During the late 1990s, security professionals were using information assurance tools in concert with vulnerability scanners to detect and remove vulnerabilities from the systems for which they were responsible.

There was just one problem – each security vendor had its own vulnerability database with little to no crossover. Each vendor’s tool generated its own alert for a detected vulnerability, and these alerts had to be manually cross-referenced between the tools to determine whether they were separate issues or multiple alerts for the same issue.

This is the scenario that spawned the Common Vulnerabilities and Exposures, or CVE, List. In January 1999, David E. Mann and Steven M. Christey of The MITRE Corporation published “Towards a Common Enumeration of Vulnerabilities” at a workshop at Purdue University.

In addition to wanting to know whether multiple tools had identified the same vulnerability, Mann and Christey also wanted to compare the breadth and depth of coverage provided by each tool. To meet both needs, their whitepaper proposed creating a unified vulnerability and exposure reference list that could be used across participating assessment/IDS tools: the CVE List.

Towards a Common Enumeration of Vulnerabilities

According to the whitepaper, the original plan for the CVE List was for each vulnerability to be uniquely identifiable with no need for manual cross-referencing. The CVE List was also intended to be a complete list of known vulnerabilities and to be publicly accessible without worrying about distribution restrictions.

Because the CVE List would be a vendor-independent resource, it would leave each vendor free to decide how much of an impact a given vulnerability would have on their own products or systems. The List itself would not provide impact scoring. In the CVE List, each vulnerability entry would be limited to its standardized ID number, a status indicator (candidate vs accepted/rejected), a brief