Frequently Asked Questions (FAQs) about the CVE ID Reservation Service, Record Submission and Upload Service, and CVE JSON 5.0 (i.e., CVE Services 2.1/CVE JSON 5.0) are included below. If you have additional questions, please submit them to the CVE Program Secretariat using the CVE Program Request web forms (select the “Other” form).

What are the CVE Services?

CVE Services is a RESTful CVE Program Web application (and its associated processes) that provides a series of Application Programming Interfaces (APIs) for CVE Numbering Authorities (CNAs) to reserve CVE IDs and submit/update/reject CVE Records directly to the CVE List without the need for manual processing.

CVE Services includes the following components:

  1. CVE ID Reservation (IDR) service – enables CNAs to directly reserve any number of candidate CVE IDs in sequential or non-sequential order, for CVE ID assignments by the CNA
  2. CVE Record Submission and Upload (RSUS) service – enables CNAs to directly populate the details of their CVE Records and upload them for publication to the CVE List
  3. CNA User Registry – authenticates and manages the users of the services for CNA organizations

What is the CVE JSON 5.0 format?

CVE JSON 5.0 is the CVE Program’s format/data schema for CVE Records. The CVE Program is currently in a data format transition from the CVE JSON 4.0 Schema to the CVE JSON 5.0 Schema. You can learn more about the CVE JSON 5.0 schema here.

Will the CVE JSON 4.0 format be deprecated? When?

Yes. The CVE Program’s plan is to deprecate the CVE JSON 4.0 format over time. However, a specific date for CVE JSON 4.0 deprecation has not been set (the CVE Board has yet to make this decision). Both formats, CVE JSON 5.0 and CVE JSON 4.0, will be supported until the yet-to-be-determined CVE JSON 4.0 Sunset Date is reached (see Transition Bulletin #9). We will be in a transition period until that time. The goal of the transition period is to provide community stakeholders with ample time to prepare for the transition to CVE JSON 5.0.

What is the “transition period”?

The Transition Period is the timeframe in which both CVE JSON 4.0 and CVE JSON 5.0 are supported by the CVE Program. The duration of the Transition Period has not been determined yet by the CVE Board, but it is expected to be no earlier than six months after CVE Services “hard deploy” (see What is meant by CVE Services 2.1 “hard deploy”?).

Does RSUS support CVE JSON 4.0 submissions during the transition period?

No. Although the CVE Program will continue to support CVE JSON 4.0 submissions until its Sunset Date through other methods, there are no plans for RSUS to process CVE JSON 4.0 records. If a CNA wishes to submit CVE JSON 4.0 records during the transition period, the CNA must use the currently existing CVE Record Submission methods (i.e., CVEList GitHub Pilot and the CVE Program Request web forms).

After CVE Services 2.1 hard deploy, users can view and download the full CVE List in CVE JSON 5.0 format from a “to be designed” site much like the full CVE List in CVE JSON 4.0 format can be downloaded from the CVE List GitHub submission pilot today.

How can CNAs submit CVE Records in CVE JSON 4.0 during the transition period?

During the transition period, CNAs will continue to submit CVE Records in CVE JSON 4.0 format as they have in the past using the CVEList GitHub Pilot or CVE Program Request web forms.

RSUS will not process CVE JSON 4.0 records.

How can CNAs submit CVE Records in CVE JSON 5.0 format?

CVE Records in CVE JSON 5.0 format may only be submitted through RSUS/CVE JSON 5.0-compliant clients (see Getting Started with CVE Services for a list of currently available clients) during and after the transition period.

IMPORTANT: CVE JSON 5.0 submissions will not be accepted through the CVEList GitHub Pilot or CVE Program Request web forms, which only accept CVE JSON 4.0-format submissions. If CVE JSON 5.0 records are submitted through either of these CVE JSON 4.0-only methods, they will be returned to the submitter. They can be resubmitted in CVE JSON 4.0 format.
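A pre-submission check that a CNA could run to avoid sending a record to a channel that will return it is sketched below. It is an added example, not code from the CVE Program or any CVE Services client; the function names and the sample records (with placeholder CVE IDs) are constructed for illustration, and the format detection relies only on the top-level keys of the public CVE JSON 4.0 and 5.0 schemas.

```python
import json

# Channel names are quoted from the FAQ; the field names are the top-level
# keys of the public CVE JSON 4.0 and 5.0 schemas.
CHANNELS = {
    "4.0": "CVEList GitHub Pilot or CVE Program Request web forms",
    "5.0": "RSUS via a CVE Services client",
}

def detect_format(record):
    """Return '4.0', '5.0', or None for an unrecognised or mixed record."""
    if not isinstance(record, dict):
        return None
    is_v5 = (record.get("dataType") == "CVE_RECORD"
             and record.get("dataVersion") == "5.0"
             and isinstance(record.get("cveMetadata"), dict)
             and isinstance(record.get("containers"), dict))
    is_v4 = (record.get("data_type") == "CVE"
             and record.get("data_version") == "4.0"
             and isinstance(record.get("CVE_data_meta"), dict))
    if is_v5 == is_v4:  # neither format, or keys from both mixed together
        return None
    return "5.0" if is_v5 else "4.0"

def route(raw_json):
    """Return (format, cve_id, channel); raise ValueError if unroutable."""
    try:
        record = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from None
    fmt = detect_format(record)
    if fmt is None:
        raise ValueError("record is neither CVE JSON 4.0 nor CVE JSON 5.0")
    if fmt == "5.0":
        cve_id = record["cveMetadata"].get("cveId")
    else:
        cve_id = record["CVE_data_meta"].get("ID")
    return fmt, cve_id, CHANNELS[fmt]

# Constructed samples: placeholder IDs, trimmed to the identifying fields.
SAMPLE_V4 = json.dumps({"data_type": "CVE", "data_format": "MITRE", "data_version": "4.0",
    "CVE_data_meta": {"ID": "CVE-1900-0001", "STATE": "PUBLIC"}})
SAMPLE_V5 = json.dumps({"dataType": "CVE_RECORD", "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-1900-0002", "state": "PUBLISHED"},
    "containers": {"cna": {}}})

if __name__ == "__main__":
    for sample in (SAMPLE_V4, SAMPLE_V5):
        print(route(sample))
```

This check only identifies the record format; it does not validate the record against the full schema.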

How can I view the CVE List in CVE JSON 4.0 format during the transition period?

Searching for CVE Records in CVE JSON 4.0 format will continue to be available at CVE - Search CVE List (cve.mitre.org) during the transition period.

How can I view the CVE List in CVE JSON 5.0 format?

Prior to CVE Services 2.1 hard deploy (see What is meant by CVE Services 2.1 hard deploy?) users can view CVE Records in CVE JSON 5.0 format using the CVE ID Lookup bar located at the top of every page on the www.cve.org website. This function will find a single CVE ID record, render it for viewing, and provide a link to the CVE JSON 5.0 record. (The CVE ID Lookup bar only supports individual record retrieval. It does not support downloads of the full CVE List in CVE JSON 5.0 format.)

How can I download the CVE List in CVE JSON 4.0 format during the transition period?

During the transition period, CVE Records may still be downloaded in CVE JSON 4.0 format on the CVEList GitHub Pilot website while the traditional CVE List download formats will continue to be available for download from https://www.cve.org/Downloads.

How can I download the CVE List in CVE JSON 5.0 format?

See Now Available — CVE List Downloads in CVE JSON 5.0 Format on the main CVE.ORG website.

During the transition period, will the CVE List in CVE JSON 5.0 format comprise the same vulnerabilities as the CVE List in CVE JSON 4.0 format?

Yes. During the transition period, as both formats are supported, the two lists will be kept in sync so users can view records in either format. Every CVE Record submitted in CVE JSON 4.0 format will be “upconverted” to CVE JSON 5.0 format and viewable in that format. Every CVE Record submitted in CVE JSON 5.0 format will be “down converted” to CVE JSON 4.0 format and viewable in that format.

How do I get started with the new RSUS service?

CVE Services functions are accessed through CVE Services clients that are developed by CNAs as part of their vulnerability management infrastructures or by adopting an already existing client that is known to operate with CVE Services. See Getting Started with CVE Services for additional information.

Do I have to develop my own CVE Services Client?

No. There are several RSUS clients that are available for adoption. Some of these are available to run through a web browser, while others can easily be integrated into an existing vulnerability management infrastructure. See Getting Started with CVE Services for additional information.

If a CNA wishes to develop its own CVE Services client, the API is publicly available here.

What is meant by CVE Services 2.1 “soft deploy”?

CVE Services 2.1 soft deploy references a deployment of CVE Services (completed at the end of October 2022) which offered the new RSUS interfaces for CNAs to submit/update CVE JSON 5.0 records. This deployment marked the beginning of the transition from CVE JSON 4.0 to CVE JSON 5.0 format. (See What is the transition period?)

The specific objectives of this soft deploy were two-fold:

  1. To allow CNAs to begin submitting/updating CVE JSON 5.0 records directly to the CVE List.
  2. To allow the CVE Community to identify CVE Services 2.1/CVE JSON 5.0 Soft Deploy - Prioritized Issues that must be addressed prior to making CVE Services the primary submission workflow for the CVE Program (i.e., post the transition period).

What is meant by CVE Services 2.1 “hard deploy”?

Where CVE Services 2.1 soft deploy focused heavily on CVE Record submission, i.e., introducing the RSUS/CVE JSON 5.0 submission capability, “hard deploy” will focus more on introducing capability for downstream users (i.e., the ability to view and bulk download the CVE List in CVE JSON 5.0 format).

Specifically, hard deploy:

  1. Addressed CVE Services 2.1 issues identified during the couple of months of RSUS execution.
  2. Deployed a CVE JSON 5.0 “bulk download” capability that allows downstream users to download the full CVE List in CVE JSON 5.0 format.

When did CVE Services 2.1 hard deploy occur?

The CVE Program achieved “hard deploy” of the CVE Services, CVE JSON 5.0, and the CVE JSON 5.0 Bulk Download capability on March 29, 2023. Learn more here.

What is the CVE Services “Test Environment” and how is it accessed?

A CVE Services test environment consisting of a CVE Services test instance and a CVE website test instance is available for partners to test the integration of CVE Services into their existing vulnerability management infrastructures. By using the test environment, which is completely separate from the official CVE Services, CNAs can assign test CVE IDs and publish and edit test CVE Records and view them on the test CVE website with no impact on their official CVE IDs or CVE Records. Partners wishing to develop their own CVE Services clients can also use the test environment to verify that their client is working properly. The test environment provides for unlimited self-training and process testing as organizations prepare to adopt the new CVE Services and the CVE JSON 5.0 record format.

A separate set of “test” credentials is required for access. Learn how to acquire credentials here.