CVE Services are the CVE Program’s automated tools for CVE Numbering Authority (CNA) ID assignment and record publication. JSON is the format used by CNAs for publishing CVE Records.

Any CNA may use the CVE Services. Please contact your Root to register for a CVE Services Organizational Administrator (OA) Account to begin the process.

Services Overview

CVE Services is a CVE Program Web Application that allows members of the CVE Number Authority (CNA) community to reserve CVE IDs and publish/update/reject CVE Records 24/7. It is meant to fully automate the CVE Record publication process that is used today that often involves significant manual intervention and maintenance.

CVE Services 2.1 — In 2022, the CVE Program will adopt CVE Services 2.1, which is a major upgrade that includes the CVE Record Submission and Upload Service (RSUS) and the new CVE JSON 5.0 data format. With the deployment of CVE Services 2.1, CNAs will be able to perform the most common CVE Program functions in a more efficient manner, obtaining results in the matter of minutes.

Architecture

The CVE Services architecture includes the following components:

  1. CVE ID Reservation (IDR) service – enables CNAs to directly reserve any number of candidate CVE IDs, or blocks of CVE IDs, in sequential or non-sequential order, for CVE ID assignments by the CNA.
  2. CVE Record Submission and Upload (RSUS) service – enables CNAs to directly populate the details of their CVE Records and upload them for publication to the CVE List.
  3. CNA User Registry – authenticates and manages the users of the services for CNA organizations.

Resources on GitHub

CNA sign-up

  • CVE Services Organizational Administrator (OA) Account registration form (request from your Root)

JSON Overview

JSON is the format used by CNAs for publishing CVE Records. In 2022, the CVE Program will adopt CVE JSON 5.0, which is a major upgrade to JSON 4.0 that further normalizes and enriches how CVE information is presented. It adds several new data fields to CVE Records. In addition to the required data of CVE ID number, affected product(s), affected version(s), and public references, JSON 5.0 CVE Records will now include optional data such as severity scores, credit for researchers, additional languages, affected product lists, additional references, ability for community contributions, etc. This optional data will enhance CVE Records for both downstream users and the overall vulnerability management community.

Learn more about How the New CVE Record Format Is a Game Changer.

Resources on GitHub

Additional Resources

Other helpful resources are hosted on the main CVE website: