The CVE Program is maintained by the MITRE corporation and sponsored by the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA). The CVE List is a list of publicly disclosed cybersecurity vulnerabilities and exposures that is free to search, use, and incorporate into products and services.

The NVD augments the CVE List with additional enrichment, conversion of various data points into SCAP datatypes, a fine-grained search engine and granular APIs. The NVD is synchronized with CVE such that any updates to the CVE List appear in the NVD.

CVEs are typically available in the NVD within an hour of their publishing. Once a CVE is in the NVD, enrichment efforts can begin the enrichment process. The processing time can vary depending on the CVE, the information available, and the quantity of CVEs published within a given time frame. NVD enrichment efforts use the reference information provided with the CVE and any publicly available information at the time of enrichment to associate Reference Tags, Common Vulnerability Scoring System (CVSS) v4.0, CVSS v3.1, CWE, and CPE Applicability statements.

If any information is lacking, unclear or conflicts between sources, the NVD policy is to represent the worst-case scenario. The NVD takes this conservative approach to avoid under reporting the possible severity of a given vulnerability. Information can change over time, if new information is available and enrichment results should be amended to reflect that new information, please reach out to the NVD using our contact form.

The NVD does not participate in the vulnerability disclosure or the CVE publication process. Publication to the CVE List is controlled by the CVE Assignment Team. If you would like to report a vulnerability, please contact the CVE Assignment Team using the contact form at cveform.mitre.org.

The NVD processes the CVE List every hour to ingest new CVE publications, rejections, or modifications. The NVD only contains CVEs that have been published to the Official CVE List. Any CVE that is still in a **RESERVED** state will not be ingested into the NVD.

For information regarding a particular CVE dispute or to dispute the legitimacy of a CVE; You should contact the CVE Assignment Team using the form at cveform.mitre.org. The NVD does not participate in the vulnerability disclosure or the CVE publication process, nor are we involved in the determinations for the legitimacy of any CVE. These are all functions of the CVE Program and occur upstream from NVD efforts. As such, we do not have any insight into the nature of disputed CVEs aside from the information that is publicly available in the CVE Description, public forums, or advisories.

The NVD only contains CVEs that have been published to the CVE List. CVEs that have not been published are in the reserved state and their CVE Descriptions should reflect that by containing **RESERVED**. The publication to the CVE data feed is controlled by the CVE Assignment Team. Once the CVE is published in the CVE data feeds, it will be available on the NVD website within a few hours.

To report a problem with NVD data, please use our contact form.

All NIST publications are available in the public domain. Organizations seeking to automate the retrieval of NVD data should use the NVD’s Application Programing Interfaces (APIs).

Services which utilize or access the NVD are asked to display the following notice prominently within the application: "This product uses data from the NVD API but is not endorsed or certified by the NVD." You may use the NVD name to identify the source of the data. You may not use the NVD name, to imply endorsement of any product, service, or entity, not-for-profit, commercial or otherwise. For information on how to the cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

CVEs are typically available in the NVD within an hour of their publishing. Once a CVE is in the NVD, enrichment efforts can begin. The processing time can vary depending on the CVE, the information available, and the quantity of CVEs published within a given time frame. The NVD updates CVE records as soon as enrichment is complete. CVE data and/or CPE names may later be updated . If modification occurs, the NVD will automatically refresh any relevant information.

If you have a suggestion on how to improve the NVD please share your user story with the NVD by using our contact form.

Ensure your user story includes a description of what you are looking to do (your what) and the problem you are looking to solve (your why).

The NVD implements request throttling to protect against Denial of Service attacks. Your organization or automated processes may have triggered them for your IP address. You can resolve this by reducing the frequency of requests to the website or APIs. If you are still experiencing access issues you should contact the NVD using our contact form.

The purpose of the United States Government Configuration Baseline (USGCB) (formerly the Federal Desktop Core Configuration (FDCC)) initiative is to create security configuration baselines for Information Technology products widely deployed across the federal agencies. For more information please visit either of the following resources:

csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline

nist.gov/programs-projects/united-states-government-configuration-baseline