U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Start Here

The Common Vulnerabilities and Exposures (CVE) program is a dictionary or glossary of vulnerabilities that have been identified for specific code bases, such as software applications or open libraries. A unique identifier known as the CVE ID allows stakeholders a common means of discussing and researching a specific, unique exploit. The Common Platform Enumeration (CPE) program fufills a function similar to the CVE program for IT products and platforms. The Security Content Automation Protocol (SCAP) program combines CVE and CPE in a suite of tools to help automate vulnerability management and evaluate compliance with federal information technology security requirements.

The NVD maintains the authoritative CPE dictionary, while the CVE program is maintained by the MITRE corporation. Both programs are sponsored by the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA). The National Vulnerability Database (NVD) is tasked with analyzing each CVE once it has been published to the CVE List. NVD analysts use the reference information provided with the CVE and any publicly available information at the time of analysis to associate Reference Tags, Common Vulnerability Scoring System (CVSS) v2.0, CVSS v3.1, CWE, and CPE Applicability statements.

CVEs are typically available in the NVD within an hour of their publishing. Once a CVE is in the NVD, analysts can begin the analysis process. The processing time can vary depending on the CVE, the information available, and the quantity of CVEs published within a given timeframe. After analysis is provided, CVEs may be updated (modified). If modifications are available, the NVD publishes these updates once every two hours. The CPE Dictionary is updated nightly when modifications or new names are added.

Request an API Key

  1. On the API key requests page, enter data into the three fields on the requests form.
  2. Scroll to the bottom of the Terms of Use, and then click the check box marked “I agree to the Terms of Use.”
  3. Check the inbox of the email address provided in the steps above for an email from nvd-noreply@nist.gov.
  4. Activate and view the API Key by opening the single-use hyperlink. Store the API Key in a secure location as the page will no longer be available after it is closed. If your key is not activated within seven days, a request for a new API Key must be submitted.

Each API Key is associated with a single email address. If an email address is used to request an additional API key, clicking the single-use hyperlink will invalidate the key previously associated with that email address.  The key will not be invalidated if the email is used to request another key, but the link is not opened. There is no process for retrieving a forgotten key.

Rate Limits

Requesting an API key allows for users to make a greater number of requests in a given time than they could otherwise. The public rate limit (without an API key) is 10 requests in a rolling 60 second window; the rate limit with an API key is 100 requests in a rolling 60 second window.

The best practice for making requests within the rate limit is to use the modified date parameters. No more than once every two hours, automated requests should include a range where modStartDate equals the time of the last CVE or CPE received and modEndDate equals the current time. Enterprise scale development should enforce this approach through a single requestor to ensure all users are in sync and have the latest CVE and CPE information. It is also recommended that users "sleep" their scripts for six seconds between requests.

Keep Up To Date with the NVD

The process of requesting an API key requires users to provide a valid email address. About twice a year, the NVD may send a user experience survey to any email addresses that have requested an API key. The NVD does not automatically enroll these addresses in any discussion group or mailing list. It is recommended that developers using the NVD API opt into the NVD News Google Group . This group can be a valuable resource for enterprise application developers and novice researchers alike.

Questions, comments, or concerns may be shared with the NVD by emailing nvd@nist.gov