVSS calculator?
How can my organization use NVD data within our own products and services?
How do I link into NVD from my security product or service?
How do I sign-up for email subscriptions to receive vulnerability information?
How do I use the advanced search feature?
How does NVD assign vulnerability severity scores?
How often is the NVD updated?
How should I use the Common Vulnerability Scoring System (CVSS) scores provided by NVD?
I have a suggestion on how to improve the NVD website, who do I tell?
What is the difference between NVD and the Common Vulnerabilities and Exposures (CVE) standard vulnerability dictionary?
What is the purpose of the statistics engine?
Why does the NVD search engine return hyperlinks to non-NVD vulnerability resources?

Questions about Vulnerability Descriptions, Scores, and Common Platform Enumeration (CPE) Configurations
A vulnerability has been identified, and possibly a CVE has been assigned, why is it not in your database?
How do I submit a vulnerability?
How does NVD assign impact types to vulnerabilities?
I am a software vendor and want to dispute that a vulnerability exists. What should I do?
I have found an error within an NVD Vulnerability Summary, what should I do?
I would like to dispute the score of a vulnerability, what should I do?
One of the links provided with the CVE points to an incorrect hyperlink, what should I do?
The vulnerability has been remediated; can you remove the CVE from the NVD?
What happens after a vulnerability is identified?
What is the difference between a base score, environmental score, and a temporal score?
What is the NVD Vendor Official Statement Service?


General Questions

Are vulnerabilities ever deleted from the NVD?
Vulnerabilities that are rejected by the CVE standard vulnerability dictionary are labeled as such in the description with an explanation of the problem. The vulnerability attribute fields are then cleared. The NVD website will show a webpage for a rejected vulnerability if you send that CVE name in the URL, but rejected vulnerabilities are not included in search results. In the NVD XML Data Feeds, rejected vulnerabilities have the “reject” attribute within the entry field equal to “0”.

Could you please explain the calculation used for the CVSS calculator?
The CVSS Calculator is implemented according to the specification as found at http://www.first.org/cvss/cvss-guide.html. Section 3.2 has a list of all the equations, which should look similar to the page on the NVD. The NVD has an additional value called the Overall CVSS Score. The Overall CVSS Score is something specific to NVD and is the most concise score based on the metrics provided.

How can my organization use NVD data within our own products and services?
All NVD data is freely available from our XML Data Feeds. There are no fees, licensing restrictions, or even a requirement to register. All NIST publications are available in the public domain according to Title 17 of the United States Code. Acknowledgment of the NVD when using our information is appreciated. In addition, please email nvd@nist.gov to let us know how the information is being used.

How do I link into NVD from my security product or service?
Any product containing NVD or CVE data can be integrated with the NVD web site vulnerability summaries. To link to a particular vulnerability summary, simply use the hyperlink format http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0322 where "CVE-2001-0322" is replaced with the name of the vulnerability of interest. Note that one can leave out the "CVE" prefix and the link still works (e.g., http://web.nvd.nist.gov/view/vuln/detail?vulnId=2001-0322).

How do I sign-up for email subscriptions to receive vulnerability information?
The NVD does not currently deliver vulnerability information through email. Refer to the XML Data Feeds, specifically nvdcve-2.0-modified.xml and nvdcve-2.0-recent.xml, which include the most up-to-date vulnerability information in the repository.

How do I use the advanced search feature?
The advanced search feature allows you to search for a specific vendor, product, published date, modified date, or any of the CVSS metrics. In addition, you can search for any combination of these vulnerability criteria.

How does NVD assign vulnerability severity scores?
NVD uses the Common Vulnerability Scoring System (CVSS) Version 2. CVSS is an open standard for assigning vulnerability impacts that is used by a variety of organizations. See http://nvd.nist.gov/cvss.cfm?version=2 for more information.

How often is the NVD updated?
The NVD is updated immediately with raw vulnerability information whenever a new vulnerability is added to the CVE standard dictionary of vulnerabilities. These raw vulnerabilities are then analyzed by NVD analysts and augmented with vulnerability attributes (e.g. vulnerable versions) within two business days, excluding Federal Holidays.

How should I use the Common Vulnerability Scoring System (CVSS) scores provided by NVD?
The NVD analysis process provides a Base metric vector and associated score as calculated using the CVSS Base Equation. Organizations can use this information, along with additional Temporal and Environmental vectors and scores, to determine an overall score. This score can then be used to assist in ranking the severity of vulnerabilities associated with the organization’s computer network, which can help determine mitigation strategies. For more information on CVSS metrics, vectors, and scores, please refer to http://www.first.org/cvss/cvss-guide.html.

I have a suggestion on how to improve the NVD website, who do I tell?
If you have a suggestion on how to improve the NVD please email nvd@nist.gov for feature or enhancement consideration.

What is the difference between NVD and the Common Vulnerabilities and Exposures (CVE) standard vulnerability dictionary?
NVD is the CVE standard augmented with additional analysis, a database, and a fine-grained search engine. NVD is a superset of CVE. NVD is synchronized with CVE such that any updates to CVE appear immediately on NVD.

What is the purpose of the statistics engine?
The NVD statistics engine allows users to generate statistics on vulnerability trends over time. Users can track particular products or vendors, or sets of vulnerabilities with particular attributes (such as remotely exploitable buffer overflows). The inclusion or exclusion of a product from the NVD does not denote how secure a product is. The vulnerabilities included in the NVD are largely those that are found by security researchers or self-reported by the vendor.

Why does the NVD search engine return hyperlinks to non-NVD vulnerability resources?
NVD integrates publicly available U.S. government vulnerability resources within a single search engine. Thus, when a user performs a search, relevant U.S. government hyperlinks are returned. The search always returns a vulnerability summary for each CVE. The "Resource Status" section on the NVD left bar shows how many non-NVD U.S. government vulnerability resources are integrated into NVD. Note that NVD also contains large numbers of industry vulnerability references within the NVD vulnerability summaries.

Questions about Vulnerability Descriptions, Scores, and Common Platform Enumeration (CPE) Configurations

A vulnerability has been identified, and possibly a CVE has been assigned, why is it not in your database?
Although a CVE ID may have been assigned by either CVE or a CNA, it will not be available in the NVD if it has a status of RESERVED by CVE. Please check the CVE dictionary first, and if you have further questions about a specific CVE and when it will be available, please contact cve@mitre.org directly.

How do I submit a vulnerability?
The NIST National Vulnerability Database does not accept vulnerability reports directly. If you would like to report a vulnerability please contact CERT/CC at https://forms.cert.org/VulReport/.

How does NVD assign impact types to vulnerabilities?
The NVD assigns vulnerabilities the following impact types: confidentiality ("allows unauthorized disclosure of information"), integrity ("allows unauthorized modification"), availability ("allows disruption of service"), and security protection ("provides unauthorized access"). The "provides unauthorized access" category refers to the acquisition of general privileges in the application or entire computer (e.g., getting "root access" or an application account). This category has three possible sub-categorizations: one for user level access to the operating system, another for getting administrator privileges, and another for other privileged access. Note that NVD only records what impact types a vulnerability directly allows. Many vulnerabilities give an attacker general privileges on a computer or within an application (e.g., the ability to execute code). With that privilege, it is assumed an attacker can violate the confidentiality, integrity, or availability of the affected context.

I am a software vendor and want to dispute that a vulnerability exists. What should I do?
The NVD is completely based upon the CVE standard vulnerability dictionary. To dispute a vulnerability, contact CVE at cve@mitre.org (and carbon copy NVD at nvd@nist.gov in the email). CVE will correct the problem (or mark the vulnerability as “vendor disputed”) and NVD will automatically update with the new information.

I have found an error within an NVD Vulnerability Summary, what should I do?
Send an email to cve@mitre.org to request updates to the vulnerability descriptions, with an explanation of the error and any relevant details (e.g. sources of information that demonstrate the error). If it is determined that a CVE’s vulnerability summary should be revised, they will update their data feed, which will generally be updated in the NVD feeds within 24 hours of an update to the CVE data feed. When you hear that the vulnerability description will be updated, please email nvd@nist.gov so we can make any required changes.

I would like to dispute the score of a vulnerability, what should I do?
If you believe a score should be changed based on publicly available information that may not have been available at the time of the scoring, please email a description of the issue with supporting public information to nvd@nist.gov, and the NVD analysts will review the score and respond appropriately.

One of the links provided with the CVE points to an incorrect hyperlink, what should I do?
If you discover that a hyperlink does not reference the correct CVE please email cve@mitre.org with the incorrect link and any other applicable information.

The vulnerability has been remediated; can you remove the CVE from the NVD?
The NVD does not remove vulnerabilities from the database. If you wish to dispute a CVE, please contact cve.mitre.org (cve@mitre.org) who controls the assignment, description, and deprecation of CVEs. If it is determined that a CVE should not have been assigned, they will update their data feed, which will then be updated in the NVD feeds within 24 hours. In addition you can also submit a vendor comment through the NVD Vendor Official Statement Service. If you are the vendor and would like to add a reference link to a patch, please email cve.mitre.org to have the link added.

What happens after a vulnerability is identified?
CVE identifiers are assigned by CVE and other CVE Numbering Authorities (CNAs). The NVD receives data feeds from the CVE website and in turn performs analysis to determine impact metrics (CVSS), vulnerability types (CWE), and applicability statements (CPE), as well as other pertinent metadata. The NVD does not actively perform vulnerability testing, relying on vendors and third-party security researchers to provide information that is then used to assign these attributes. We then perform additional research to confirm that CPEs comply with CPE specifications and include them in the official CPE dictionary. As additional information becomes available, CVSS scores and configurations are subject to change.

What is the difference between a base score, environmental score, and a temporal score?
The Common Vulnerability Scoring System (CVSS) provides the following definitions for the three types of scores. Base: represents the intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments. Temporal: represents the characteristics of a vulnerability that change over time but not among user environments. Environmental: represents the characteristics of a vulnerability that are relevant and unique to a particular user’s environment. The NVD provides the base score for vulnerabilities. Individual users can then apply temporal and environmental scores to the vulnerability to more accurately reflect their unique environment. For more information related to CVSS, please refer to the Common Vulnerability Scoring System (CVSS) Version 2. A complete CVSS v2 calculator is available at CVSS Calculator.

What is the NVD Vendor Official Statement Service?
If you would like to provide an official vendor comment, which can include information regarding links to patches or product updates, please submit the specific text or information from a valid vendor email address to nvd@nist.gov, and we will be happy to post it verbatim for the associated CVE.