General FAQs

  1. What is the difference between the CVE List and the NVD?
  2. What is the NVD analysis process and how is it done?
  3. How do I report a vulnerability?
  4. How do vulnerabilities get into the NVD?
  5. How do I dispute a CVE in the NVD?
  6. A vulnerability is identified, and possibly assigned a CVE ID, why is it not in the NVD?
  7. How do I report a problem with NVD data?
  8. How can my organization use the NVD data within our own products and services?
  9. How often is the data in the NVD updated?
  10. How do I provide a suggestion for improvement of the NVD website or data provided?
  11. Where can I learn more about SCAP (Security Automation Protocol)?
  12. My IP address appears to be blocked from accessing NVD data. What should I do?
  13. Where can I find more information about USGCB or FDCC?
Q.
What is the difference between the CVE List and the NVD?
A.

The CVE Program is maintained by the MITRE corporation and sponsored by the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA). The CVE List is a list of publicly disclosed cybersecurity vulnerabilities and exposures that is free to search, use, and incorporate into products and services.

The NVD augments the CVE List with additional analysis, conversion of various data points into SCAP datatypes, a fine-grained search engine and granular APIs. The NVD is synchronized with CVE such that any updates to the CVE List appear in the NVD.

Q.
What is the NVD analysis process and how is it done?
A.

CVEs are typically available in the NVD within an hour of their publishing. Once a CVE is in the NVD, analysts can begin the analysis process. The processing time can vary depending on the CVE, the information available, and the quantity of CVEs published within a given time frame. NVD analysts use the reference information provided with the CVE and any publicly available information at the time of analysis to associate Reference Tags, Common Vulnerability Scoring System (CVSS) v3.1, CWE, and CPE Applicability statements.

If any information is lacking, unclear, or in conflict between sources, the NVD policy is to represent the worst-case scenario. The NVD takes this conservative approach to avoid underreporting the possible severity of a given vulnerability. Information can change over time. If new information is available and analysis results should be amended to reflect it, please reach out to the NVD using the contact form at nvd.nist.gov/info/contact-form.

Q.
How do I report a vulnerability?
A.

The NVD does not participate in the vulnerability disclosure or the CVE publication process. Publication to the CVE List is controlled by the CVE Assignment Team. If you would like to report a vulnerability, please contact the CVE Assignment Team using the contact form at cveform.mitre.org.

Q.
How do vulnerabilities get into the NVD?
A.

The NVD processes the CVE List every hour to ingest new CVE publications, rejections, or modifications. The NVD only contains CVEs that have been published to the Official CVE List. Any CVE that is still in a **RESERVED** state will not be ingested into the NVD.

Q.
How do I dispute a CVE in the NVD?
A.

For information regarding a particular CVE dispute, or to dispute the legitimacy of a CVE, you should contact the CVE Assignment Team using the form at cveform.mitre.org. The NVD does not participate in the vulnerability disclosure or the CVE publication process, nor are we involved in the determinations for the legitimacy of any CVE. These are all functions of the CVE Program and occur upstream from NVD efforts. As such, we do not have any insight into the nature of disputed CVEs aside from the information that is publicly available in the CVE Description, public forums, or advisories.

Q.
A vulnerability is identified, and possibly assigned a CVE ID, why is it not in the NVD?
A.

The NVD only contains CVEs that have been published to the CVE List. CVEs that have not been published are in the reserved state and their CVE Descriptions should reflect that by containing **RESERVED**. The publication to the CVE data feed is controlled by the CVE Assignment Team. Once the CVE is published in the CVE data feeds, it will be available on the NVD website within a few hours.

Q.
How do I report a problem with NVD data?
A.

To report a problem with NVD data, please use the contact form at nvd.nist.gov/info/contact-form.

Q.
How can my organization use the NVD data within our own products and services?
A.

All NIST publications are available in the public domain. Organizations seeking to automate the retrieval of NVD data should use the NVD’s Application Programming Interfaces (APIs).

Services which utilize or access the NVD are asked to display the following notice prominently within the application: "This product uses data from the NVD API but is not endorsed or certified by the NVD." You may use the NVD name to identify the source of the data. You may not use the NVD name to imply endorsement of any product, service, or entity, not-for-profit, commercial or otherwise. For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Q.
How often is the data in the NVD updated?
A.

CVEs are typically available in the NVD within an hour of their publishing. Once a CVE is in the NVD, analysts can begin the analysis process. The processing time can vary depending on the CVE, the information available, and the quantity of CVEs published within a given time frame. The NVD updates CVE records as soon as analysis is complete. CVE data and/or CPE names may later be updated. If modification occurs, the NVD will automatically refresh any relevant information.

Q.
How do I provide a suggestion for improvement of the NVD website or data provided?
A.

If you have a suggestion on how to improve the NVD, please share your user story with the NVD by using the contact form at nvd.nist.gov/info/contact-form.

Ensure your user story includes a description of what you are looking to do (your what) and the problem you are looking to solve (your why).

Q.
Where can I learn more about SCAP (Security Automation Protocol)?
Q.
My IP address appears to be blocked from accessing NVD data. What should I do?
A.

The NVD implements request throttling to protect against Denial of Service attacks. Your organization or automated processes may have triggered them for your IP address. You can resolve this by reducing the frequency of requests to the website or APIs. If you are still experiencing access issues you should contact the NVD using the form at nvd.nist.gov/info/contact-form for investigation.
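One client-side way to reduce request frequency, shown as an added example that is not NVD code: a sliding-window limiter that paces every call, plus exponential backoff when a response signals throttling. The window size, the status codes in `THROTTLED`, the `fetch` callable and `FakeClock` are assumptions made for illustration; take the real limits from the NVD API documentation.

```python
import time
from collections import deque

THROTTLED = {403, 429}  # assumption: statuses this client treats as "slow down"

class SlidingWindowLimiter:
    """Permit at most max_requests sends in any window_seconds span."""
    def __init__(self, max_requests, window_seconds,
                 clock=time.monotonic, sleep=time.sleep):
        self.max_requests, self.window = max_requests, window_seconds
        self.clock, self.sleep = clock, sleep
        self.sent = deque()  # timestamps of sends still inside the window

    def acquire(self):
        """Block until one more request fits; return the seconds waited."""
        waited = 0.0
        while True:
            now = self.clock()
            while self.sent and now - self.sent[0] >= self.window:
                self.sent.popleft()  # this send has aged out of the window
            if len(self.sent) < self.max_requests:
                self.sent.append(now)
                return waited
            delay = self.window - (now - self.sent[0])
            self.sleep(delay)  # wait until the oldest send leaves the window
            waited += delay

def fetch_all(items, fetch, limiter, max_retries=3, backoff=2.0):
    """Call fetch(item) -> (status, body) for each item, paced by limiter."""
    results = []
    for item in items:
        for attempt in range(max_retries + 1):
            limiter.acquire()
            status, body = fetch(item)
            if status == 200:
                results.append(body)
                break
            if status not in THROTTLED or attempt == max_retries:
                raise RuntimeError(f"{item}: gave up with HTTP {status}")
            limiter.sleep(backoff * 2 ** attempt)  # exponential backoff
    return results

class FakeClock:  # constructed clock: sleeping only advances time, for dry runs
    def __init__(self):
        self.now = 0.0
    def time(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds
```

With the default `clock` and `sleep` the limiter really waits; passing `FakeClock().time` and `.sleep` lets a job's pacing be checked without delay.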

Q.
Where can I find more information about USGCB or FDCC?
A.

The purpose of the United States Government Configuration Baseline (USGCB) (formerly the Federal Desktop Core Configuration (FDCC) initiative) is to create security configuration baselines for Information Technology products widely deployed across the federal agencies. For more information, please visit either of the following resources:

csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline

nist.gov/programs-projects/united-states-government-configuration-baseline