NVD Release of CVMAP


In response to the requests by CVE Numbering Authorities (CNAs) to publish their CVE metadata on the NVD site, the NVD has made several enhancements to the internal CVE workflow process and the NVD website to utilize this information. Notably, in November of 2019 (https://nvd.nist.gov/general/News/Assigner-CVSS-CWE-Support) , the NVD began consuming and displaying the CNA's CVSS v2, CVSS v3.1, and CWE data alongside the NVD CVSS and CWE data. Building on top of those efforts, the NVD is now beginning a Collaborative Vulnerability Metadata Acceptance Process (CVMAP) Program with the CNAs. This program was developed to formalize the process to ingest, review, and display the CNA's input provided through the CVE List.

This will result in changes to the NVD web site. CNAs will be given a more detailed level of attribution on both CVSS scores and CWEs, as explained in the "Understanding Acceptance Levels" link below. An interface will be made available for CNAs and the general public to review where a CVMAP report will be provided on generation that will enable users to easily compare the NVD and CNA provided information. This report will also provide a brief explanation of any differences between the NVD and CNA provided information.

For more details on the program, please visit the following informational pages:

The CVMAP process is intended to be a collaborative effort between the CNAs and the NVD team and modifications are expected as this process improves. This program will result in more consistent practices across the information security community when providing standards and text-based information, alleviate the strain caused by the growing volume of CVE publications on NVD staff, and continue to retain consistency and quality of information for all consumers of CVE data. If you would like to further discuss the CVMAP Program or have questions, please feel free to reach out to us at nvd@nist.gov.

V/r,

The National Vulnerability Database Team