General FAQs

  1. What is the difference between the CVE List and the NVD?
  2. What is the NVD analysis process and how is it done?
  3. How do I report a vulnerability?
  4. How do vulnerabilities get into the NVD?
  5. How do I dispute a CVE in the NVD?
  6. A vulnerability is identified, and possibly assigned a CVE ID, why is it not in the NVD?
  7. How do I report a problem with NVD data?
  8. How can my organization use the NVD data within our own products and services?
  9. How often is the data in the NVD updated?
  10. How do I provide a suggestion for improvement of the NVD website or data provided?
  11. Where can I learn more about SCAP (Security Content Automation Protocol)?
  12. My IP address appears to be blocked from accessing NVD data. What should I do?
  13. Where can I find more information about USGCB or FDCC?
Q.
What is the difference between the CVE List and the NVD?
A.
CVE® is a list of publicly disclosed cybersecurity vulnerabilities and exposures that is free to search, use, and incorporate into products and services. It is currently maintained by MITRE and is available at https://cve.mitre.org/cve/.
NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.
The NVD is the CVE List augmented with additional analysis, a database, and a fine-grained search engine. The NVD is synchronized with CVE such that any updates to CVE appear immediately on the NVD.
Q.
What is the NVD analysis process and how is it done?
A.
Once a CVE has been published to the CVE List it is typically available in the NVD within an hour. Once a CVE is in the NVD, our analysts are able to perform analysis. This process can take time depending on the CVE, the information available and the number of CVEs published within a given timeframe. NVD analysts use the reference information provided with the CVE and any publicly available information at the time of analysis to associate Reference Tags, CVSS v2.0, CVSS v3.1, CWE and CPE Applicability statements. If any information is lacking, unclear or conflicts between sources, the NVD policy is to represent the worst-case scenario. The NVD takes this conservative approach to avoid underreporting the possible severity of a given vulnerability. Information can change over time. If new information becomes available and analysis results should be amended to reflect it, please contact the NVD at nvd@nist.gov.
Q.
How do I report a vulnerability?
A.
The NVD does not participate in the vulnerability disclosure or the CVE publication process. The publication to the CVE data feed is controlled by the CVE Assignment Team. Once the CVE is published in the CVE data feeds, it will be available on the NVD website within 24 hours. If you would like to report a vulnerability, please contact CERT/CC at https://www.kb.cert.org/vuls/report/ or the CVE Assignment Team using the form at https://cveform.mitre.org/.
Q.
How do vulnerabilities get into the NVD?
A.
The NVD processes the official CVE list every hour to ingest new CVE publications, rejections or modifications. The NVD only contains CVEs that have been published to the Official CVE List. Any CVE that is still in a **RESERVED** state will not be ingested into the NVD. 
Q.
How do I dispute a CVE in the NVD?
A.
The NVD does not participate in the vulnerability disclosure or the CVE publication process, nor are we involved in the determinations for the legitimacy of any particular CVE. These are all functions of the CVE Assignment Team and occur upstream from NVD efforts. As such, we do not have any insight into the nature of disputed CVEs aside from the information that is publicly available in the CVE Description, public forums or advisories. For information regarding a particular CVE dispute, or to dispute the legitimacy of a CVE, external parties can contact the CVE Assignment Team using the form at https://cveform.mitre.org/.
Q.
A vulnerability is identified, and possibly assigned a CVE ID, why is it not in the NVD?
A.
The NVD only contains CVEs that have been published to the official CVE list. CVEs that have not been published are in the RESERVED state and their CVE Descriptions should reflect that by containing “** RESERVED **”. The publication to the CVE data feed is controlled by the CVE Assignment Team. Once the CVE is published in the CVE data feeds, it will be available on the NVD website within a few hours.
Q.
How do I report a problem with NVD data?
A.
To report a problem with NVD data, please email us at nvd@nist.gov. For issues specifically regarding the CPE dictionary, please email cpe_dictionary@nist.gov.
Q.
How can my organization use the NVD data within our own products and services?
A.
All NVD data is freely available from our data feeds (https://nvd.nist.gov/vuln/data-feeds). There are no fees, licensing restrictions, or even a requirement to register. All NIST publications are available in the public domain according to Title 17 of the United States Code. Acknowledgment of the NVD when using our information is appreciated. In addition, please email nvd@nist.gov to let us know how the information is being used.
Q.
How often is the data in the NVD updated?
A.
Changes made to the CVE List are populated in the NVD on an hourly basis. Once CVEs are available in the NVD, analysts immediately begin analysis efforts, which usually take between one and three days to publish depending on the volume of new CVE publications at any given time. Once changes are published, they are updated within the Recent and Modified Vulnerability feeds and the RSS feeds every two hours. All other data feeds offered by NVD are updated on a nightly basis.
Q.
How do I provide a suggestion for improvement of the NVD website or data provided?
A.
If you have a suggestion on how to improve the NVD, please email nvd@nist.gov for feature or enhancement consideration.
Q.
Where can I learn more about SCAP (Security Content Automation Protocol)?
Q.
My IP address appears to be blocked from accessing NVD data. What should I do?
A.
The NVD implements request throttling protections and your organization or automated processes may have triggered them for your IP address. You can resolve this by reducing the frequency of requests to the website or feeds to a more reasonable interval. If you are still experiencing access issues you can contact nvd@nist.gov for clarification.
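One way to keep an automated client under the throttling limits is to poll no more often than the feeds actually change, using the cadence given in the update-frequency answer above. The sketch below is an added example, not NVD code: the feed labels, the `fetch` interface, the way throttling is signalled, the 24-hour stand-in for "nightly" and the backoff cap are all assumptions.

```python
"""Added example: pace feed polling to the update cadence stated in this FAQ."""
from dataclasses import dataclass, field

HOUR = 3600
# From the FAQ: Recent and Modified feeds refresh every two hours, all other
# feeds nightly. The feed labels are hypothetical names used only here.
FEED_INTERVAL = {"recent": 2 * HOUR, "modified": 2 * HOUR}
NIGHTLY = 24 * HOUR          # assumption: "nightly" treated as once per 24 hours
MAX_BACKOFF = 24 * HOUR      # assumption: cap chosen for this example


@dataclass
class FeedPoller:
    """Decides when a feed may be requested again and never fetches early."""
    next_allowed: dict = field(default_factory=dict)     # feed -> epoch seconds
    throttled_count: dict = field(default_factory=dict)  # feed -> consecutive throttles

    def interval(self, feed):
        return FEED_INTERVAL.get(feed, NIGHTLY)

    def poll(self, feed, now, fetch):
        """Call fetch(feed) only when due. fetch returns 'ok' or 'throttled'
        (hypothetical interface; the real throttling signal is not documented here)."""
        if now < self.next_allowed.get(feed, 0):
            return "skipped"
        result = fetch(feed)
        if result == "throttled":
            n = self.throttled_count.get(feed, 0) + 1
            self.throttled_count[feed] = n
            # Double the wait for each consecutive throttle, up to the cap.
            wait = min(self.interval(feed) * 2 ** n, MAX_BACKOFF)
        else:
            self.throttled_count[feed] = 0
            wait = self.interval(feed)
        self.next_allowed[feed] = now + wait
        return result


def simulate():
    """Constructed run: a job that wakes every 30 minutes for 8 hours."""
    responses = iter(["ok", "throttled", "ok", "ok"])  # constructed server replies
    calls = []

    def fake_fetch(feed):
        calls.append(feed)
        return next(responses)

    poller = FeedPoller()
    log = [poller.poll("modified", t, fake_fetch)
           for t in range(0, 8 * HOUR + 1, 30 * 60)]
    return log, len(calls)
```

In the constructed run, 17 wake-ups produce only four outbound requests, and the single throttled reply pushes the next attempt out to four hours instead of two.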
Q.
Where can I find more information about USGCB or FDCC?
A.
The purpose of the United States Government Configuration Baseline (USGCB) (formerly the Federal Desktop Core Configuration (FDCC)) initiative is to create security configuration baselines for Information Technology products widely deployed across the federal agencies.
More information can be found at:
USGCB:  https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline
FDCC:  https://www.nist.gov/programs-projects/federal-desktop-core-configuration-fdcc