Skip to content
This repository has been archived by the owner. It is now read-only.
Go to file

Latest commit


Git stats


Failed to load latest commit information.

Distributed Weakness Filing (DWF) Project

The Distributed Weakness Filing (DWF) Project is the first federated CVE Number Authority (CNA). The DWF will initially deal with assigning CVEs for Open Source software (as defined by OSI approved Open Source licenses and similar licenses). The DWF will assign CVEs for valid security vulnerabilities using the same or very similar processes as Mitre and other CVE Numbering Authorities currently use.

Getting a CVE Identifier from the DWF for your security vulnerability(s)

We are currently deciding on process for this, in the mean time you can submit an issue via the form at

Becoming a CVE Mentor

The first step is to contact us, email is good (see our contact info), or file an issue. To get involved with the DWF as a CVE Mentor you MUST accept the Contributor Covenant.

Becoming an Open Source CNA (CVE Numbering Authority)

To become an Open Source CNA you must meet the following requirements:

  1. Fill out a CNA application form (form to be created)

  2. Agree to the CNA Rules at

  3. Find at least one or more CVE Mentors willing to work with you, they can be internal to your organization/project or an external person.

Assigning a CVE for the DWF

If you are assigning CVEs on behalf of the DWF please consult the CVE Assignment HOWTO.

Primary Documents

This is the MITRE Terms of Use for CVE data, if you want to submit data to CVE you must agree to these Terms of Use.

The primary source for this document is:

This is the DWF Contributor Agreement, if you want to participate withint the DWF as a CVE mentor or CNA you must accept this agreement.

The primary source for this document is:


This is the MITRE Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA) Rules , if you want to be a CNA you must read this and accept these guidelines.

The primary source for this document is:

Please note that a draft version of the 2.0 guidelines are now available here:

Git Repo layout


This repo contains the documentation.



This repo contains the Master CVE Database which consists of the CVE Year, start of range, end of range, length of range and where this block is stored (e.g. which Git repo). When you want to find a CVE you can look here to find the repo it exists within.


This repo is going to be removed in future, we will be moving to a forked copy of


This repo contains a list of CVE Mentors, mentors may be affiliated with none, one, or more CNAs. CVE Mentors are not required to assign CVEs, they may for example be involved for example primarily in training other CVE Mentors or providing supporting to other CVE Mentors.



This is the DWF CNA registry, it is basically just a list of CNAs and their CVE Mentor(s) and the CVE ID blocks they use. Every CNA must have one or more CVE Mentors that work with them.



This repo contains legal acceptance from people who are not yet CVE Mentors or CNAs withint the DWF.



DWF Documentation, Policy and Guides




No releases published
You can’t perform that action at this time.