Mission and Overview
NVD is the U.S. government repository of standards based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA).
Resource Status

NVD contains:

55102 CVE Vulnerabilities
202 Checklists
231 US-CERT Alerts
2692 US-CERT Vuln Notes
8140 OVAL Queries

Last updated: 02/16/13

CVE Publication rate:

14 vulnerabilities / day
Email List

NVD provides five mailing lists to the public. For information and subscription instructions please visit NVD Mailing Lists

Workload Index
Vulnerability Workload Index: 7.13
About Us

NVD is a product of the NIST Computer Security Division and is sponsored by the Department of Homeland Security’s National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).

NVD Frequently Asked Questions

What is NVD’s purpose?
What is the difference between NVD and the Common Vulnerabilities and Exposures (CVE) standard vulnerability dictionary?
What is the relationship between NVD and the Common Vulnerabilities and Exposures (CVE) standard vulnerability dictionary?
How can my organization use NVD data within our own products and services?
Why does the NVD search engine return hyperlinks to non-NVD vulnerability resources?
What is the purpose of the statistics engine?
How should I use the Common Vulnerability Scoring System (CVSS) scores provided by NVD?
How are Linux vulnerabilities handled within NVD?
How does NVD assign vulnerability severity scores?
How often is NVD updated?
How often are the NVD RSS and XML feeds updated?
How many days worth of data are contained in the “recent” and “modified” XML files (nvdcve-recent.xml and nvdcve-modified.xml)?
How do I link into NVD from my security product or service?
How do I put an NVD search engine on my web site?
Are vulnerabilities ever deleted from NVD?
I am a software vendor and want to dispute that a vulnerability exists. What should I do?
I have found an error within an NVD Vulnerability Summary. What should I do?
How does NVD assign impact types to vulnerabilities?
What are the "Vendor Statements"?


What is NVD’s purpose?
NVD was created to serve a specific mission and mandate, to provide technical capabilities that were previously unavailable, and to support a variety of vulnerability standards. As for mission and mandate, the United States President issued the National Strategy to Secure Cyberspace, which gave the Department of Homeland Security (DHS) the mandate to warn the public about vulnerabilities in computer systems. NVD helps DHS fulfill that mission by offering official vulnerability information on all known computer vulnerabilities. As for technical capabilities, NVD provides this information via a fine-grained search engine while integrating all publicly available U.S. government vulnerability resources. All of this information is given away for free, with no licensing restrictions, through XML and RSS feeds. Statistics on the nature of these vulnerabilities are provided through the NVD statistics engine, which allows users to assess changes in vulnerability discovery rates within specific products or within specific types of vulnerabilities. As for standards support, NVD is the only database that is completely based upon the Common Vulnerabilities and Exposures (CVE) standard vulnerability dictionary. It is the only database providing Common Vulnerability Scoring System (CVSS) scores for all CVE vulnerabilities. And it is the only vulnerability database that integrates Open Vulnerability Assessment Language (OVAL) queries.

What is the difference between NVD and the Common Vulnerabilities and Exposures (CVE) standard vulnerability dictionary?
NVD is the CVE standard augmented with additional analysis, a database, and a fine-grained search engine. NVD is a superset of CVE. NVD is synchronized with CVE such that any updates to CVE appear immediately in NVD.

What is the relationship between NVD and the Common Vulnerabilities and Exposures (CVE) standard vulnerability dictionary?
There is no formal relationship between NVD and CVE; however, both projects are sponsored by the Department of Homeland Security's US-CERT. NVD depends completely upon CVE, and without the hard work of the CVE staff, NVD could not operate.

How can my organization use NVD data within our own products and services?
All NVD data is freely available from our XML feeds. There are no fees, licensing restrictions, or even a requirement to register. See http://nvd.nist.gov/download.cfm for more information.

Why does the NVD search engine return hyperlinks to non-NVD vulnerability resources?
NVD integrates all publicly available U.S. government vulnerability resources within a single search engine. Thus, when you do a search, NVD returns all relevant U.S. government hyperlinks. NVD always returns an NVD vulnerability summary for each CVE vulnerability. The "Resource Status" section in the NVD left bar shows how many non-NVD U.S. government vulnerability resources are integrated into NVD. Note that NVD also contains large numbers of industry vulnerability references within the NVD vulnerability summaries.

What is the purpose of the statistics engine?
The NVD statistics engine allows one to generate statistics on vulnerability trends over time. One can track particular products or vendors. Alternately, one can track sets of vulnerabilities with particular attributes (such as remotely exploitable buffer overflows). The most important use of the statistics engine is to look at the past history of a product as an indicator of whether or not it is likely to be vulnerable in the future. For example, the statistics engine has revealed that some major software vendors have exponentially increasing numbers of vulnerabilities being discovered in their products every year, while the vulnerability discovery rate for other software vendors is staying steady or falling. One should consider not purchasing products that are shown to be continually vulnerable (especially those that have many high severity vulnerabilities).

How should I use the Common Vulnerability Scoring System (CVSS) scores provided by NVD?
The CVSS scores within NVD can be used to prioritize how an organization handles vulnerabilities. For example, vulnerabilities with scores of 7 and greater should be addressed quickly (possibly through an expedited change management process), while vulnerabilities with scores of less than 3 can usually be addressed through one's regular patching process. In addition, one can click on a CVSS score within NVD to bring up a scoring calculator that allows users to understand how the score was created and to customize the score for the user's organization.
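As an added example (not code from NVD or NIST), the following Python computes a CVSS v2 base score from the vector string NVD publishes with each entry and sorts a batch of entries into the handling lanes the answer above describes. The metric weights and formula are those of the CVSS v2 specification that NVD scores against; the thresholds of 7 and 3 come from this answer, while the "scheduled" label for the middle band, the helper names, and the sample CVE names are assumptions made for the example.

```python
"""CVSS v2 base score from an NVD vector string, plus score-driven triage (added example)."""
import math

# Base-metric weights as defined in the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
REQUIRED_METRICS = ("AV", "AC", "Au", "C", "I", "A")


def round_half_up(x):
    """CVSS v2 rounds to one decimal, half up; Python's round() is banker's rounding."""
    return math.floor(x * 10 + 0.5) / 10


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P', with or without NVD's surrounding parentheses."""
    pairs = [part.split(":", 1) for part in vector.strip().strip("()").split("/")]
    metrics = {key: value for key, value in pairs}
    missing = [m for m in REQUIRED_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"vector is missing metrics {missing}: {vector!r}")
    return metrics


def base_score(vector):
    """CVSS v2 base score: Impact and Exploitability sub-scores combined and rounded."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA_IMPACT[m["C"]]) * (1 - CIA_IMPACT[m["I"]]) * (1 - CIA_IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176  # no C/I/A impact at all scores 0
    return round_half_up((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def triage(score):
    """Handling lane per the FAQ thresholds; the middle-band label is an assumption."""
    if score >= 7.0:
        return "expedited"  # FAQ: address quickly, possibly via expedited change management
    if score < 3.0:
        return "routine"    # FAQ: regular patching process
    return "scheduled"


def prioritize(entries):
    """entries: iterable of (cve_name, cvss_vector) -> [(cve_name, score, lane)], highest score first."""
    scored = []
    for name, vector in entries:
        score = base_score(vector)
        scored.append((name, score, triage(score)))
    return sorted(scored, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    # Constructed sample; the CVE names are placeholders, not real entries.
    sample = [
        ("CVE-2013-0001", "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"),
        ("CVE-2013-0002", "AV:L/AC:L/Au:N/C:N/I:N/A:P"),
        ("CVE-2013-0003", "AV:N/AC:M/Au:N/C:N/I:N/A:P"),
    ]
    for row in prioritize(sample):
        print(*row)
```

This reproduces only the base score. The calculator NVD links from each score lets you layer temporal and environmental metrics on top, which is the customization step the answer refers to; a local triage policy should apply those before committing to a lane.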

How are Linux vulnerabilities handled within NVD?
Linux distributions are often made up of large collections of independently developed software, and it is sometimes difficult to determine which software packages should be considered part of the operating system and which should be considered independent but merely included along with the operating system. In addition, some vulnerabilities occur within the Linux kernel, and for those vulnerabilities we do not enumerate all of the hundreds of Linux distributions.

How does NVD assign vulnerability severity scores?
NVD uses the Common Vulnerability Scoring System (CVSS). CVSS is an open standard for assigning vulnerability impacts that is used by a variety of organizations. NVD is the only repository of CVSS scores for all CVE vulnerabilities. See http://nvd.nist.gov/cvss.cfm?version=2 for more information.

How often is NVD updated?
NVD is updated immediately with raw vulnerability information whenever a new vulnerability is added to the Common Vulnerabilities and Exposures (CVE) standard dictionary of vulnerabilities. These raw vulnerabilities are then analyzed by NVD analysts and augmented with vulnerability attributes (e.g. vulnerable version numbers) within hours on normal U.S. government business days.

How often are the NVD RSS and XML feeds updated?
The RSS feeds and the "recent" and "modified" XML files (nvdcve-recent.xml and nvdcve-modified.xml) are automatically updated every 2 hours. The XML files that contain all vulnerabilities for a particular year are updated once per day, between 1 and 3 a.m. EST.

How many days worth of data are contained in the "recent" and "modified" XML files (nvdcve-recent.xml and nvdcve-modified.xml)?
These files contain eight days worth of new or modified vulnerabilities. The "recent" file includes all recently published vulnerabilities. The "modified" file includes all recently published and recently updated vulnerabilities.

How do I link into NVD from my security product or service?
See http://nvd.nist.gov/download.cfm#linking.

How do I put an NVD search engine on my web site?
See http://nvd.nist.gov/download.cfm#searchengine

Are vulnerabilities ever deleted from NVD?
No. Vulnerabilities that are rejected by the Common Vulnerabilities and Exposures (CVE) standard vulnerability dictionary (e.g. because they are duplicates) are labeled as such in the description with an explanation of the problem. The vulnerability attribute fields are then cleared. The NVD web site will always show a web page for rejected vulnerabilities if you send that CVE name in the URL but will never include them in a search result. In the NVD XML feed, rejected vulnerabilities have the “reject” attribute within the entry field equal to “0”.
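The feed answers above and the rejection rule here have consequences for anyone mirroring NVD: the modified file is regenerated every two hours but holds only eight days of changes, so a client that has been offline longer than that cannot catch up from it and must reload the per-year files; and rejected entries remain in the data with their attributes cleared, so they must be kept for lookups but excluded from search. The following Python consumer, an added example that is not part of the NVD site, applies those rules. The XML sample is constructed in the style of the 1.2 feed; the namespace, the entry attribute names (name, published, modified), and the "** REJECT **" description prefix used to recognise rejected entries are assumptions about the feed format rather than facts stated on this page (the FAQ describes a reject attribute on the entry, which a consumer should also check against the schema it downloads).

```python
"""Incremental consumer for the NVD 1.2 "modified" feed (added example; sample data constructed)."""
import xml.etree.ElementTree as ET
from datetime import date, datetime, timedelta

NS = "{http://nvd.nist.gov/feeds/cve/1.2}"   # assumed namespace of the legacy nvdcve-*.xml feeds
MODIFIED_WINDOW = timedelta(days=8)          # nvdcve-modified.xml holds eight days of changes (FAQ)
FEED_REFRESH = timedelta(hours=2)            # recent/modified files are regenerated every 2 hours (FAQ)
REJECT_MARKER = "** REJECT **"               # assumed label on the description of rejected entries

# Constructed sample in the style of nvdcve-modified.xml; the CVE names are placeholders.
SAMPLE_MODIFIED_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<nvd xmlns="http://nvd.nist.gov/feeds/cve/1.2">
  <entry type="CVE" name="CVE-2013-0001" seq="2013-0001" published="2013-02-10" modified="2013-02-15">
    <desc><descript source="cve">Constructed: stack overflow in an example daemon.</descript></desc>
  </entry>
  <entry type="CVE" name="CVE-2012-9999" seq="2012-9999" published="2012-12-01" modified="2013-02-14">
    <desc><descript source="cve">Constructed: older entry whose vulnerable versions were updated.</descript></desc>
  </entry>
  <entry type="CVE" name="CVE-2013-0002" seq="2013-0002" published="2013-02-09" modified="2013-02-16">
    <desc><descript source="cve">** REJECT ** Constructed: duplicate of another entry.</descript></desc>
  </entry>
</nvd>
"""


def as_date(value):
    """Accept a date object or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def parse_entries(xml_text):
    """Return {cve_name: record} for every <entry> in a 1.2-style feed document."""
    records = {}
    for entry in ET.fromstring(xml_text).iter(f"{NS}entry"):
        description = entry.findtext(f"{NS}desc/{NS}descript") or ""
        records[entry.get("name")] = {
            "published": as_date(entry.get("published")),
            "modified": as_date(entry.get("modified")),
            "description": description,
            # Rejected entries are never deleted (FAQ), so keep them but flag them;
            # searches must filter on this flag.
            "rejected": description.startswith(REJECT_MARKER),
        }
    return records


def sync(cache, feed_xml, last_sync, feed_date):
    """Merge a modified feed into a copy of cache (keyed by CVE name).

    Returns (merged_cache, needs_full_reload). If the gap since the last
    successful sync exceeds the eight days the modified file covers, changes
    may already have aged out of it, so the caller must reload the per-year
    files instead of trusting the incremental feed.
    """
    if as_date(feed_date) - as_date(last_sync) > MODIFIED_WINDOW:
        return dict(cache), True
    merged = dict(cache)
    for name, record in parse_entries(feed_xml).items():
        current = merged.get(name)
        if current is None or record["modified"] > current["modified"]:
            merged[name] = record
    return merged, False


def searchable(cache):
    """CVE names a search engine should return: everything that is not rejected."""
    return sorted(name for name, rec in cache.items() if not rec["rejected"])


def feed_is_stale(fetched_at, feed_generated):
    """True if a newer copy of the two-hourly feed should already exist (ISO strings or datetimes)."""
    fetched_at, feed_generated = (datetime.fromisoformat(v) if isinstance(v, str) else v
                                  for v in (fetched_at, feed_generated))
    return fetched_at - feed_generated > FEED_REFRESH


if __name__ == "__main__":
    cache, full = sync({}, SAMPLE_MODIFIED_FEED, "2013-02-12", "2013-02-16")
    print("full reload needed:", full)
    print("searchable:", searchable(cache))
```

The gap check is the part most mirrors get wrong: the modified feed looks complete on any given day, but after an outage longer than its window the only way to know what you missed is the daily per-year file.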

I am a software vendor and want to dispute that a vulnerability exists. What should I do?
NVD is completely based upon the Common Vulnerabilities and Exposures (CVE) standard vulnerability dictionary. Thus, to dispute a vulnerability, one should contact CVE at cve@mitre.org (and carbon copy NVD at nvd@nist.gov in the email). CVE will correct the problem (or mark the vulnerability as “vendor disputed”) and NVD will automatically update with the new information.

I have found an error within an NVD Vulnerability Summary. What should I do?
Send an email to nvd@nist.gov with an explanation of the error and any relevant details (e.g. sources of information that demonstrate the error).

How does NVD assign impact types to vulnerabilities?
NVD assigns vulnerabilities the following impact types: confidentiality ("allows unauthorized disclosure of information"), integrity ("allows unauthorized modification"), availability ("allows disruption of service"), and security protection ("provides unauthorized access"). The "provides unauthorized access" category refers to getting some sort of general privileges in the application or entire computer (e.g., getting "root access" or an application account). This category has three possible subcategorizations: one for user level access to the operating system, another for getting administrator privileges, and another for some other type of privileged access.

Note that NVD only records the impact types a vulnerability directly allows. Many vulnerabilities give an attacker general privileges on a computer or within an application (e.g., the ability to execute code). With that privilege, an attacker can always violate confidentiality, integrity, and availability. We don't denote this within NVD for two reasons. First, it should be obvious that this is true. Second, some vulnerabilities (usually buffer overflows) both directly violate confidentiality, integrity, or availability (usually availability) and also allow one to gain general "unauthorized access", and we want to be able to record that distinction. Lastly, if we labeled each "provides unauthorized access" vulnerability with "allows unauthorized disclosure of information", it would obscure within the search engine those vulnerabilities that are special in that they disclose information but don't give general access.


What are the "Vendor Statements"?
NVD allows software vendors to write official vendor statements about CVE entries. NIST does not moderate or endorse these statements and can make no guarantee as to their correctness or appropriateness.

Send comments or suggestions to nvd@nist.gov

NIST Computer Security Resource Center (CSRC)

NIST is an Agency of the U.S. Dept. of Commerce