CVE Services is the CVE Program’s automation infrastructure that allows CVE Numbering Authorities (CNAs) to submit and manage the CVE Records that they produce. The CVE Services API allows authenticated CNA personnel to reserve, submit, and update CVE Records. CVE Records submitted through CVE Services are published in the CVE List on an hourly basis.

To use CVE Services, a user MUST:

  • Be an authorized member of an active organization in the CVE Program
  • Have an active CVE Services User Account (with valid credentials)
  • Access CVE Services via the API (with one of the available Clients, a command line, or custom code)

CNA Management of CVE Services Accounts

Each CNA has one or more Organizational Administrators (OA) that will be responsible for:

  • Managing CVE Services Accounts for the CNA (i.e., creating/deactivating CVE Services Account, resetting user credentials)
  • Affirming that each user to whom they grant an account is authorized to manage CVE Records
  • Ensuring that there is individual accountability for actions taken by CVE Services users from that CNA:
    • CVE Services requires individuals to authenticate for each transaction and performs individual user logging
    • However, if a CNA is using a common account (which is highly discouraged) to publish/manage CVE Records, it is the responsibility of that CNA’s OA to maintain individual accountability for who has performed CVE Services transactions on behalf of that CNA

To obtain CVE Services Organizational Administrator (OA) credentials, CNAs should contact their Root (Google, INCIBE, JPCERT/CC or Red Hat) or their Top-Level Root (CISA ICS or MITRE).

Obtaining CVE Services Account Credentials

CNA users obtain accounts through an account request to their CNA’s CVE Services OA. Once granted, the user will receive three pieces of information that will be used to authenticate each CVE Services request:

  1. User ID: Often this is the person’s email address.
  2. CNA Short name: An alphanumeric string that is used to reference the CNA that the user is representing. This name must match the “short name” in the CVE Services database.
  3. API Secret: A randomly generated alphanumeric string that will be used to authenticate the user. Each account (i.e., user) has a unique API Secret. These API keys are often used in scripts and custom code and the keys should be adequately secured.
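As an added example (not code from the CVE Program or from any of the clients listed on this page), the following Python snippet shows how the three credentials map onto an authenticated CVE Services request: it reads them from environment variables rather than source code, redacts the API Secret from anything that gets printed or logged, and targets the test instance unless production is chosen explicitly. The header names and base URLs are assumed from the public CVE Services API documentation, not from this page, and the environment variable names are my own.

```python
"""Minimal authenticated CVE Services request builder (added example, not from the CVE Program)."""
import os
import re
import urllib.request
from dataclasses import dataclass

# Base URLs of the production and test instances (assumed; confirm against the API documentation).
PRODUCTION_URL = "https://cveawg.mitre.org/api"
TEST_URL = "https://cveawg-test.mitre.org/api"

# Assumed shape of a CNA short name: alphanumeric, as the page describes, plus '-' and '_'.
SHORT_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{2,32}$")


@dataclass(frozen=True)
class Credentials:
    user_id: str     # User ID, usually the person's e-mail address
    short_name: str  # CNA short name as registered in the CVE Services database
    api_secret: str  # per-user API Secret; never hard-code or log it

    def __repr__(self) -> str:
        # Redact the secret so an accidental print() or log line does not leak it.
        return f"Credentials(user_id={self.user_id!r}, short_name={self.short_name!r}, api_secret='***')"


def load_credentials(env=os.environ) -> Credentials:
    """Read the three credentials from the environment (variable names are this example's own)."""
    try:
        creds = Credentials(env["CVE_USER"], env["CVE_ORG"], env["CVE_API_KEY"])
    except KeyError as missing:
        raise RuntimeError(f"missing credential environment variable {missing}") from None
    if not SHORT_NAME_RE.fullmatch(creds.short_name):
        raise ValueError("CNA short name must be a short alphanumeric string")
    return creds


def auth_headers(creds: Credentials) -> dict:
    """Headers that authenticate a request; names as used by the CVE Services API (assumed)."""
    return {
        "CVE-API-ORG": creds.short_name,
        "CVE-API-USER": creds.user_id,
        "CVE-API-KEY": creds.api_secret,
        "Content-Type": "application/json",
    }


def build_request(creds: Credentials, path: str, test_instance: bool = True) -> urllib.request.Request:
    """Build a GET request; the test instance is the default so production is never hit by accident."""
    base = TEST_URL if test_instance else PRODUCTION_URL
    return urllib.request.Request(base + path, headers=auth_headers(creds), method="GET")
```

Nothing is sent at import time; a caller passes the returned request to urllib.request.urlopen() once the credentials for the right instance are in place.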

Obtaining Credentials for the CVE Services Test Instance

Separate credentials are required for the CVE Services Test Instance. Please use the same process provided in Obtaining CVE Services Account Credentials but specify that you are requesting credentials for the test instance.

Using a CVE Services Client to Interact with the CVE Services API

CVE Services is built as a client/server architecture with the CVE Services Server offering a stateless, RESTful Application Programming Interface (API) that is utilized by its CVE Services Clients. CVE Record Functions (i.e., Reserve a CVE ID, Submit/Update CVE Records) are completed by submitting CVE Services requests through a CVE Services Client to the CVE Services Server. Every CVE Record Submission/Update is authenticated before the request is carried out.

CVE Services API:

CVE Services Clients

Users select their “Client” of choice to submit their requests to CVE Services. Often, CNAs will build their own clients that will integrate into that CNA’s vulnerability management infrastructure, but this is not required.

If a CNA or individual is interested in fielding its own CVE Services client, the CVE Services Server API documentation will provide the interface specification to allow you to develop your own client. The CVE Services API production url is here.

For those that do not want to develop their own client, there are three known clients that have been demonstrated to work with CVE Services. Each is available as an open-source project and can be incorporated into existing vulnerability management infrastructures. Two of the clients are currently instantiated online and can be used through a standard browser.

Currently available CVE Services clients:

  • Vulnogram is a robust CVE Record editor/submission client that has been around since 2017 and has been updated to process the new CVE JSON 5.0 format and interact with CVE Services. It can be downloaded and installed as a server, or it can be accessed via a website.
  • cveClient is a rudimentary CVE Record editor/submission client that has recently been developed to simplify the creation and submission of CVE Records. It can be downloaded and installed as a server, or it can be accessed via a website.
  • cvelib is a simple library and command line interface (CLI) for the CVE Services API. It can be integrated into an existing vulnerability management infrastructure or be used as a stand-alone CLI.

All three clients also support user account management.

Getting Support

Questions about the CVE Services API can be posted to the CVE Program #cve-services SLACK channel (request an invite through the CVE Program Request web forms and use the “Other” form). This channel is monitored 9:00 a.m. – 5:00 p.m. ET by CVE Services developers who can answer some of your technical questions about the interface.

You may also send your question to the CVE Program Secretariat through the CVE Program Request web forms (use the “Other” form). Questions about your chosen client should be directed to the client developers.