CVE Services are the CVE Program’s automated tools for CVE Numbering Authority (CNA) ID assignment and record publication. CVE JSON is the format used by CNAs for publishing CVE Records.

Any CNA may use the CVE Services. See “CVE Services CNA sign-up” below for details.

Services Overview

CVE Services is a CVE Program Web Application that allows members of the CVE Number Authority (CNA) community to reserve CVE IDs and publish/update/reject CVE Records 24/7. It is meant to fully automate the CVE Record publication process that is used today that often involves significant manual intervention and maintenance.

CVE Services 2.1 — In 2022, the CVE Program adopted CVE Services 2.1, which is a major upgrade that includes the CVE Record Submission and Upload Service (RSUS) and the new CVE JSON 5.0 data format. With the deployment of CVE Services 2.1, CNAs are able to perform the most common CVE Program functions in a more efficient manner, obtaining results in the matter of minutes.

Watch the Introduction to CVE Services video.


The CVE Services architecture includes the following components:

  1. CVE ID Reservation (IDR) service – enables CNAs to directly reserve any number of CVE IDs, in sequential or non-sequential order, for CVE ID assignments by the CNA
  2. CVE Record Submission and Upload (RSUS) service – enables CNAs to directly populate the details of their CVE Records and upload them for publication to the CVE List
  3. CNA User Registry – authenticates and manages the users of the services for CNA organizations

CVE Services CNA sign-up

The CVE Program recommends that CNAs have a CVE Services Organizational Administrator (OA) Account adminstrator for its CVE Services account. The OA registration form maybe be requested your Root.

How to request credentials:

  • If your organization already has an Organizational Administrator (OA) account for the CVE Services, ask your admin for credentials
  • Contact your Root (Google, INCIBE, JPCERT/CC, or Red Hat) or Top-Level Root (CISA ICS or MITRE) and request credentials

Additional information about requesting credentials is here or watch the How to Get a CVE Services Account video.

CVE Services Clients

CVE Services is implemented as a client/server architecture. This enables CNAs to adopt an already existing client and install and execute it in their own environment to assign CVE IDs and create and submit CVE Records.

Three clients are currently available for use as part of CVE Services/JSON 5.0 deployment:

You may also build your own client for the CVE Services API:

Resources on GitHub

JSON Overview

CVE JSON is the format used by CNAs for publishing CVE Records. In 2022, the CVE Program will adopt CVE JSON 5.0, which is a major upgrade to JSON 4.0 that further normalizes and enriches how CVE information is presented. It adds several new data fields to CVE Records. In addition to the required data of CVE ID number, affected product(s), affected version(s), and public references, JSON 5.0 CVE Records will now include optional data such as severity scores, credit for researchers, additional languages, affected product lists, additional references, ability for community contributions, etc. This optional data will enhance CVE Records for both downstream users and the overall vulnerability management community.

Watch the CVE JSON 5.0 demo.

Resources on GitHub

Additional Resources

Other helpful resources are hosted on the main CVE website: