NIST Draft NISTIR 8246 – National Vulnerability Database (NVD) Metadata Submission Guidelines for Common Vulnerabilities and Exposures (CVE) Numbering Authorities (CNAs) and Authorized Data Publishers
The number of Common Vulnerabilities and Exposures identifiers (CVE IDs) created year over year has rapidly increased, and this trend is expected to continue indefinitely. Currently, a National Vulnerability Database (NVD) analyst manually reviews each CVE and attaches multiple forms of CVE metadata used by downstream consumers to prioritize and assist automated vulnerability scanning tools. This is a manually intensive process, and in many cases, this metadata is provided by the source, or CNA (CVE Numbering Authority), of the CVE with no policies or procedures in place to validate and accept the information.
This draft NISTIR seeks to leverage the strength of technical knowledge provided by the CNAs and the application of consistent and unbiased CVE metadata provided by NVD analysts through the formalization of a CVE entry metadata submission process.