CVE - CVE and NVD Relationship

CVE and NVD Relationship

CVE and NVD Are Two Separate Programs

The CVE List was launched by MITRE as a community effort in 1999, and the U.S. National Vulnerability Database (NVD) was launched by the National Institute of Standards and Technology (NIST) in 2005.

CVE - A list of entries—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities. CVE Entries are used in numerous cybersecurity products and services from around the world, including NVD.

NVD - A vulnerability database built upon and fully synchronized with the CVE List so that any updates to CVE appear immediately in NVD.

Relationship – The CVE List feeds NVD, which then builds upon the information included in CVE Entries to provide enhanced information for each entry such as fix information, severity scores, and impact ratings. As part of its enhanced information, NVD also provides advanced searching features such as by OS; by vendor name, product name, and/or version number; and by vulnerability type, severity, related exploit range, and impact.

While separate, both CVE and NVD are sponsored by Network Security Deployment, National Cybersecurity and Communications Integration Center in the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Division at the U.S. Department of Homeland Security, and both are available to the public and free to use.

Page Last Updated or Reviewed: January 30, 2019

Use of the Common Vulnerabilities and Exposures (CVE®) List and the associated references from this website are subject to the terms of use. CVE is sponsored by NSD, NCCIC in CISA’s Cybersecurity Division at the U.S. Department of Homeland Security. Copyright © 1999–2019, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation.