Leading Software Vendors and Cybersecurity Organizations Among Early Adopters of MITRE's New Vulnerability Naming Format

MCLEAN, Va., September 17, 2014 -- The MITRE Corporation has announced that several leading software vendors and cybersecurity organizations are now consuming or producing Common Vulnerabilities and Exposures (CVE®) Identifier numbers—also called "CVE-IDs"—in the new numbering format. By taking this important step, these organizations ensure that their products, tools, and processes that use CVE will continue to work properly once CVE-ID numbers are issued using the new syntax, which could happen before the end of 2014, and no later than Tuesday, January 13, 2015.

CVE is the worldwide standard for information security vulnerability names, and the CVE List provides a dictionary of common names for publicly known information security vulnerabilities in software. MITRE operates CVE on behalf of and with the sponsorship of US-CERT in the office of Cybersecurity and Communications in the U.S. Department of Homeland Security.

The syntax of CVE-ID numbers (e.g., CVE-2014-0160, which has four digits at the end) was changed in January 2014 to accommodate five, six, or more end digits so that CVE can track 10,000 or more vulnerabilities for a given calendar year. The previous four-digit restriction allowed at most 9,999 vulnerabilities per year, so a change was needed to keep pace with the growing number of vulnerabilities being reported annually. It is possible that 10,000 CVE-IDs will be necessary before the end of 2014.
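The following Python snippet is an added illustration of the syntax change described above; it is not code from MITRE or the CVE program. It contrasts a consumer that still assumes exactly four sequence digits with one that accepts four or more, and shows the concrete failure the release warns about: a four-digit-only extractor silently truncates a five-digit ID into a different, wrong identifier. The regular expressions, the word-boundary anchoring, the zero-padding rule in `canonical_cve_id`, and the sample advisory text (including the five- and seven-digit IDs) are all my own assumptions and constructed test data.

```python
import re

# Legacy pattern: exactly four sequence digits, the pre-2014 syntax.
LEGACY_CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4})")

# Updated pattern: four or more sequence digits, per the syntax change
# described in the release. The \b anchors are an assumption added here so
# that a longer digit run is never split into a shorter, wrong identifier.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")

# Constructed sample advisory text. CVE-2014-0160 is a real four-digit ID;
# CVE-2014-10000 and CVE-2014-1234567 are hypothetical IDs in the new syntax,
# and CVE-14-0001 is deliberately malformed.
SAMPLE_ADVISORY = (
    "Affected by CVE-2014-0160, CVE-2014-10000 and CVE-2014-1234567. "
    "Ignore the malformed reference CVE-14-0001."
)


def parse_cve_id(cve_id: str):
    """Parse a single CVE-ID into (year, sequence), or None if malformed."""
    match = CVE_RE.fullmatch(cve_id.strip())
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def canonical_cve_id(cve_id: str) -> str:
    """Return the canonical spelling of a CVE-ID.

    Assumption: the sequence part is zero-padded to at least four digits and
    longer sequences are written without any padding (e.g. CVE-2014-10000).
    """
    parsed = parse_cve_id(cve_id)
    if parsed is None:
        raise ValueError(f"not a CVE-ID: {cve_id!r}")
    year, sequence = parsed
    return f"CVE-{year:04d}-{sequence:04d}"


def find_cve_ids(text: str, legacy: bool = False):
    """Extract CVE-IDs embedded in free text (an advisory, a scanner report).

    With legacy=True the four-digit-only pattern is used, reproducing the
    behaviour of a consumer that has not adopted the new syntax.
    """
    pattern = LEGACY_CVE_RE if legacy else CVE_RE
    return [m.group(0) for m in pattern.finditer(text)]


def missed_by_legacy(text: str):
    """List the correctly formed IDs that a four-digit-only consumer would
    fail to report as written (it either truncates them or drops them)."""
    correct = find_cve_ids(text)
    legacy = set(find_cve_ids(text, legacy=True))
    return [cve for cve in correct if cve not in legacy]


if __name__ == "__main__":
    print("legacy consumer sees :", find_cve_ids(SAMPLE_ADVISORY, legacy=True))
    print("updated consumer sees:", find_cve_ids(SAMPLE_ADVISORY))
    print("wrong or missing     :", missed_by_legacy(SAMPLE_ADVISORY))
```

Running the block shows the legacy extractor reporting CVE-2014-1000 and CVE-2014-1234 where the advisory actually names CVE-2014-10000 and CVE-2014-1234567, which is exactly the "inaccurate vulnerability identifiers" outcome the release describes; feeding a product's own parser a handful of five-, six- and seven-digit IDs like these is a quick way to confirm it is ready before the cut-over date.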

If the format change is not implemented in a timely manner, it could significantly impact CVE users' vulnerability management practices. To encourage industry and other CVE users to accommodate the new format, MITRE is recognizing those organizations that have declared that they are, or will be, compliant with the new CVE-ID numbering format.

Early adopters of the new CVE-ID format include: Adobe; CERIAS at Purdue University; CERT Coordination Center (CERT/CC); CERT-IST; EMC Corporation; High-Tech Bridge SA; IBM; ICS-CERT; Information-technology Promotion Agency, Japan (IPA); Japan Computer Emergency Response Team Coordination Center (JPCERT/CC); LP3; Microsoft Corporation; National Institute of Standards and Technology, National Vulnerability Database (NVD); NSFOCUS; Oracle; Red Hat, Inc.; SecurityTracker; SUSE LLC; and Symantec Corporation.

"We are assigning new CVE-IDs at an unprecedented rate," said Steve Christey Coley, principal information security engineer at MITRE and editor of the CVE List. "It's too close to call right now, but we could exceed the four-digit limit before the end of this year. If we need more than 9,999 CVE-IDs in 2014, we will follow the new syntax and start using five-digit CVE-IDs. If organizations don't update to the new CVE-ID format, their products and services could break or report inaccurate vulnerability identifiers, making vulnerability management more difficult. To make it easy to update, we have added a section on the CVE website that provides free technical guidance and test data for developers and consumers to use to verify that their products and services will work correctly."

The CVE dictionary contains more than 63,000 unique entries. Products, services and organizations around the world use CVE-IDs to help enhance information security, and CVE is formally recommended by the International Telecommunication Union (ITU-T) standards body for worldwide use.

"The clock is ticking," added Steve Boyle, principal information security engineer at MITRE and CVE program manager. "Even if we don’t have to move to the new syntax before the end of 2014, we will ensure that we issue at least one five-digit CVE-ID by Tuesday, January 13, 2015. All organizations that use CVE-IDs need to take action now to make the upgrade before this rapidly approaching deadline."

About The MITRE Corporation

The MITRE Corporation is a not-for-profit organization that operates research and development centers sponsored by the federal government. Learn more about MITRE.