) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.
Vulnerability Status
Vulnerability records within the NVD dataset are sourced from the CVE List, which is maintained by the CVE Program, upstream of the NVD. This page provides information regarding both the CVE Program and NVD sets of statuses and how they relate to each other.
CVE List Statuses
This information is derived from the CVE Program FAQs.
| CVE List Status | Description |
|---|---|
| RESERVED |
A CVE Record is marked as “RESERVED” when it has been reserved for use by a CVE Numbering Authority (CNA) or security researcher, but the details of it are not yet published. “RESERVED” is the initial state for a CVE Record; when the associated CVE ID is Reserved by a CNA. A CVE Record can change from the RESERVED state to being published at any time based on a number of factors both internal and external to the CVE List. Note: Reserved CVE Records are not included in the NVD dataset. |
| PUBLISHED | A CNA has populated the data associated with the CVE ID and published the CVE Record. |
| REJECT |
A CVE Record listed as “REJECTED” is a CVE Record that is not accepted as a CVE Record. The reason a CVE Record is marked REJECTED will most often be stated in the description of the CVE Record. Possible examples include it being a duplicate CVE Record, it being withdrawn by the original requester, it being assigned incorrectly, or some other administrative reason. As a rule, REJECTED CVE Records should be ignored and the CVE ID and the associated CVE Record should no longer be used. A REJECTED CVE Record remains on the CVE List so that users know that the CVE ID and CVE Record are invalid. |
NVD Statuses
| NVD Status | NVD API Status | Description |
|---|---|---|
| Received | Received | The CVE has recently been published to the CVE List and is now included within the NVD dataset. |
| Awaiting Enrichment | Awaiting Analysis | The CVE has been marked for NVD enrichment efforts. |
| Undergoing Enrichment | Undergoing Analysis | The CVE is currently being enriched by the NVD Enrichment team. The enrichment process results in the association of reference link tags, CVSS, CWE, and CPE applicability statement data. |
| Enriched | Analyzed | NVD’s CVE enrichment process is complete. CVEs in this status do not show a banner on the vulnerability detail page. |
| Modified After Enrichment | Modified | The CVE record has been updated after NVD enrichment efforts were completed. Enrichment data supplied by the NVD may require amendment due to these changes. Although not routinely reviewed, requests may be made for review. |
| Not Scheduled | Deferred | The CVE is not currently scheduled for NVD enrichment efforts. The CVE may be out of NVD’s declared scope of coverage or has not been prioritized due to resource or other concerns. Requests may be made to schedule for enrichment. |
| Rejected | Rejected | The CVE has been marked Rejected in the CVE List. Rejection of a CVE is determined by the CVE Program and not the NVD. |
CVE List and NVD Status Comparison
This table shows how the statuses from each organization relate to each other.
| CVE List Status | NVD Status | NVD API Status |
|---|---|---|
| RESERVED | Not included in NVD dataset | Not included in NVD dataset |
PUBLISHED |
Received Awaiting Enrichment Undergoing Enrichment Enriched Modified After Enrichment Not Scheduled |
Received Awaiting Analysis Undergoing Analysis Analyzed Modified Deferred |
| REJECTED | Rejected | Rejected |
NVD Status Workflow Diagram
The workflow depicted below shows when a CVE status can change and whether it occurs by NVD process, NVD staff decisions, users of NVD data, or changes in response to a CVE Program Process
