CVE Services

CVE Services: Automated ID reservation and record publishing

The CVE Program provides a self-service web interface for reserving CVE IDs and publishing CVE Records. With CVE Services, CVE Numbering Authorities (CNAs) save time and reduce costs by directly and efficiently managing their own CVE content.

To begin using the services, you’ll need to:

  1. Obtain account credentials
  2. Choose and begin using a web-based or command line client (for interacting with the services)

Below you will find an overview with current version and status, information on how to obtain credentials for using the services, a workflow tutorial, demos of the clients used to interact with the services, and more.

CVE Services Overview

CVE Services are the CVE Program’s automated tools for CVE Numbering Authority (CNA) ID reservation and record publication. CVE Services uses the CVE Record Format, as noted below.

Current Status

Known Issues

CVE Record Retrieval returning over 500 records may return incomplete results

Added: 4/14/2023 — When both of the following conditions are present, the results returned may be incomplete (i.e., one record may be dropped): (1) a CNA submits a CVE Record lookup that returns over 500 records, AND (2) that CNA owns records that are being updated (either by the CNA or the Secretariat) at the exact instant the retrieval is being processed. CNAs that repeatedly retrieve more than 500 records from CVE Services (using the GET /cve-id endpoint) should contact the Secretariat for guidance on how best to implement/use this function in their client.

NOTE: Please report any anomalous behavior in CVE Services to the CVE Automation Working Group (AWG) at awg@cve-cwe-programs.groups.io. Questions about your chosen CVE Services Client should be directed to the client developers (learn more here).

CVE Services Architecture

The CVE Services architecture includes three components, as shown below. CNAs will use CVE Services Clients to interact with the components from a single interface.

CVE ID Reservation (IDR) Service

  • Direct and on-demand CVE ID reservations
  • Reserve any number of CVE IDs, in sequential or non-sequential order

CVE Record Submission and Upload Service (RSUS)

  • Populate details of a CVE Record
  • Submit a CVE Record for publication on the CVE List
  • Update CVE Records on-demand

CVE Services User Registry

  • Authenticates and manages the users of the services for CNA organizations

For a detailed explanation of CVE Services and the services architecture, watch the “Introduction to CVE Services (2022)” and “CVE Services (2023)” videos. For the most recent updates, watch the “CVE Services Infrastructure Updates (2024)” video.

CVE Record Format

CVE Services uses the CVE Record Format (view schema ReadMe), which normalizes and enriches how CVE information is presented, and adds optional data fields to CVE Records, such as: severity scores, credit for researchers, additional languages, affected product lists, additional references, ability for community contributions, etc.

For additional information, visit the cve-schema repository on GitHub or watch the “CVE JSON 5.x: Introduction/Guidance/Q&A (2022)”, “CVE JSON 5.x Guidance (2023),” and “CVE JSON 5.0 Experiences (2023)” videos:

Current Version of CVE Record Format Schema

The current official version of the CVE Record Format Schema in CVE JSON is Version 5.1.1.

A single schema file with bundled dependencies is available in the cve-schema repository on GitHub.

Obtaining CVE Services Account Credentials

Only CNAs with an active CVE Services User Account (with valid credentials) are eligible to use CVE Services. CNA organizations MUST have one or more Organizational Administrators (OAs) and may have any number of individual user accounts.

Separate credentials are required for the “CVE Services Test Instance.” Please use the same process provided below to obtain services account credentials, but specify that you are requesting credentials for the test instance.

Organizational Administrators

Each CNA has one or more CVE Services OAs that will be responsible for:

  • Managing CVE Services Accounts for the CNA (i.e., creating/deactivating CVE Services Account, resetting user credentials)
  • Affirming that each user to whom they grant an account is authorized to manage CVE Records
  • Ensuring that there is individual accountability for actions taken by CVE Services users from that CNA:
    • CVE Services requires individuals to authenticate for each transaction and performs individual user logging
    • However, if a CNA uses a common account (which is highly discouraged) to publish/manage CVE Records, it is the responsibility of that CNA’s OA to maintain individual accountability for who has performed CVE Services transactions on behalf of that CNA

To obtain CVE Services Organizational Administrator (OA) credentials, CNAs should contact their Root (CISA ICS, Google, INCIBE, JPCERT/CC, Red Hat, or Thales Group), or their Top-Level Root (CISA or MITRE).

Individual CNA Users

CNA users obtain accounts through an account request to their CNA’s CVE Services OA. Once granted, the user will receive three pieces of information that will be used to authenticate each CVE Services request:

  1. User ID: Often this is the person’s email address.
  2. CNA Short name: An alphanumeric string that is used to reference the CNA that the user is representing. This name must match the “short name” in the CVE Services database.
  3. API Secret: A randomly generated alphanumeric string that is used to authenticate the user. Each account (i.e., user) has a unique API Secret. These API keys are often used in scripts and custom code, and they should be adequately secured.

Watch the “How to Get a CVE Services Account (for CNAs only)” video:

CVE Record Workflow

CVE Services is the CVE Program’s automation infrastructure that allows CNAs to submit and manage the CVE Records that they produce. CVE Records submitted through CVE Services are published to the CVE List on an hourly basis.

The CVE Services API allows authenticated CNA personnel to reserve CVE IDs and populate, submit, and update CVE Records. That workflow is described in the “CVE Record Workflow Overview Tutorial” video below:

Learn about CVE Record hygiene in this video:

Learn how to use CVE Services to retrieve a list of your RESERVED CVE IDs here.

All CNAs must ensure their staff are using CVE Services correctly and responsibly. Please use the Testing infrastructure to familiarize your team BEFORE attempting to use Production CVE Services. Your CVE Services OA can manage credentials for your staff to access the test environment.

The Test CVE Services is available using the CVE Services Clients below, or directly via the API. When working with CVE IDs and CVE Records in the Test system, you can review your results in the TEST.CVE.ORG website. This is very helpful to ensure your Record content will be correct and complete when you move to production.

WARNING: All content you publish to Test is PUBLIC. Use fake data for Record content in Test. Do not leak embargoed vulnerability details.

After training using Test, you can also use the Test environment for ensuring changes you make in your Record content will look correct (using fake data). After successfully using Test, you can use Production CVE Services to publish, update, or reject CVE Records.

Using CVE Services Clients

CVE Services Clients are used to reserve CVE IDs and populate, submit, and update CVE Records.

How the Clients Work with CVE Services

Currently available CVE Services clients:

cveClient

  • A rudimentary CVE Record editor/submission tool, recently developed to simplify the creation and submission of CVE Records
  • Can be downloaded and installed as a server, or it can be accessed via a website
  • Supports user account management

cvelib

  • A simple library and command line interface (CLI) for the CVE Services API
  • Can be integrated into an existing vulnerability management infrastructure or be used as a stand-alone CLI
  • Supports user account management

Community-Developed Tools and Resources

The tools and resources noted below are created by the community, for use by the community, in support of the CVE Services clients and CVE JSON. Note that the CVE Program does not maintain any of the items listed below. Please contact the maintainer of a tool or resource directly with any comments or concerns.

  • cvelint – A command line interface tool that validates CVE Records for possible errors that are neither enforceable by the CVE JSON schema nor validated on the CVE Services backend when a CVE Record is created/updated. cvelint is hosted on GitHub. View the cvelint ReadMe.
  • CVE CNA Bot – This GitHub action validates CVE JSON records and (optionally) submits them to the CVE RSUS service. View the CVE CNA Bot ReadMe.

Build Your Own CVE Services Client

If a CNA or individual is interested in fielding its own CVE Services client, the CVE Services Server API documentation will provide the interface specification to allow you to develop your own client. Use the CVE Services “test environment” to explore capabilities and confirm your scripts BEFORE using production.

CVE Services API

Test:

Production:

To support CVE Services Client development, the documentation offers an abstract example of the data to submit to these endpoints. Additionally, concrete examples of the data (referred to as a “CNA Container”) to submit via a POST /cve/{id}/cna endpoint (or PUT /cve/{id}/cna endpoint) can be found at the following links:
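The credential triple described under “Individual CNA Users” and the CNA Container submitted to the POST /cve/{id}/cna endpoint, as an added Python example that is not CVE Program or client code: it maps the three credentials onto the request headers the CVE Services API uses, masks the API Secret for logging, and sanity-checks a minimal CVE JSON 5.x container before assembling the request (nothing is sent). The environment variable name and the placeholder base URL are assumptions, and the record content is constructed fake data of the kind the Test environment calls for.

```python
# Added example, not CVE Program code: assemble an authenticated POST /cve/{id}/cna
# request. Assumed: env var name below; BASE_URL stands in for the documented URL.
import json
import os
BASE_URL = os.environ.get("CVE_SERVICES_URL", "https://cve-services.example/api")
# Header names the CVE Services API uses for the three credential parts.
HEADER_USER, HEADER_ORG, HEADER_KEY = "CVE-API-USER", "CVE-API-ORG", "CVE-API-KEY"

def auth_headers(user, org, key):
    """Map User ID, CNA short name and API Secret onto request headers."""
    for name, value in (("User ID", user), ("CNA short name", org), ("API Secret", key)):
        if not value or not value.strip():
            raise ValueError(f"missing CVE Services credential: {name}")
    return {HEADER_USER: user, HEADER_ORG: org, HEADER_KEY: key, "Content-Type": "application/json"}

def redact(headers):
    """Copy of the headers that is safe to log: the API Secret is masked."""
    return {k: "<redacted>" if k == HEADER_KEY else v for k, v in headers.items()}

def check_cna_container(container):
    """List what RSUS would reject: no English description, affected entries
    without vendor/product, or no reference with a url."""
    problems = []
    descs = container.get("descriptions", [])
    if not any(d.get("lang", "").startswith("en") and d.get("value") for d in descs):
        problems.append("no English description")
    affected = container.get("affected") or []
    if not affected:
        problems.append("no affected products")
    for i, a in enumerate(affected):
        if not a.get("vendor") or not a.get("product"):
            problems.append(f"affected[{i}] lacks vendor or product")
    if not any(r.get("url") for r in container.get("references", [])):
        problems.append("no references with a url")
    return problems

def build_publish_request(cve_id, container, creds):
    """Return method, URL, headers and JSON body for POST /cve/{id}/cna."""
    problems = check_cna_container(container)
    if problems:
        raise ValueError("; ".join(problems))
    return {"method": "POST", "url": f"{BASE_URL}/cve/{cve_id}/cna",
            "headers": auth_headers(*creds), "body": json.dumps({"cnaContainer": container})}

SAMPLE_CONTAINER = {  # constructed fake content, as the page advises for Test
    "affected": [{"vendor": "ExampleVendor", "product": "ExampleApp",
                  "versions": [{"version": "1.0", "status": "affected"}]}],
    "descriptions": [{"lang": "en", "value": "Constructed test description only."}],
    "references": [{"url": "https://example.com/advisory"}]}
```

Log only `redact(headers)`, never the raw header dict, so the API Secret does not end up in client logs or CI output.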

Test Environment

A CVE Services “Test Environment” consisting of the CVE Services test instance API noted above and a CVE website test instance is available for partners to test the integration of CVE Services into their existing vulnerability management infrastructures.

By using the test environment, which is completely separate from the official CVE Services, CNAs can assign test CVE IDs and publish and edit test CVE Records and view them on the test CVE website with no impact on their official CVE IDs or CVE Records. Partners wishing to develop their own CVE Services clients can also use the test environment to verify that their client is working properly.

The test environment provides for unlimited self-training and process testing as organizations use CVE Services and CVE JSON.

A separate set of “test” credentials is required for access. Learn how to acquire test credentials here.

Help

Questions from CNAs about the CVE Services API can be posted to the CVE Program #cve-services Slack channel (request an invite through the CVE Program Request web forms and use the “Other” form). This channel is monitored 9:00 a.m. – 5:00 p.m. ET by CVE Services developers who can answer some of your technical questions about the interface.

CNAs may also send questions to the CVE Program Secretariat through the CVE Program Request Web forms (use the “Other” form).

Questions about your chosen CVE Services Client should be directed to the client developers.