Vulnerability Taxonomies
CVE
Definition
CVE (Common Vulnerabilities and Exposures) is the public identifier system for publicly disclosed cybersecurity vulnerabilities. The CVE Program is run by the MITRE Corporation and sponsored by CISA. Each CVE record assigns one identifier of the form `CVE-YYYY-NNNN` (a four-digit year followed by a sequence number of four or more digits) to one vulnerability, together with the products and versions it affects. The year is the year the ID was reserved, not necessarily the year the vulnerability was found or published.
What it means
CVE is the global lingua franca for vulnerability identification. When a vulnerability is identified, by a researcher, a vendor, or an automated scanner, a CVE Numbering Authority (CNA) whose scope covers the affected product assigns it a CVE ID. The published CVE record describes the vulnerability, lists the affected products and versions, and carries references to the public disclosure and any patches. Records are published by the CVE Program (cve.org) and ingested by the National Vulnerability Database (NVD), which enriches them with CVSS scores, CWE classifications and CPE product names. Since the CVE JSON 5 record format, a CNA may also include its own CVSS and CWE in the record; NVD's enrichment is a separate analysis and the two can disagree.
CVE is **not** a severity ranking; it is an identifier. Severity is expressed separately via CVSS, and a CVE ID on its own says nothing about exploitability or impact. CVE is **not** an exhaustive vulnerability database either: only vulnerabilities that reach a CNA receive IDs, and the disclosure path varies (some vendors publish advisories without requesting a CVE ID, and a reserved ID can remain non-public for a long time before its record is published).
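As an added example (not code from the original page or from Melina's tooling), the following Python validates CVE IDs against the official ID grammar and then pulls identification fields out of a CVE record and severity fields out of the NVD enrichment that sits beside it, which is the split the two paragraphs above describe. The two JSON documents are constructed for this example; they follow the shape of the CVE Program's JSON 5.x record and the NVD API 2.0 response as I know them, so treat the exact key names as an assumption and check them against the published schemas. `CVE-2099-0001` is a placeholder ID, not a real record.

```python
"""Validate CVE IDs; separate what a CVE record asserts from what NVD adds.

Added example. Record shapes (CVE JSON 5.x, NVD API 2.0) are assumptions
modelled on the published schemas; the sample records are constructed and
the ID CVE-2099-0001 is a placeholder, not a real CVE.
"""
import json
import re
from typing import Optional

# Official CVE ID syntax: a four-digit year and a sequence number that is
# either exactly four digits (zero-padded) or five or more digits with no
# leading zero. A naive \d{4} or \d{5} silently rejects real IDs such as
# CVE-2021-44228 or CVE-2014-100000.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(0\d{3}|[1-9]\d{3,})$")


def normalize_cve_id(raw: str) -> str:
    """Return the canonical upper-case form of a CVE ID or raise ValueError.

    Accepts the sloppy forms that show up in tickets and scanner exports
    (lower case, stray whitespace) but rejects anything outside the grammar,
    including non-canonical sequence numbers like CVE-2024-01234.
    """
    candidate = raw.strip().upper()
    m = CVE_ID_RE.match(candidate)
    if not m:
        raise ValueError(f"not a CVE ID: {raw!r}")
    year, seq = m.groups()
    return f"CVE-{year}-{seq}"


# Constructed CVE record (CVE JSON 5.x shape, abridged). Note: no score here.
CVE_RECORD = json.loads("""
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.0",
  "cveMetadata": {"cveId": "CVE-2099-0001", "assignerShortName": "example", "state": "PUBLISHED"},
  "containers": {"cna": {
    "descriptions": [{"lang": "en", "value": "Placeholder description of a buffer overflow in ExampleD."}],
    "affected": [{"vendor": "ExampleCorp", "product": "ExampleD",
                  "versions": [{"version": "1.0", "status": "affected", "lessThan": "1.4", "versionType": "semver"}]}],
    "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-120",
                                        "description": "CWE-120 Buffer Copy without Checking Size of Input"}]}],
    "references": [{"url": "https://example.invalid/advisories/EX-2099-0001", "tags": ["vendor-advisory"]}]
  }}
}
""")

# Constructed NVD enrichment (NVD API 2.0 shape, abridged). This is where severity lives.
NVD_RESPONSE = json.loads("""
{"vulnerabilities": [{"cve": {
  "id": "CVE-2099-0001",
  "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
    "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                 "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
  "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-120"}]}]
}}]}
""")


def summarize_cve_record(record: dict) -> dict:
    """Extract what the CVE record itself asserts: ID, affected products, CWEs, references."""
    cna = record["containers"]["cna"]
    cve_id = normalize_cve_id(record["cveMetadata"]["cveId"])
    affected = [f"{a['vendor']}/{a['product']}" for a in cna.get("affected", [])]
    cwes = [d["cweId"] for pt in cna.get("problemTypes", [])
            for d in pt.get("descriptions", []) if d.get("type") == "CWE"]
    refs = [r["url"] for r in cna.get("references", [])]
    return {"id": cve_id, "affected": affected, "cwes": cwes, "references": refs}


def severity_from_nvd(nvd: dict, cve_id: str) -> Optional[dict]:
    """Return the CVSS v3.1 base metrics NVD attached to cve_id, or None if absent.

    None covers both "NVD has never heard of this ID" and "NVD has the ID but
    has not scored it yet"; callers must not treat None as "not severe".
    """
    wanted = normalize_cve_id(cve_id)
    for item in nvd.get("vulnerabilities", []):
        cve = item["cve"]
        if normalize_cve_id(cve["id"]) != wanted:
            continue
        for metric in cve.get("metrics", {}).get("cvssMetricV31", []):
            data = metric["cvssData"]
            return {"score": data["baseScore"], "severity": data["baseSeverity"],
                    "vector": data["vectorString"], "source": metric.get("source")}
        return None  # known to NVD, not yet analysed
    return None


if __name__ == "__main__":
    summary = summarize_cve_record(CVE_RECORD)
    print(summary)
    print(severity_from_nvd(NVD_RESPONSE, summary["id"]))
```

The point of keeping `summarize_cve_record` and `severity_from_nvd` separate is the one made above: the record identifies, NVD (or the CNA's own metrics) rates, and a missing score is an absence of analysis rather than a low severity.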
For Melina advisory work, CVE assignment is part of coordinated disclosure: when we identify a vulnerability in a third-party product, we request the CVE ID through the affected vendor's CNA or, where the vendor is not a CNA, through the CNA whose scope covers the product, falling back to MITRE as the CNA of Last Resort.
Related terms
Authoritative sources
- CVE Program (MITRE): https://www.cve.org/
- National Vulnerability Database (NVD): https://nvd.nist.gov/
---