Mission and Overview
NVD is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA).
Resource Status
NVD contains:

Last updated: 12/26/2014 1:36:36 AM

CVE Publication rate: 18.77

Email List

NVD provides four mailing lists to the public. For information and subscription instructions please visit NVD Mailing Lists

Workload Index
Vulnerability Workload Index: 7.69
About Us
NVD is a product of the NIST Computer Security Division and is sponsored by the Department of Homeland Security's National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).

NVD Frequently Asked Questions

General Questions

Questions about Vulnerability Descriptions, Scores, and Common Platform Enumeration (CPE) Configurations

National Checklist Program (NCP) Questions


NVD FAQ Answers

General Questions

What is the difference between the NVD and the Common Vulnerabilities and Exposures (CVE) standard vulnerability dictionary?
The NVD is the CVE dictionary augmented with additional analysis, a database, and a fine-grained search engine. The NVD is a superset of CVE. The NVD is synchronized with CVE such that any updates to CVE appear immediately on the NVD.
How does the NVD assign vulnerability severity scores?
The NVD uses the Common Vulnerability Scoring System (CVSS) Version 2, which is an open standard for assigning vulnerability impacts that is used by a variety of organizations. NISTIR 7946 - CVSS Implementation Guidance describes methodologies developed by the NVD for using CVSS, and along with Appendix B describes the NVD’s entire vulnerability assessment process.
How should I use the CVSS scores provided by the NVD?
The NVD analysis process provides a Base metric vector and associated score as calculated using the CVSS Base Equation. Organizations can use this information, along with additional Temporal and Environmental vectors and scores, to determine an overall score. This score can then be used to assist in ranking the severity of vulnerabilities associated with the organization’s computer network, which can help determine mitigation strategies. For more information on CVSS metrics, vectors, and scores, please refer to the CVSSv2 Complete Documentation.
Could you please explain the calculation used for the CVSS calculator?
The CVSS calculator is implemented according to the specification as found at http://www.first.org/cvss/cvss-guide.html. Section 3.2 has a list of all the equations, which should look similar to the page published on the NVD website. The NVD has an additional value called the Overall CVSS Score. The Overall CVSS Score is something specific to the NVD and is the most concise score based on the metrics provided.
How can my organization use the NVD data within our own products and services?
All NVD data is freely available from our XML Data Feeds. There are no fees, licensing restrictions, or even a requirement to register. All NIST publications are available in the public domain according to Title 17 of the United States Code. Acknowledgment of the NVD when using our information is appreciated. In addition, please email nvd@nist.gov to let us know how the information is being used.
How often is the NVD updated?
The NVD is updated whenever a new vulnerability is added to the CVE dictionary of vulnerabilities. The vulnerabilities are then analyzed by NVD analysts and augmented with vulnerability attributes (e.g. vulnerable versions) within two business days, excluding Federal Holidays.
Are vulnerabilities ever deleted from the NVD?
Vulnerabilities that are marked as rejected by the CVE editors are labeled as such in the description. The vulnerability attribute fields are then cleared. The NVD website will show a webpage for rejected vulnerabilities if you send that CVE name in the URL but they are not included in a search result. In the XML Data Feeds, rejected vulnerabilities have the “reject” attribute within the entry field equal to “0”.
What is the purpose of the statistics engine?
The NVD statistics engine allows users to generate statistics on vulnerability trends over time. Users can track particular products or vendors, or sets of vulnerabilities with particular attributes (such as remotely exploitable buffer overflows). The inclusion or exclusion of a product from the NVD does not denote how secure a product is. The vulnerabilities included in the NVD are largely those that are found by security researchers or self-reported by the vendor.
How do I sign-up for email subscriptions to receive vulnerability information?
Currently, the NVD does not deliver vulnerability information through email. Refer to the XML Data Feeds page to learn more about how to stay up to date.
I have a suggestion on how to improve the NVD website, who do I tell?
If you have a suggestion on how to improve the NVD please email for feature or enhancement consideration.

Questions about Vulnerability Descriptions, Scores, and Common Platform Enumeration (CPE) Configurations

What happens after a vulnerability is identified?
CVE identifiers are assigned by CVE and other CVE Numbering Authorities (CNAs). The NVD receives data feeds from the CVE website and in turn performs analysis to determine impact metrics (CVSS), vulnerability types (CWE), and applicability statements (CPE), as well as other pertinent metadata. The NVD does not actively perform vulnerability testing, relying on vendors and third-party security researchers to provide information that is then used to assign these attributes. We then perform additional research to confirm that CPEs comply with CPE specifications and include them in the official CPE dictionary. As additional information becomes available, CVSS scores and configurations are subject to change.
A vulnerability has been identified, and possibly a CVE has been assigned, why is it not in your database?
Although a CVE ID may have been assigned by either CVE or a CNA, it will not be available in the NVD if it has a status of RESERVED by CVE. Please check the CVE dictionary first, and if you have further questions about a specific CVE and when it will be available, please contact cve@mitre.org directly.
I have found an error within an NVD Vulnerability Summary, what should I do?
Send an email to cve@mitre.org to request updates to the vulnerability descriptions, with an explanation of the error and any relevant details (e.g. sources of information that demonstrate the error). If it is determined that a CVE vulnerability summary should be revised, they will update their data feed, which will generally be updated in the NVD within 24 hours of an update to the CVE data feed. When you hear that the vulnerability description will be updated please email the NVD to ensure any required changes occur.
One of the links provided with the CVE points to an incorrect hyperlink, what should I do?
If you discover that a hyperlink does not reference the correct CVE please email cve@mitre.org with the incorrect link and any other applicable information.
I am a software vendor and want to dispute that a vulnerability exists. What should I do?
The NVD is based upon the CVE standard vulnerability dictionary. To dispute a vulnerability, contact the CVE Editorial Board (and carbon copy the NVD). Any action taken will be published in the CVE dictionary data feeds, and reflected on the NVD Vulnerability summary page within 24 hours.
I would like to dispute the score of a vulnerability. What should I do?
If you believe a score should be changed based on publicly available information that may not have been available at the time of the scoring please email including the CVE ID and a description of the issue with supporting public information and the NVD analysts will review the score and respond appropriately.
The vulnerability has been remediated; can you remove the CVE from the NVD?
The NVD does not remove vulnerabilities from the database. If you wish to dispute a CVE, please contact the CVE Editorial Board who controls the assignment, description, and deprecation of CVEs. If it is determined that a CVE should not have been assigned, they will update their data feed, which will then be updated in the NVD feeds within 24 hours. In addition you can also submit a vendor comment through the
What is the NVD Vendor Official Statement Service?
If you would like to provide an official vendor comment, which can include information regarding links to patches or product updates, please submit the specific text or information from a valid vendor email address and we will post it for the associated CVE.
How do I report a vulnerability to the NVD?
The NIST National Vulnerability Database does not accept vulnerability reports directly. If you would like to report a vulnerability, please contact CERT/CC.
How do I find out more information about the United States Government Configuration Baseline?
Go to The United States Government Configuration Baseline (USGCB) - FAQ page.
How do I find out more about SCAP?
Go to Security Content Automation Protocol (SCAP) Validation FAQ

National Checklist Program (NCP) Questions

How do I find a checklist?
Perform a search of the National Checklist Program Repository. The search engine provides filters to specify any known information such as Checklist Tier, Target Product, Product Category, Authority, or by using a specific keyword to locate checklists. If the checklist is not in the NCP, please contact your organization's security division for guidance related to system configuration submitting a new checklist to the NCP.
If I have specific questions about the checklist who do I contact?
Please refer to the Point of Contact section on the Checklist Detail page.
How do I submit a new checklist to the NCP?
Please refer to Special Publication 800-70r2 - National Checklist Program for IT Products — Guidelines for Checklist Users and Developers, Section 5.2.