New CVE Record Format Enables Additional Data Fields at Time of Disclosure

submitted by
Style Pass
2024-04-29 19:00:03

When the CVE® Program was first established in 1999, a CVE Record consisted of only three elements: the CVE-ID itself, a brief vulnerability description, and a reference URL pointing to further relevant information. This solved an important problem: two or more people or tools could refer to a vulnerability and know they were talking about the same thing, saving significant time and cost through a single shared reference.

Over the last 25 years, CVE has grown into the backbone of the vulnerability management ecosystem, with a federated governance model that partners with CVE Numbering Authorities (CNAs) to grow CVE content and expand its use. At the same time, additional vulnerability-related information has become important to the cybersecurity community for increased transparency, for understanding a vulnerability's root cause, and for prioritizing incident response, including CVSS scores, CWE mappings and CPE identifiers, amongst others.

In recent months, significant shifts in the vulnerability management landscape have left consumers frustrated when trying to obtain these additional data fields for CVE Records. Previously, downstream augmenters of CVE Record data (such as the NVD) have supplied CVSS base scores and CWE mappings derived from public data, often in contention with CNA product vendors, who have the most reliable source for making those determinations accurately.
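The following is an added example, not code from the CVE Program or from the post above. It shows what a consumer of CVE Records does with the two kinds of data the post describes: the three original elements (ID, description, reference) and the additional CVSS and CWE fields, which a CNA may now supply at disclosure and which a downstream augmenter may otherwise add. It assumes the published CVE JSON 5.x record layout (a `cveMetadata` block, a `cna` container and optional `adp` containers for downstream augmenters); the post does not show that schema, so the field names are taken from it rather than from the page. All CVE IDs, organisation IDs, URLs, scores and descriptions in the sample records are constructed for the example.

```python
import json
import re
from typing import Optional

# Added example, not code from the CVE Program or the post above. It assumes the
# published CVE JSON 5.x record layout (cveMetadata, a "cna" container, optional
# "adp" containers for downstream augmenters), which the post describes only in
# prose. Every ID, URL, score and description in the samples is constructed.

CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
# CVSS blocks a container may carry, newest version first.
CVSS_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0", "cvssV2_0")

def normalize_cve_id(raw: str) -> str:
    """Trim and upper-case a CVE ID; reject anything that is not CVE-YYYY-NNNN+."""
    cve_id = raw.strip().upper()
    if not CVE_ID_RE.match(cve_id):
        raise ValueError(f"not a CVE ID: {raw!r}")
    return cve_id

def _cvss_from(container: dict) -> Optional[dict]:
    """Return the newest CVSS block found in a container's metrics, or None."""
    best_rank, best = len(CVSS_KEYS), None
    for metric in container.get("metrics", []):
        for rank, key in enumerate(CVSS_KEYS):
            if key in metric and rank < best_rank:
                best_rank, best = rank, metric[key]
    if best is None:
        return None
    return {"baseScore": best.get("baseScore"), "vectorString": best.get("vectorString")}

def _cwes_from(container: dict) -> list:
    """Collect CWE IDs from a container's problemTypes."""
    return [d["cweId"] for pt in container.get("problemTypes", [])
            for d in pt.get("descriptions", []) if d.get("type") == "CWE" and d.get("cweId")]

def summarize_record(record_json: str) -> dict:
    """Extract the three original elements plus CVSS/CWE from a CVE JSON 5.x record.

    CVSS and CWE come from the CNA container when the CNA supplied them and only
    otherwise from an ADP container; the summary records which one was used."""
    record = json.loads(record_json)
    if record.get("dataType") != "CVE_RECORD":
        raise ValueError("not a CVE_RECORD document")
    cna = record.get("containers", {}).get("cna", {})
    summary = {
        "cveId": normalize_cve_id(record["cveMetadata"]["cveId"]),
        "description": next((d["value"] for d in cna.get("descriptions", [])
                             if d.get("lang", "").lower().startswith("en")), None),
        "references": [r["url"] for r in cna.get("references", [])],
        "cvss": _cvss_from(cna), "cvssSource": None,
        "cwes": _cwes_from(cna), "cweSource": None,
    }
    if summary["cvss"]:
        summary["cvssSource"] = "cna"
    if summary["cwes"]:
        summary["cweSource"] = "cna"
    for i, adp in enumerate(record.get("containers", {}).get("adp", [])):
        cvss, cwes = _cvss_from(adp), _cwes_from(adp)
        if summary["cvss"] is None and cvss:
            summary["cvss"], summary["cvssSource"] = cvss, f"adp[{i}]"
        if not summary["cwes"] and cwes:
            summary["cwes"], summary["cweSource"] = cwes, f"adp[{i}]"
    return summary

def _record(cna_extra: dict, adp_extra: Optional[dict] = None) -> str:
    """Build a constructed CVE JSON 5.1 record (made-up CVE ID and org IDs)."""
    containers = {"cna": {
        "providerMetadata": {"orgId": "00000000-0000-4000-8000-000000000001"},
        "descriptions": [{"lang": "en", "value": "Constructed example issue."}],
        "references": [{"url": "https://example.invalid/advisory/1"}], **cna_extra}}
    if adp_extra is not None:
        containers["adp"] = [{"providerMetadata": {
            "orgId": "00000000-0000-4000-8000-000000000002"}, **adp_extra}]
    return json.dumps({"dataType": "CVE_RECORD", "dataVersion": "5.1",
                       "cveMetadata": {"cveId": "CVE-2099-0001", "state": "PUBLISHED",
                                       "assignerOrgId": "00000000-0000-4000-8000-000000000001"},
                       "containers": containers})

def _cvss31(score: float, vector: str) -> dict:
    return {"cvssV3_1": {"version": "3.1", "baseScore": score, "vectorString": vector}}

def _cwe(cwe_id: str, text: str) -> dict:
    return {"descriptions": [{"lang": "en", "type": "CWE", "cweId": cwe_id, "description": text}]}

# Downstream (ADP) enrichment derived from public data, as the NVD has done (constructed).
ADP_ENRICHMENT = {
    "metrics": [_cvss31(9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")],
    "problemTypes": [_cwe("CWE-20", "Improper Input Validation")]}

# Case 1: the CNA supplied its own CVSS and CWE at disclosure; the ADP data is not used.
CNA_SUPPLIED = _record({
    "metrics": [_cvss31(7.5, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N")],
    "problemTypes": [_cwe("CWE-79", "Cross-site Scripting")]},
    ADP_ENRICHMENT)

# Case 2: the CNA published only the three original elements; the ADP fills the gap.
CNA_MINIMAL = _record({}, ADP_ENRICHMENT)
```

Calling `summarize_record(CNA_SUPPLIED)` yields the CNA's 7.5 score and CWE-79 with `cvssSource` and `cweSource` set to `cna`, while `summarize_record(CNA_MINIMAL)` falls back to the ADP's 9.8 and CWE-20 and reports `adp[0]` as the source. Recording the source matters because the two can disagree, and a consumer that silently merges them loses the distinction between what the vendor stated and what a third party inferred from public data.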
