Skip to content
This repository has been archived by the owner on Aug 12, 2020. It is now read-only.


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


CVE assignment documentation - this document replaces

Please note that this document pertains to CVE's for issues found in Open Source programs, not closed source programs, if you need a CVE for a closed source program I suggest you go to MITRE directly.

Copyright: Red Hat 2016 Author: Kurt Seifried (

What is CVE?

A CVE is a common name for a single security vulnerability so that we can identify and talk about issues sanely (e.g. "that OpenSSL vulnerability, from like 2009, the DoS one" vs. "CVE-2009-3555"). CVE allows multiple vendors, products, and customers to properly track security vulnerabilities and make sure they are dealt with.

The CVE database is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration."

Why should I get a CVE for my security issue?

Because it makes it much easier to track, discuss and otherwise handle security issues for everyone. Upstream vendors, downstream vendors, security tracking firms, customers, security products, etc. all increasingly rely upon CVE to identify issues clearly.

Why should I get my CVE before going public?

Getting the CVE before public release makes tracking the issue much easier, if you release the issue and then get a CVE for it everyone will have to update their information (considering how many organizations consume security reports, this is a lot of effort). Also if other similar issues are released it makes tracking much easier rather than playing the "well it sounds like this one but maybe it's that other one?"

How do I request a CVE?

There are several main ways to get a CVE:

  1. Does the software in question belong to an organization that can assign CVEs? If so you should contact them first to request a CVE. If they are not responsive you should contact their parents CVE organization for resolution. A list of CNAs for MITRE is available at and for Open Source CNAs a list is maintained at
  2. If the software in question doesn’t belong to an organization that can assign CVEs there are entities that do CVE assignments for various software categories (e.g. the DWF can do CVE assignments for Open Source software), the DWF is available at
  3. There are also organizations that to security vulnerability coordination and can assign CVEs to vulnerabilities such as CERT/CC, Hackerone, JPCERT/CC and so on, for a list of these please see
  4. If there is no entity to assign a CVE you should ask MITRE directly for one via the web form:

Additionally for CVE requests for OpenSource software that are for public issues you can also request them via the Publicly on the list currently.

How to write a CVE request:

MITRE maintains a CVE request web form at and the DWF maintains one at which show what information is required and what information is additonally nice to have.

Why doesn't my CVE show up in the database?

The main CVE database is at:

The National Vulnerability database also maintains a CVE data with additional information such as CVSS scoring information.

Both currently rely on Mitre for entries to be created and added. MITRE does not add CVE text until they have researched the issue and written it up. Currently (as of late 2016) MITRE is transitioning to allowing CVE Numbering Authorities (CNAs) to submit CVE description text.

Why was the CVE assigned days/weeks/months before going public?

Mitre has a "Date Entry Created" field in their database, this is the date the CVE was either assigned by Mitre to a specific issue, or the date that CVE was given by Mitre to another organization (such as Red Hat) for future use. For example CVE-2015-0201 through CVE-2015-0300 were assigned on November 14, 2014 to Red Hat, as of late January 2015 Red Hat has only used approximately half of these. For more information on this and the other fields please see


CVE assignment documentation







No releases published


No packages published