Vulnerabilities are identified by CVE Numbering Authorities (CNA), individuals, or organizations and reported to the CVE Program. When a vulnerability is identified, the CVE Assignment Team or CNA may assign the vulnerability a CVE Identifier (CVE-ID). A determination is then made by the CNA or CVE Assignment Team to publish the information for the CVE, changing the CVE in the Official CVE List from being marked **RESERVED** to having a published CVE Description and Reference links.

The National Vulnerability Database (NVD) is tasked with analyzing each CVE once it has been published to the CVE List. NVD analysts use the reference information provided with the CVE and any publicly available information at the time of analysis to associate Reference Tags, Common Vulnerability Scoring System (CVSS) v3.1 base metrics, CWE, and CPE Applicability statements.

The NVD includes statuses for both the NVD and CVE Program workflows. For details on the statuses that each organization uses please reference nvd.nist.gov/vuln/vulnerability-status.

Once a CVE is in the NVD, analysts can begin the analysis process. After analysis is complete, CVE data may be updated (modified). If modification occurs, the NVD will automatically refresh any associated CVE records. The NVD publishes a changelog for every CVE that may be accessed on the CVE record’s detail page or the Change History API.

If the CVE changes to the REJECTED status in the CVE List, the NVD record will also change to REJECTED and any previously associated data will be removed except for the CVE Description. The CVE Description is then be updated to reflect what information is present in the CVE List as rejected CVE descriptions explain the rejection.

No. If a vulnerability has been remediated, it still exists in unpatched code. Similarly, vulnerabilities that are marked as rejected in the CVE Assignment Team or CNAs also remain in the database.

The NVD does not have direct control over CVE descriptions or reference links provided by the CVE List. You will need to contact the CVE Assignment Team using the form at cveform.mitre.org. Changes from the CVE List to a CVE already published in the NVD will be populated on the website and API within 24 hours.

NVD analysts apply reference tags (e.g., Vendor Advisory, Patch, Third Party Advisory) to CVE reference links provided in the CVE List. Reference tags categorize the links and help make sense of the information.

CVSS is an industry standard used to supply a qualitative measure of severity. CVSS is not a measure of risk. CVSS v2.0, 3.0 and 3.1 consist of three metric groups: Base, Temporal, and Environmental. It is maintained by the FIRST CVSS Special Interest Group (SIG). NVD's CVSS calculator is implemented according to the specification found at first.org/cvss/specification-document.

The NVD also offers the public CVSS calculators for CVSS v2.0, 3.0 and 3.1. The CVSS v3 calculator page contains buttons which allow users to toggle between CVSS v3.0 and 3.1 equations.

nvd.nist.gov/vuln-metrics/cvss/v2-calculator

nvd.nist.gov/vuln-metrics/cvss/v3-calculator

NVD analysts provide CVSS Vector strings for base metrics that produce a score ranging from 0 to 10, which can then be modified by assessing the Temporal and Environmental metrics. Organizations can use this information, along with their own individualized Temporal and Environmental vectors and metrics, to determine an overall score. The overall score can then be used in ranking the severity of vulnerabilities associated with the organization’s information systems and help to determine mitigation strategies.

Any issues regarding the data associated by NVD analysts can be disputed by contacting NVD staff using our contact form.

The NVD assesses CVEs using publicly available information at the time of analysis. To ensure that the vector strings in the NVD reflect publicly available information and abide by CVSS specification guidelines, CVSS vector strings provided by third parties are not copied outright. This can lead to differences in CVSS vector strings between different parties. Usually NVD and vendor/third party vector strings differ due to information being overly vague or unavailable at the time of analysis. If you believe that a CVSS vector string should be revised, please contact the NVD using our contact form and provide publicly available information that corroborates any claims.

The NVD is prioritizes the analysis of new vulnerabilities or vulnerabilities that have changed since their last analysis. At this time, there are no plans to retroactively score vulnerabilities published before Dec 20, 2015 with CVSS v3.0 scores.

A similar approach is planned for after the release of CVSSv4.

Third-party organizations may release advisories regarding a CVE-ID prior to that CVE being published in the CVE List. The CVE Program refers to these as “Reserved but Public” (RBP). The NVD does not participate in the vulnerability disclosure or the CVE publication process. CVEs are typically available in the NVD within an hour of being published to the CVE List. If you have further questions, please contact the CVE Assignment Team directly at cveform.mitre.org.