September 22, 2023

Background on CVE Discovery and Reporting Process


The CVE system identifies specific vulnerabilities and makes them known to the public. It works alongside CWE to enhance software security by pinpointing coding errors, design flaws, and implementation oversights.


The process begins when someone discovers a vulnerability and reports it to a CVE program partner. CVE numbering authorities (CNAs) can assign an ID to the vulnerability.


CVE is a standardized identifier system that catalogs cybersecurity vulnerabilities and exposures. It allows security researchers, vendors, and customers to identify and address vulnerabilities across different platforms, operating systems, and products.

Once a vulnerability is discovered, the person or organization that discovers it files a report with a CVE program partner. That partner is a CVE Numbering Authority (CNA). CNAs are IT vendors, security companies, and research organizations that are trusted with assigning CVE identification numbers to vulnerabilities they discover.

When a new CVE is assigned, the CNA will add it to the National Vulnerability Database (NVD) and submit details, including the type of vulnerability (e.g., buffer overflow, remote code execution), the software affected by the vulnerability, and the impact of the vulnerability. Vulnerabilities are also rated using an open standard, the Common Vulnerability Scoring System (CVSS).


Keeping track of cybersecurity threats requires a process for recognizing and validating a threat, adding it to shared global databases, and discovering solutions. The CVE discovery and reporting process involves people, organizations, and resources around the world. People working at technology companies, independent researchers, and those studying open-source software find and report vulnerabilities.

When a vulnerability is discovered, the person or organization responsible for finding it reports it to a CVE program participant. A CVE ID is reserved for the reported vulnerability, and information about it is published in a CVE Record.

A CVE Record includes the identification number, a brief description, and public references to additional information. Authorized Data Publishers (ADPs) can enrich the CVE Record with additional information, such as risk scores and lists of affected products.

A CVE is given a severity level, such as high or critical, using the Common Vulnerability Scoring System. The information is published with a timestamp and is linked to solutions, such as patches, provided by vendors.
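To make the record contents described above concrete, here is an added example (not from the original article or the CVE Program) that reads a record in the CVE JSON 5.x layout and extracts the ID, description, references, and any CVSS scores and affected products supplied by the CNA or an ADP. The sample record, its ID, the `example-adp` name, and the URL are constructed placeholders.

```python
import json
import re

# CVE ID syntax: "CVE", a four-digit year, then four or more digits.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample in the CVE JSON 5.x layout (placeholder ID, names and URL).
SAMPLE = json.loads("""{
  "cveMetadata": {"cveId": "CVE-2099-00001", "state": "PUBLISHED",
                  "datePublished": "2099-01-01T00:00:00.000Z"},
  "containers": {
    "cna": {
      "descriptions": [{"lang": "en", "value": "Buffer overflow in ExampleApp."}],
      "references": [{"url": "https://example.com/advisories/1"}]},
    "adp": [{
      "providerMetadata": {"shortName": "example-adp"},
      "metrics": [{"format": "CVSS",
                   "cvssV3_1": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}],
      "affected": [{"vendor": "Example", "product": "ExampleApp"}]}]
  }
}""")


def summarize(record):
    """Return a record's core fields plus CNA- or ADP-supplied enrichment."""
    meta = record["cveMetadata"]
    if not CVE_ID.match(meta.get("cveId", "")):
        raise ValueError("malformed CVE ID: %r" % meta.get("cveId"))
    cna = record["containers"]["cna"]
    out = {
        "id": meta["cveId"],
        "published": meta.get("datePublished"),
        "description": next((d["value"] for d in cna.get("descriptions", [])
                             if d.get("lang", "").startswith("en")), None),
        "references": [r["url"] for r in cna.get("references", [])],
        "scores": [], "products": [],
    }
    # Scores and affected products can sit in the CNA container or in any ADP one.
    sources = [("cna", cna)] + [
        (a.get("providerMetadata", {}).get("shortName", "adp"), a)
        for a in record["containers"].get("adp", [])]
    for name, box in sources:
        for metric in box.get("metrics", []):
            for key, val in metric.items():
                if key.startswith("cvss") and isinstance(val, dict):
                    out["scores"].append((name, val.get("baseScore"), val.get("baseSeverity")))
        out["products"] += [(name, a.get("vendor"), a.get("product"))
                            for a in box.get("affected", [])]
    return out
```

Keeping the source name next to each score and product shows whether a value came from the assigning CNA or was added later by an ADP.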


The vulnerability discovery process involves identifying a threat, alerting the cybersecurity community, adding it to global databases, and finding solutions.

The first step is to identify a software or hardware system flaw. This can be done manually by researchers or by using automated tools. Once a researcher has found a vulnerability, they must contact the vendor or project responsible for the system and report it.

Once the vulnerabilities have been vetted, they are added to the CVE database. NVD then uses a numbering system to assign CVE IDs to the newly identified threats. The CVE IDs provide a consistent way to reference the vulnerabilities and allow vendors, organizations, end-users, and researchers to collaborate more effectively and efficiently in tracking and mitigating cybersecurity threats. Occasionally, CVE IDs may be updated or changed, so it’s essential to check the NVD often for updates.


Before CVE, cybersecurity tools used their own databases and had unique ID names for vulnerabilities, making it hard to tell when different tools referred to the same vulnerability. CVE changed that by providing a common naming system and enabling interoperability between security tools and vulnerability scanners.

A vulnerability is a mistake in software code that gives attackers direct access to a system or network. Exposures, on the other hand, are conditions that make systems more susceptible to attacks or unauthorized access and can lead to data breaches.
