Changes Coming to CVE Record Format JSON and CVE List Content Downloads

The CVE Program is announcing two major changes that will take place in 2022:

  1. The main format for submission and publishing of CVE Records, CVE JSON 4.0, is being upgraded to a new, richer format: JSON 5.0.
  2. Legacy CVE List download file options are being replaced with a single supported download format: JSON.

These changes are being announced now to ensure that CVE Numbering Authorities (CNAs), CVE consumers such as tool vendors, and other stakeholders can begin preparing for this important transition.

CVE Record JSON Upgrading to Version 5.0 in 2022

To begin the transition, the CVE Program will introduce CVE JSON 5.0 in late spring 2022. During the transition period, the CVE Program will support both JSON 5.0 and JSON 4.0 CVE Record submission and download. The transition is scheduled to be completed by summer 2022.

CVE JSON 5.0 is a major upgrade to JSON 4.0 that further normalizes and enriches how CVE information is presented. It adds several new data fields to CVE Records. In addition to the required data of CVE ID number, affected product(s), affected version(s), and public references, JSON 5.0 CVE Records will now include optional data such as severity scores, credit for researchers, additional languages, affected product lists, additional references, ability for community contributions, etc. This optional data will enhance CVE Records for both downstream users and the overall vulnerability management community.

Required Changes for CNAs

With support for CVE JSON 4.0 submission being discontinued in early summer 2022, CNAs should now be getting familiar with the new JSON 5.0 schema.

Early in 2022, CNAs should be looking for future communications on the JSON 5.0 Adoption Process from the CVE Secretariat and CVE Working Groups (e.g., the Automation Working Group and the Quality Working Group).

CNAs will have the opportunity to review legacy records and test/examine the new automation services that will allow them to publish and update JSON 5.0 CVE IDs in a more timely/automated manner.

What This Change Means for CVE Consumers

CVE consumers should also be getting familiar with the CVE JSON 5.0 format. They will begin seeing CVE Records published on the CVE website in the JSON 5.0 format by late spring 2022.

CVE List Download Options Changing to JSON-ONLY in 2022!

As a result of the transition to JSON 5.0, beginning in summer 2022, the CVE List download options currently provided by the CVE Program (i.e., CSV, HTML, XML and CVRF) will no longer be supported.

After the JSON 4.0 retirement date (which will be announced/confirmed in spring 2022), the CVE List (as of that date) in all JSON 4.0 supported formats will be available in an archive and the CVE List will be downloadable only in JSON 5.0 format.

This change is to ensure data in all required and optional data fields of CVE Records in JSON 5.0 are included in the CVE List downloads. The CVE website will also display CVE Records in JSON 5.0 format.

What This Change Means for CNAs and CVE Consumers

  • There will be no direct impact to CNAs regarding the download format changes unless they are also downstream CVE consumers.
  • CVE consumers such as tool vendors, researchers, and others will need to ensure that their internal processes are prepared for ingesting JSON-only content beginning in spring 2022.

You can also start getting up to speed on the new JSON 5.0 format with the following resources:

Comments or Questions?

If you have any questions about this announcement, please respond to this email or use the CVE Program Request forms and select “Other” from the dropdown menu.