CVE Records Keep Getting Better and Better
About a year ago, CVE Records underwent a major transformation and now include significantly enhanced information about the cybersecurity vulnerabilities they describe. Gone are the days when a CVE Record was just an ID, a brief free-form description of the vulnerability, and one or more advisory or blog post references. Today, details that were previously squeezed into the description field of a record, particularly affected products and versions, are provided in a structured format in dedicated fields within the CVE Record. Optional content fields are also now available for severity scores, CWE IDs, researcher credit, and more, making CVE Records even more valuable.
The new structured format provides the ability for CVE content consumers to streamline and more easily automate their use of CVE Records because the data format is standardized and machine-readable. It also enables the creation and publication of CVE Records to be automated, which means more quality CVE Records can be produced at a faster pace than ever before for use by the worldwide community.
In this article, we’ll look at the improvements the CVE Program has made that led to this signpost moment, review an example of a CVE Record in the new format, and discuss how the CVE Program continues to evolve to better serve its partners and the worldwide cybersecurity community.
Some History
The CVE Program began in 1999 with 321 CVE Records on the CVE List. There are now 200,000+ CVE Records available on the CVE.ORG website with more added almost daily. Until 2022, each record contained only three basic components: CVE ID, brief free-form description of the vulnerability, and one or more references. But that changed in recent years when the CVE Program and its CVE Numbering Authority (CNA) partners (325+ from 37 countries!) decided that the process of reserving CVE IDs and publishing the associated CVE Records needed more automation.
An automation pilot that used the existing data format revealed that an all-new record format would be needed to ensure all relevant vulnerability data could be included in a record as well as be easily consumed by a downstream user. Working groups were stood up, and after a sufficient period of time, the CVE Program’s new format for CVE Records, “CVE JSON 5.0,” as well as automated “CVE Services” for CVE ID reservation and CVE Record publication and management for CNAs, were launched in October 2022 in beta and fully adopted by the program in March 2023.
CNAs now have the tools they need to produce more quality CVE Records faster without the need for manual intervention, and consumers have CVE content that is both human- and machine-readable.
Example of the New Format for CVE Records
Today’s CVE Records are significantly enhanced and include more information than ever before. While the CVE JSON 5.0 schema on GitHub provides all the details of what’s required and optional in a CVE Record, the example CVE Record below shows how these structured fields look when published as a web page on the CVE.ORG website.
The CVE ID is located at the top of the web page along with the status of the record (i.e., Reserved, Published, or Rejected). The title field is new. There’s an assigner field for the name of the CNA. The description field is now used for any content the CNA wishes to include that’s not specified in the other structured fields of the record, or for a brief summary of the vulnerability. Product Status, which specifies affected products and versions, is now a standalone section of the record. Help information about how the versions are presented is included in each record published as a CVE.ORG web page. The credit field is new. The references section includes at least one link; in this example it is a link to the CNA’s own advisory. That advisory may include even more information about the vulnerability that, because of the CNA’s internal automated vulnerability management infrastructure, did not, or will not, migrate to the CVE Record. A courtesy link to the U.S. National Vulnerability Database (NVD) entry for the record is also provided. Finally, note that the JSON for the record is also available to view from the top of every record web page.
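To show what the structured fields buy a consumer, here is an added example (not the CVE Program’s own code) that reads the dedicated fields of a CVE JSON 5.0 record rather than parsing the description. The record is constructed here with a placeholder CVE ID, vendor, product, researcher and URL; only the field names follow the published 5.0 schema, and the `summarize` and `affected_ranges` helpers are hypothetical.

```python
# Added example (not the CVE Program's own code): read the dedicated fields of a
# CVE JSON 5.0 record. SAMPLE_RECORD is constructed with a placeholder ID, vendor
# and URL; only the field names follow the published 5.0 schema.
SAMPLE_RECORD = {
    "dataType": "CVE_RECORD", "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-0000-00000", "state": "PUBLISHED", "assignerShortName": "examplecna"},
    "containers": {"cna": {
        "title": "Authentication bypass in ExampleApp admin console",
        "descriptions": [{"lang": "en", "value": "Constructed summary text."}],
        "affected": [{"vendor": "ExampleVendor", "product": "ExampleApp", "defaultStatus": "unaffected",
                      "versions": [{"version": "2.0.0", "status": "affected",
                                    "lessThan": "2.4.1", "versionType": "semver"},
                                   {"version": "3.0.0", "status": "affected"}]}],
        "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287",
                                            "description": "Improper Authentication"}]}],
        "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH",
                                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}}],
        "credits": [{"lang": "en", "value": "Example Researcher", "type": "finder"}],
        "references": [{"url": "https://example.invalid/advisory", "tags": ["vendor-advisory"]}],
    }},
}

def affected_ranges(record):
    """Render each 'versions' entry as a range; versions not listed take defaultStatus."""
    ranges = []
    for prod in record["containers"]["cna"].get("affected", []):
        name = f'{prod["vendor"]} {prod["product"]}'
        for v in prod.get("versions", []):
            if v.get("status") != "affected":
                continue  # 'unaffected' / 'unknown' entries are not reported
            if "lessThan" in v:
                ranges.append(f'{name} >= {v["version"]} < {v["lessThan"]}')
            elif "lessThanOrEqual" in v:
                ranges.append(f'{name} >= {v["version"]} <= {v["lessThanOrEqual"]}')
            else:
                ranges.append(f'{name} == {v["version"]}')  # single exact version
    return ranges

def summarize(record):
    """Consume the structured fields instead of parsing the free-form description."""
    if record.get("dataType") != "CVE_RECORD" or not record.get("dataVersion", "").startswith("5."):
        raise ValueError("not a CVE JSON 5.x record")
    meta, cna = record["cveMetadata"], record["containers"]["cna"]
    cwes = [d["cweId"] for pt in cna.get("problemTypes", [])
            for d in pt.get("descriptions", []) if "cweId" in d]
    cvss = next((m[k] for m in cna.get("metrics", []) for k in ("cvssV3_1", "cvssV3_0") if k in m), None)
    return {"id": meta["cveId"], "state": meta["state"], "title": cna.get("title"),
            "affected": affected_ranges(record), "cwes": cwes,
            "severity": (cvss["baseScore"], cvss["baseSeverity"]) if cvss else None,
            "credits": [c["value"] for c in cna.get("credits", [])],
            "references": [r["url"] for r in cna.get("references", [])]}
```

Every value the summary returns comes from a dedicated field, which is exactly the data a down-converted legacy-format copy of the record would lack.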
A major change in the new format is how CNAs use the description field. As shown in the example above, much of the information that was previously included in the legacy record format’s free-form description field has been moved to dedicated fields within the structure of the new format.
However, we still need to promote this message. Although the CVE Program moved to the new CVE.ORG website in 2021, the legacy CVE.MITRE.ORG website (scheduled for retirement on July 1, 2024) is still in use while vulnerability databases, cybersecurity tool vendors, and other users transition to the new CVE JSON 5.0 format for records. This means anyone still using CVE Record data from that legacy website could be missing significant data about the vulnerability: the records on that site have been down-converted from the new format to the old record format, and the conversion is not 1:1 because of all the new fields in the new structured format. In fact, this may have been the case with the vulnerability researcher who wrote a commentary on Dark Reading a few months ago saying that CVE Record descriptions from some CNAs had become too short and were no longer useful. The links in his examples were all NVD links for their versions of the CVE Records, and NVD continues to use the down-converted version for its own CVE content, so he was definitely not seeing the most complete data for each of those records when viewing them on NVD.
Many of these changes and enhancements to CVE Records are discussed in more detail in the “We Speak CVE” podcast episode entitled, “How the New CVE Record Format Will Benefit Consumers.”
We highly encourage all cybersecurity professionals to view, download, and use CVE Records from the CVE.ORG website so you can fully leverage the new CVE Record format and enjoy all its benefits.
More CVE Program Enhancements on the Way to Benefit Creators and Users of CVE Records
The CVE Program is currently working on a new version of its “CNA Rules” document that will focus on the new and optional fields in the new CVE Record format. This document, which provides guidance and best practices to CNAs on how to create and populate CVE Records, is expected to be published in 2024. Once released, it will provide clarity for CNAs, vulnerability researchers, and the wider vulnerability management community about how vulnerability data should be included within the structured fields of the new CVE Record format.
Another revolutionary development for CVE Records is that, in the near future, certain authorized entities will be eligible to add enhanced data to records that have been previously published by a CNA. Initially introduced to the community as a concept in 2021 in a We Speak CVE podcast episode entitled, “Enhancing CVE Records as an Authorized Data Publisher,” now that the new CVE Record format and automated CNA services are fully available, a pilot program for “Authorized Data Publishers (ADPs)” has begun and will continue into 2024. The types of content that ADPs could add to enrich previously published records include additional risk scores, affected product lists, versions, references, translations, and so on. Such additions will enrich the content of CVE Records and further improve their value to consumers.
This is an exciting time for the CVE Program, its partners, and the users of CVE Records as the value and usability of the vulnerability data contained in the records improves, and more and more CNAs from around the world partner with the program to produce more quality CVE Records faster.