CVE Automation Transition Details


ATTENTION: This page has been moved to ARCHIVE STATUS. Please go to the CVE Services page on the CVE.ORG website for the most current information about CVE Services and CVE JSON 5.0.



Two major CVE Automation deployments have significantly enhanced the CVE Program’s ongoing transition towards a fully automated CVE ID assignment and CVE Record publishing/updating environment for the CVE Numbering Authority (CNA) community:

A Current Status dashboard, Transition Details Bulletins, and links to additional helpful resources are included below. Future transition schedule and bulletin updates will be posted below.

Current Status

The purpose of this dashboard section is to provide CNAs with the current status of the CVE Program’s transition to the new CVE Services and CVE JSON 5.0.

Last updated: 29 March 2023

Current Transition Phase

Status of Current Phase Activities

Timeframe for Next Phases

  • CVE JSON 4.0 Retirement: on or before 31 December 2023

Transition Details

Bulletin Number 15

Hard Deploy of CVE Services, CVE JSON 5.0, and Bulk Downloads in CVE JSON 5.0 Format Now in Effect — March 30, 2023


ATTENTION: Information and timeframes in this bulletin are out of date and no longer valid. Please go to the CVE Services page on the CVE.ORG website for the most current information.



As of March 29, 2023, the CVE Program achieved “hard deploy” of the CVE Services/CVE JSON 5.0/CVE JSON 5.0 Bulk Download automation upgrade.

Hard deploy means all issues with CVE Services “soft deploy” have been addressed, and the CVE JSON 5.0 Bulk Download capability is available for community use.

CVE Services/CVE JSON 5.0 Hard Deploy

Both CVE Services and CVE JSON 5.0 are in active use by the CVE Numbering Authority (CNA) community. Please see the “CVE Services” page on the CVE.ORG website for the most current information about CVE Services and CVE JSON 5.0.

Bulk Downloads in CVE JSON 5.0 Format Hard Deploy

CVE Records in CVE JSON 5.0 format are now available for bulk download by the community. “Bulk download” means all CVE Records and updates are included in a single download file.

CVE JSON 5.0 (view the schema) is the new official data format for CVE Records and download files. Download files based upon CVE JSON 4.0 will be deprecated on or before December 31, 2023 (see the “Legacy Downloads Available for Limited Time Only” section below).

These downloads enable development of custom applications for vulnerability management or analysis. To view individual CVE Records, please continue to use the CVE ID lookup search box at the top of all CVE.ORG web pages. It provides equally fresh data.

New Download Files Hosted on GitHub

The new download files are hosted in the cvelistV5 repository on GitHub.com. The repository includes release versions of all current CVE Records generated from the official CVE Services API. View the repository ReadMe for additional information and known issues.

Baseline releases are issued once per day at midnight and posted on the cvelistV5 repository Releases page using the file name format CVE Prefix-Year-Month-Day_Time in Greenwich Mean Time (GMT) (e.g., “CVE 2023-03-17_0000Z”). Hourly updates that include any additional CVE Records and/or other changes made since the baseline release are also posted on the Releases page using the same file name format, with the time at the end of the name changed accordingly.

How to Access the New Download Files

All download files, including baseline and hourly releases, are available on GitHub, while a single download file of the most recent release is available from the CVE.ORG website.

On GitHub:

Experienced users of GitHub may use the traditional GitHub functions to maintain their own copy of the CVE List (e.g., “git clone” with periodic syncs).

In addition, users may download a zipped CVE List “baseline” that is updated at midnight (GMT) each day. A “modified” file is updated every hour that contains only the CVE Records that have been modified/added since the baseline.

Each baseline and hourly release includes three items:

  • ZIP file of all current CVE Records at midnight (e.g., “2023-03-28_all_CVEs_at_midnight.zip.zip”)
  • ZIP file of all CVE Records added or modified since midnight (e.g., “2023-03-28_delta_CVEs_at_2200Z.zip”)
  • Release Notes for the specific release that contains a text list of CVE Records that have been modified/added since midnight

NOTE: The most current release contains the most up-to-date CVE List content. Hourly updates contain only the most recent updates.
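As an added example (not code from the CVE Program or the cvelistV5 repository), the following Python plans a sync from a release's asset names as described above and merges a downloaded baseline with the latest delta. It assumes the file-name patterns quoted in this bulletin and, as a further assumption, that each ZIP holds one `CVE-<year>-<number>.json` file per record carrying a `cveMetadata.cveId`; the release asset list and the records are constructed in-memory samples.

```python
"""Plan and apply a cvelistV5 bulk-download sync from release asset names."""
import io
import json
import re
import zipfile
from datetime import datetime, timezone

# Asset names follow the bulletin's examples: daily baseline
# '<YYYY-MM-DD>_all_CVEs_at_midnight.zip.zip' and cumulative hourly delta
# '<YYYY-MM-DD>_delta_CVEs_at_<HHMM>Z.zip', both stamped in GMT/UTC.
BASELINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})_all_CVEs_at_midnight\.zip(?:\.zip)?$")
DELTA_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})_delta_CVEs_at_(\d{2})(\d{2})Z\.zip$")
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_asset(name):
    """Return (utc_timestamp, kind) for a recognised asset name, else None."""
    m = BASELINE_RE.match(name)
    if m:
        return datetime.strptime(m.group(1), "%Y-%m-%d").replace(tzinfo=timezone.utc), "baseline"
    m = DELTA_RE.match(name)
    if m:
        stamp = datetime.strptime(m.group(1), "%Y-%m-%d").replace(
            hour=int(m.group(2)), minute=int(m.group(3)), tzinfo=timezone.utc)
        return stamp, "delta"
    return None

def plan_sync(asset_names):
    """Choose the newest baseline plus the newest delta taken after it.

    A delta holds everything added or modified since that day's midnight
    baseline, so only the latest delta is needed; older baselines, older
    deltas and unrecognised file names are ignored rather than applied.
    """
    parsed = [(p, n) for n in asset_names if (p := parse_asset(n)) is not None]
    baselines = sorted((p[0], n) for p, n in parsed if p[1] == "baseline")
    if not baselines:
        raise ValueError("release contains no baseline asset")
    base_stamp, base_name = baselines[-1]
    deltas = sorted((p[0], n) for p, n in parsed if p[1] == "delta" and p[0] > base_stamp)
    return [base_name] + ([deltas[-1][1]] if deltas else [])

def load_records(zip_bytes):
    """Map CVE ID -> record for each CVE-*.json entry in a downloaded ZIP.

    Assumed layout: one JSON file per record, named after its CVE ID. The name
    is cross-checked against cveMetadata.cveId so a mislabelled entry cannot
    silently overwrite a different record.
    """
    records = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            m = CVE_ID_RE.search(info.filename)
            if info.is_dir() or not info.filename.endswith(".json") or m is None:
                continue
            rec = json.loads(zf.read(info))
            cve_id = rec.get("cveMetadata", {}).get("cveId")
            if cve_id != m.group(0):
                raise ValueError(f"{info.filename}: file name and cveMetadata.cveId disagree")
            records[cve_id] = rec
    return records

def apply_sync(assets):
    """assets: ordered (name, zip_bytes) pairs from plan_sync; later files win."""
    state = {}
    for _name, data in assets:
        state.update(load_records(data))
    return state

# Constructed sample data standing in for real downloads.
RELEASE_ASSETS = [
    "2023-03-27_all_CVEs_at_midnight.zip.zip",
    "2023-03-27_delta_CVEs_at_2300Z.zip",
    "2023-03-28_all_CVEs_at_midnight.zip.zip",
    "2023-03-28_delta_CVEs_at_0100Z.zip",
    "2023-03-28_delta_CVEs_at_2200Z.zip",
    "release-notes.txt",
]

def _record(cve_id, text):
    """Minimal constructed record with only the JSON 5.0 fields used here."""
    return {"dataType": "CVE_RECORD", "dataVersion": "5.0",
            "cveMetadata": {"cveId": cve_id, "state": "PUBLISHED"},
            "containers": {"cna": {"descriptions": [{"lang": "en", "value": text}]}}}

def _zip_of(records):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for rec in records:
            cid = rec["cveMetadata"]["cveId"]
            zf.writestr(f"cves/{cid.split('-')[1]}/{cid}.json", json.dumps(rec))
    return buf.getvalue()

def demo():
    """Baseline of two records, then a delta that updates one and adds one."""
    baseline = _zip_of([_record("CVE-2023-0001", "v1"), _record("CVE-2023-0002", "v1")])
    delta = _zip_of([_record("CVE-2023-0002", "v2"), _record("CVE-2023-0003", "v1")])
    plan = plan_sync(RELEASE_ASSETS)
    return plan, apply_sync([(plan[0], baseline), (plan[1], delta)])
```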

On CVE.ORG:

The most-current download file, which includes all CVE Records and updates, is always available from the Downloads page on the CVE.ORG website as a single ZIP file:

Legacy Downloads Available for Limited Time Only

Legacy format CVE List downloads (i.e., CSV, HTML, XML, and CVRF), which are derived from CVE JSON 4.0, will remain available for download on the CVE.ORG website for a limited time. They will be deprecated on or before December 31, 2023.

Any tools or automation that use these old formats may no longer work once the old formats have been deprecated, so organizations should take action now.

Questions or Comments?

For assistance, please use the CVE Program Request forms and select “Other” from the dropdown menu.

Bulletin Number 14

CVE Services/CVE JSON 5.0 Hard Deploy Update — March 6, 2023


ATTENTION: The information and timeframes in this bulletin are now out of date. Please go to the CVE Services page on the CVE.ORG website for the most current information.



The CVE Program is rapidly approaching the “hard deploy” of the CVE Services/CVE JSON 5.0 automation upgrade.

The objective of hard deploy is to address issues that have been identified during the “soft deploy” period (which began in October 2022), and to make available a CVE JSON 5.0 Bulk Download capability (see the Transition FAQs for additional information).

Important milestones since our last bulletin:

  • The CVE JSON 5.0 Bulk Download function is currently undergoing testing and is almost complete. This function will make the full CVE List downloadable in CVE JSON 5.0 format. The deployment schedule for this capability will be announced at the upcoming CVE Global Summit – Spring 2023.

    IMPORTANT: A preview of the CVE JSON 5.0 Bulk Download Repository is available for review, but this is a PREVIEW ONLY and SHOULD NOT be considered the official CVE List. This new repository continues to undergo testing and has not been finalized. The official CVE List continues to be based on CVE JSON 4.0 and is found on the CVEList GitHub Pilot site and on the Downloads page on the CVE website.

  • The highest priority issue on the Soft Deploy – Prioritized Issues list was corrected. With this fix, when version ranges are used in a CVE JSON 5.0 record the record will now properly down-convert to a CVE JSON 4.0 record and be placed in the JSON 4.0 CVE List. Work continues on the remaining issues.

  • CVE Services 2.1.2 was deployed in mid-February. This incremental release fixed a number of issues that had been reported and introduced functions to support the “bulk download” capability. The release notes are available here.

  • A new “CVE Services” page was added to the cve.org website to be the main resource center for access to information about CVE Services/CVE JSON 5.0. The new page includes an overview with current version and status, information on how to obtain credentials for using the services, a workflow tutorial, demos of the clients used to interact with the services, and more. A “Reserve IDs & Publish Records (CNAs Only)” page to help direct CNAs to the new CVE Services page was also added.

Moving to Hard Deploy — Next Steps

Over the next several weeks we will be staging the required components to support hard deploy. This entails updating the CVE Services software, the cve.org website, and the Secretariat’s Content Management System (CPS), and finally, deploying the software for the bulk download capability. All of this work will be done without interruption of current services. This means you’ll continue to be able to reserve CVE IDs and submit/update CVE Records as you have in the past, as well as download records for viewing.

Upon completion of these updates and deployment, the Secretariat will send out a notification that the CVE Services/CVE JSON 5.0 hard deploy is complete. This notice will signify that this major milestone of the CVE Program automation update is complete and highlight the program’s next steps in automation upgrade.

Reminder about the CVE Global Summit – Spring 2023 on March 22 & 23

As a reminder, the CVE Global Summit – Spring 2023 is being held in-person for CNAs on March 22-23 at MITRE Corporation in McLean, Virginia, USA. There will also be a virtual component. Many of the topics mentioned above will be discussed in more detail at the summit.

Please refer to the meeting invite and follow-up messages you received for meeting details. We look forward to seeing everyone in person!


Questions about the information in this bulletin? Please use the CVE Request Web Forms and select “Other” from the dropdown.


Bulletin Number 13

Moving Forward on CVE Service/CVE JSON 5.0 Adoption — December 22, 2022


ATTENTION: The information and timeframes in this bulletin are now out of date. Please go to the CVE Services page on the CVE.ORG website for the most current information.



As the CVE Program continues to move through the soft deployment period for CVE Services/CVE JSON 5.0, we have continued to make upgrades to help you advance your adoption of both. As a reminder, soft deployment means CNAs are actively using the services and any issues found by the community are being prioritized and addressed by the CVE Automation Working Group (AWG) once reported. The hard deployment phase will begin once the soft deployment phase is completed.

The following improvements are now available for CNAs:

Enhanced test environment for incorporating CVE Services into your infrastructure and/or developing a CVE Services client now available

The test environment consists of the following:

CNAs can use the test environment to ensure that they have correctly integrated CVE Services into their established vulnerability management infrastructures. Specifically, the CVE Services test instance allows you to test your integration of the CVE ID Reservation (IDR) service and CVE Record Submission and Upload Service (RSUS), while the new CVE website test instance allows you to verify that test CVE Records will be published correctly in CVE JSON 5.0 format (simply use the CVE ID Lookup on the website test instance’s homepage to look up and view a test record). CVE Services test instance docs are available here.

A CNA developing its own CVE Services client can also use the test environment to test that its client is working properly, in the same manner.

By leveraging the test environment, CNAs can be confident that their incorporation of CVE Services into their infrastructure and processes, or development of their own CVE Services client, will work correctly once deployed in the CVE Services production environment.

Test Instance Credentials Required — If you are a CNA and wish to use the CVE Services test instance, you will need credentials that are separate from your production environment CVE Services credentials. Credentials are not required to view the CVE website test instance. Learn how to request test instance credentials here.

CVE Program Website and CVE Services upgraded to address Prioritized Issues

Two updates were released in December 2022, one for the CVE website and the other for CVE Services. One issue on the CVE Services - Prioritized Issue List was resolved, and we continue to work diligently on all the issues on the list. View the resolved issue here.

December 7 – A bug on the CVE website that incorrectly rendered the “affected version” recorded in CVE JSON 5.0 CVE Records was fixed. With this correction, you can now view CVE JSON 5.0 records on the new cve.org website with confidence that the correct affected version is being rendered.

December 19 – CVE Services version 2.1.1 was released to fix, among other issues, a bug that was identified by the CNA community where valid CVE Records submitted for publication were incorrectly being flagged with JSON schema validation errors. Thanks to those early adopters of CVE Services that continue to identify areas we need to address as we move CVE Services closer to our Hard Deploy milestone scheduled for Q1 calendar year 2023.

“Current Status” dashboard for CVE Services/CVE JSON 5.0 transition added to CVE Program Automation Transition Website

We realize that the CVE Services/CVE JSON 5.0 transition is a long and often complicated process and that there is a lot of information that must be conveyed, digested, and acted upon. To help CNAs stay aware of the most current information and transition status, a new “Current Status” dashboard has been added to the CVE Automation Transition Details page on the automation transition website to keep you up to date.

View the current status here.


Questions? Please use the CVE Request Web Forms and select “Other” from the dropdown.


Bulletin Number 12

CVE Services Workshop Videos Now Available — November 15, 2022

“CVE JSON 5.0, CVE Services Clients & More Videos from the ‘CVE Services Workshop’ Now Available” — This announcement about the workshop videos for CNAs was sent to the CVE CNA Discussion email list on November 14, 2022 and posted on the main CVE website on November 15, 2022.

Introductions to CVE JSON 5.0, the CVE ID Reservation Service (IDR), the Record Submission and Upload (RSUS) Service, CVE Clients for interacting with the CVE Services, and information about how to obtain organizational and individual account credentials for the CVE Services, are all included in the videos.

For extended community awareness, the announcement was also posted on the main CVE website and on CVE social media.


Bulletin Number 11

Soft Deployment of Record Submission and Upload Service/CVE JSON 5.0 Complete: What’s Next for CVE Services/CVE JSON 5.0 Adoption — October 27, 2022


ATTENTION: The information and timeframes in this bulletin are now out of date. Please go to the CVE Services page on the CVE.ORG website for the most current information.



Phase 1 of the soft deployment of CVE Services 2.1/CVE JSON 5.0, which deprecated CVE Services ID Reservation (IDR) 1.1 and released CVE Services - IDR 2.1, was completed on October 6, 2022.

Phase 2, soft deployment of CVE Services 2.1 – Record Submission and Upload Service (RSUS), was completed on October 25, 2022.

See Bulletin #10 and Bulletin #9 for the schedule and complete descriptions of the soft deploy phases.

Overview

With the completion of CVE Services 2.1 Soft Deployment, we enter a “transition period” for CNAs to begin adopting the CVE JSON 5.0 format. During the transition period the CVE Program will support the current CVE Record Submission workflows (i.e., the CVEList GitHub Pilot in CVE JSON 4.0 format and the CVE Program Request web forms submission process) while introducing a new submission process using CVE JSON 5.0 (using CVE Services). CNAs should begin transitioning their CVE Record management infrastructure to use CVE JSON 5.0 format using CVE Services.

To begin the transition, CNAs should:

  1. Check out the CVE Services Prioritized Issues page. This page highlights some important issues that we know about and are working to correct.
  2. If you uncover what you think might be an important issue for us to address, you can post it on the CVE Services Slack Channel (which is monitored from 9:00 a.m. – 5:00 p.m. ET weekdays) or contact the CVE Automation Working Group (AWG) at [email protected].
  3. If you have not already done so, review your historical CVE Records that have been upconverted for you into CVE JSON 5.0 format here. (Note that this list is not the official CVE List but only a review list for you to consider as part of this transition period. The official CVE List will continue to be here and downloadable here in the traditional formats, based on CVE JSON 4.0 records.)
  4. Make updates to your CVE Records using the new CVE Services if you find anomalies (see Getting Started with CVE Services).
  5. Begin planning your transition to the new CVE JSON 5.0 format and adoption of CVE Services.
  6. Attend the virtual CVE Services Workshop scheduled for November 2, 2022, from 10:00 a.m. – 2:00 p.m. EDT.
  7. Report issues to the CVE Services Slack channel (or the web form), which will be monitored from 9:00 a.m. to 5:00 p.m. EDT for technical support.
  8. Check out the new CVE Services Transition Frequently Asked Questions page. If you have a question that is not answered there, you can submit that question for inclusion using the CVE Program Request web forms (use the “other” form).

Look for announcements of the next important CVE Services milestone (i.e., CVE Services “hard deploy”, targeted for early 2023), which will introduce a “bulk download” capability for CVE JSON 5.0 records that will upgrade our current CVE List Download Architecture. (Note: there will be no CVE JSON 5.0 Bulk Download capability until this deployment.)

Reviewing What’s Available for ID Reservation, Record Submission, Record Viewing, and Downloads

The table below provides a review of the options available to CNAs for reserving CVE IDs and submitting, viewing, and downloading CVE Records, via CVE Services automation or alternate methods, now that soft deployment was completed at the end of October 2022. User Registry is how CNAs manage their own CVE Services users.

Post-October next steps, including advance notice for the eventual deprecation of the CVEList GitHub Pilot, will be announced in future bulletins.

CVE ID Reservation/CVE Record Uploading/User Registry Operations/Search-Viewing Records/CVE Downloads

| Action | Prior to October 6 | Phase 1: Beginning October 6 | Phase 2: Beginning October 25 |
|---|---|---|---|
| Reserve CVE IDs | IDR 1.1; CVE Request Web Form | IDR 1.1 - DEPRECATED; IDR 2.1 - AVAILABLE; CVE Request Web Form | IDR 2.1 - AVAILABLE; CVE Request Web Form |
| Submit CVE Records | GitHub CVEList Pilot (JSON 4.0 only); CVE Request Web Form (JSON 4.0 only) | GitHub CVEList Pilot (JSON 4.0 only); CVE Request Web Form (JSON 4.0 only) | RSUS 2.1 with JSON 5.0 – AVAILABLE; GitHub CVEList Pilot (JSON 4.0 only); CVE Request Web Form (JSON 4.0 only) |
| User Registry (CNA manages its CVE Services users) | IDR 1.1 | IDR 1.1 - DEPRECATED; IDR 2.1 - REQUIRED | IDR 2.1 - REQUIRED |
| Searching-Viewing CVE Records | ID LOOK UP: cve.org website (JSON 4.0); ID & KEYWORD SEARCH: cve.mitre.org legacy site (JSON 4.0); ID RECORD SEARCH: GitHub CVEList Pilot (JSON 4.0) | ID LOOK UP: cve.org website (JSON 5.0); ID & KEYWORD SEARCH: cve.mitre.org legacy site (JSON 4.0); ID RECORD SEARCH: GitHub CVEList Pilot (JSON 4.0) | ID LOOK UP: cve.org website (JSON 5.0); ID & KEYWORD SEARCH: cve.mitre.org legacy site (JSON 4.0); ID RECORD SEARCH: GitHub CVEList Pilot (JSON 4.0) |
| CVE Downloads (NOTE: cve.org links out to the cve.mitre.org downloads) | cve.org website (JSON 4.0); cve.mitre.org legacy site (JSON 4.0); GitHub CVEList Pilot (JSON 4.0) | cve.org website (JSON 4.0); cve.mitre.org legacy site (JSON 4.0); GitHub CVEList Pilot (JSON 4.0) | cve.org website (JSON 4.0); cve.mitre.org legacy site (JSON 4.0); GitHub CVEList Pilot (JSON 4.0) |

Questions? Please use the CVE Request Web Forms and select “Other” from the dropdown.

Bulletin Number 10

Schedule for October Deployment of CVE Services 2.1/CVE JSON 5.0 — October 3, 2022


ATTENTION: The information and timeframes in this bulletin are now out of date. Please go to the CVE Services page on the CVE.ORG website for the most current information.



CVE Services 2.1/CVE JSON 5.0 Soft Deploy will occur during the entire month of October with Phase 1 beginning on October 3 and Phase 2 occurring during the last week of October. See Bulletin #9 for a full description of all the Soft Deploy phases and how to prepare.

Overview

Phase 1 of soft deployment—to release CVE Services-IDR 2.1—began today on October 3, 2022, at 1:00 p.m. EDT. Entering Phase 1 will take approximately 48 hours, completing on October 5. During this time, the CVE Program will convert the current CVE JSON 4.0 repository to CVE JSON 5.0, upgrade the software, and perform validation.

During this 48-hour period, the system will be taken “offline” and CVE ID assignment and posting CVE Records to the CVE List will be suspended.


CVE Records submitted during this time will be “queued” and advanced to the CVE List when the system is brought back “online.”

We will make an announcement via this email list and on the CVE Services Slack Channel prior to taking the system down and again when we bring the system back up. Phase I marks the beginning of a significant transition for the CVE Program. You may see anomalies in processing data during the course of this transition. You can report anomalies/issues to CVE Services Slack Channel, which will be monitored from 9:00 a.m. to 5:00 p.m. EDT weekdays for technical support. In addition, you can report any anomalies using the CVE Program Web Forms (select "Other" from the dropdown menu) as well.

Phase 2 of soft deployment—to release CVE Services-RSUS 2.1—will take place during last week of October. An RSUS-specific deployment bulletin will be sent as we approach that date.

CVE Services 2.1 October Transition Description

The table below provides an overview for CNAs of what to expect in October. Post October “next steps” will be announced in future bulletins.

CVE ID Reservation / CVE Record Uploading / User Registry Operations

| Action | Now | Phase 1: Beginning October 5th | Phase 2: Beginning Last Week of October |
|---|---|---|---|
| Reserve CVE IDs | IDR 1.1; CVE Request Web Form | IDR 1.1 - DEPRECATED; IDR 2.1 - AVAILABLE; CVE Request Web Form | IDR 2.1 - AVAILABLE; CVE Request Web Form |
| Submit CVE Records | GitHub CVEList Pilot; CVE Request Web Form | GitHub CVEList Pilot; CVE Request Web Form | RSUS 2.1 with JSON 5.0 – AVAILABLE; GitHub CVEList Pilot; CVE Request Web Form |
| User Registry (CNA manages its CVE Services users) | IDR 1.1 | IDR 1.1 - DEPRECATED; IDR 2.1 - REQUIRED | IDR 2.1 - REQUIRED |

Save the date! — “CVE Services Workshop” Scheduled for November 2, 2022

CNAs should also make preparations to participate in the virtual “CVE Services Workshop” for CNAs to learn how to use CVE Services 2.1/CVE JSON 5.0 scheduled for November 2, 2022, from 10am to 2pm ET. We are considering holding a second live workshop for CNAs in Asia at a better time for them. If you are a CNA in Asia, please let us know if there is interest.

A registration link will be sent soon via the CNA Discussion List, so please watch for that email. There is no limit on the number of attendees that can participate from your organization.

Questions? Please use the CVE Request Web Forms and select “Other” from the dropdown.

Bulletin Number 9

Deployment Update for CVE Services 2.1 - Record Submission and Upload Service (RSUS) and CVE JSON 5.0 — September 12, 2022


ATTENTION: The information and timeframes in this bulletin are now out of date. Please go to the CVE Services page on the CVE.ORG website for the most current information.



The CVE Program is in the final stages of planning its next steps in its automation update strategy. In Transition Bulletins #2 and #3 we laid out a broad transition strategy that would culminate in a new automated approach for CNAs to submit CVE Records.

Soft Deployment Schedule

“Soft Deployment” of CVE Services 2.1/CVE JSON 5.0 will begin the first week of October 2022, and will be implemented in two phases over the course of the month:

  • Phase I – This phase will begin the first week of October (10/3/22 – 10/9/22) with an update of the CVE Services 2.1 - CVE ID Reservation (IDR) Service. At the completion of Phase I on October 10, CNAs using CVE Services for CVE ID Reservation will be using CVE Services 2.1.

  • Phase II – The CVE IDR System update completed in Phase I will lay the groundwork for Phase II (i.e., the soft deployment of CVE Services 2.1 – Record Submission and Upload Service (RSUS)), which will take place the last full week of October (10/24/22 – 10/28/22). At the completion of Phase II on October 31, CNAs will have the ability to submit CVE JSON 5.0 records to the live CVE List using the new CVE Services 2.1 RSUS interfaces.

How CNAs Should Prepare

Preparing for Phase I (Week 1 October)

Current users of the CVE Services 1.1.1 - IDR Service will need to migrate to a client that has been upgraded to be compatible with CVE Services 2.1 - IDR Service.
There are currently three clients that have been developed for community adoption that are expected to be ready for the first week of October that you can adopt:

| Client Name | Notes |
|---|---|
| Vulnogram | A client with a robust GUI; can be installed locally or used from the internet through a web browser |
| cveClient | A client with a simple GUI; can be installed locally or run from the internet through a web browser |
| cvelib | A command line client; can be downloaded and incorporated into an existing tooling structure |

If your organization has created a unique automation framework that interfaces with CVE Services, contact your framework administrator to determine their plans for migrating to CVE Services 2.1.

If there is concern that the client you are using will not be upgraded by October 3, following are some options that may work for you:

  • Prior to October 3, reserve a “block” of IDs to carry you through the month while your clients are upgraded.
  • Temporarily adopt one of the publicly available clients that are being actively supported by community members.

As we get closer to the deployment date for Phase I, we will send out reminders and note the specific days that CVE Records processing will be suspended while we update the software and the repositories.

Preparing for Phase II (Week 4 October)

Phase II deployment will be an update to make the CVE Services 2.1 - RSUS endpoints available to the CVE Services clients for use by the CNA community.

If you wish to take advantage of these new endpoints, the client that you use will need to be designed specifically to do that. You may adopt one of the recommended clients listed above (which will be upgraded to take advantage of the new endpoints). If you are operating in a unique organizational CVE framework, contact your framework administrators to gain insight into their plans for adoption of CVE JSON 5.0 and CVE Services 2.1.

Note that all of the old CVE Record submission processes (using CVE JSON 4.0; see Bulletin #6) will be maintained for a period of time after this deployment, so you need not adopt CVE JSON 5.0/CVE Services 2.1 immediately. However, you should begin thinking about how you are going to do that in the very near future.

CNAs should also make preparations to participate in the virtual “CVE Services Workshop” for CNAs to learn how to use CVE Services 2.1/CVE JSON 5.0 scheduled for November 2, 2022, from 11:00 a.m. – 5:00 p.m. ET. Learn more here.

Questions? Please use the CVE Request Web Forms and select “Other” from the dropdown.

Bulletin Number 8

SAVE THE DATE -“CVE Services Workshop” for CNAs to be held on November 2, 2022 — August 25, 2022


ATTENTION: The information and timeframes in this bulletin are now out of date. Please go to the CVE Services page on the CVE.ORG website for the most current information.



CVE Services Workshop for CNAs to Be Held on November 2, 2022 — This announcement for CNAs about the upcoming CVE Services Workshop was sent to the CVE CNA Discussion email list on August 25, 2022 and posted on the main CVE website on August 30, 2022.

Details about the CVE Services 2.1/CVE JSON 5.0 deployment plan and schedule will be announced very soon, so please keep an eye out.

Questions? Please use the CVE Request Web Forms and select “Other” from the dropdown.

Bulletin Number 7

Call for Community Penetration Testing Volunteers to Test CVE Services 2.1 — June 23, 2022


ATTENTION: The information and timeframes in this bulletin are now out of date. Please go to the CVE Services page on the CVE.ORG website for the most current information.



The CVE Program is preparing for the deployment of the CVE Record Submission and Upload Service (RSUS), and an updated data format (i.e., CVE JSON 5.0).

The program thanks those of you who participated in previous milestones (e.g., early adoption of the CVE ID Reservation, CVE Services Requirements collection, CVE Services code development and review, Penetration Testing and Security analysis) as we move forward with development, testing, and deployment.

A request for continued support: CVE Services 2.1 Penetration Testing II, July 18-July 29

We performed Penetration Testing on CVE Services 2.1 in March 2022, during which we identified issues that must be addressed prior to RSUS and JSON 5.0 deployment.

Beginning July 18 (and running through July 29) we will be engaging in another round of community penetration testing to achieve a level of assurance necessary to deploy. The program needs your help! The community is an integral part of building assurance and previously made substantial contributions from a testing perspective. If you have interest, contact the AWG Chair Kris Britton and he will get you the information you need to get started.

If you cannot participate in the Penetration Testing II event, you can still get familiar with CVE Services 2.1

CVE Services 2.1 will be a major upgrade to CVE Services 1.1.1: it will provide the API for “client applications” not only to reserve CVE IDs in “near real time” and manage your own “user base”, but also to support the automated submission and update of CVE Records. When it is deployed, CNAs will be able to “Post” records immediately to the CVE List, with the records being available to the public in near real time.

Contact the AWG Chair if you have interest in either of the following:

  • Using the “CVE Services Testing Instance” to test your client for CVE Services 2.1
  • Joining the CVE Automation Working Group (AWG) which meets every Tuesday to discuss requirements, status, and all things related to CVE Services

Please check this page regularly for updates. You may also contact us with any comments or concerns.

Bulletin Number 6

Submitting CVE Records after CVE Service 2.x/JSON 5.0 Roll-out — May 20, 2022


ATTENTION: The information and timeframes in this bulletin are now out of date. Please go to the CVE Services page on the CVE.ORG website for the most current information.



As we prepare for CVE Services 2.x/JSON 5.0 roll-out in the coming weeks, there have been a number of questions about the various methods CNAs currently use to make CVE ID reservations and publish CVE Records and which methods will continue to be supported post deployment.

This bulletin clarifies the CVE Program specific methods that will be available to CNAs for reserving CVE IDs and submitting CVE Records after CVE Services/JSON 5.0 deployment. For non-CNAs, the existing method for requesting CVE IDs will not be affected.

Non-CNA Submission Methods

Non-CNAs will continue to contact the appropriate CNA to request CVE IDs, as described on the [Report/Request](https://www.cve.org/ResourcesSupport/ReportRequest) page on the CVE Program website. The CNA that assigns the ID will publish the CVE Record.

In addition, the CVE Program Secretariat will continue to maintain the CVE Program Request web form for non-CNAs to submit vulnerability reports.

CNA Submission Methods

For CNAs, there will be five methods to reserve CVE IDs and submit CVE Records. Some methods will be retired over time while others will have constraints, but all five methods described below will be available for use immediately after CVE Services 2.x/JSON 5.0 is deployed.

CNAs that don’t yet have a CVE Services account may contact their Root to receive account credentials ahead of deployment.


Method 1: The current CVE Program Secretariat Web Forms

This method allows CNAs to submit CVE Records in multiple formats: JSON 4.0, CSV, and flat file. For a limited time, CNAs will continue to be able to request CVE ID Reservations and publish CVE Records as they do today using the CVE Program Secretariat CVE Program Request web forms. All currently supported input formats will continue to be supported, but this method will not process JSON 5.0 formatted input.


This submission method will be retired 90 days after CVE Services/JSON 5.0 is deployed.



Method 2: CVE List GitHub Submission Pilot

This method allows CNAs to submit CVE Records in JSON 4.0 using GitHub pull requests. For a limited time, CNAs will continue to be able to use the CVE List GitHub Submission Pilot to submit CVE Records in JSON 4.0, which will then be upconverted to JSON 5.0 records.


This submission method will be retired 90 days after CVE Services/JSON 5.0 is deployed.



Method 3: Vulnogram

This method is an existing web-based tool for reserving CVE IDs and creating and submitting CVE Records that is currently in use by CNAs. JSON 4.0 will continue to be supported in this method for 90 days post deployment.

After CVE Services/JSON 5.0 is deployed, this method will only accept direct user input (i.e., no attached files) and will submit JSON 5.0 CVE Records directly to CVE Services on the CNA’s behalf for publication on the CVE List.

To use this method, CNAs will need to present their CVE Services User ID and authentication token through Vulnogram to identify/authenticate to CVE Services. New users, please request CVE Services credentials from your Root.


Active submission method.



Method 4: Adopt an available CVE Services Client

CVE Services is implemented as a Client/Server architecture. This method enables CNAs to adopt an already existing client and install and execute it in their own environment to assign CVE IDs and create and submit CVE Records.

Three clients are currently available for use as part of CVE Services/JSON 5.0 deployment:


Active submission method.



Method 5: CNAs can develop their own clients

CNAs may develop their own CVE Services clients. The CVE Program is currently preparing documentation to support that development, which will be announced in a future bulletin.


Active submission method.



Please check this page regularly for updates. You may also contact us with any comments or concerns.


Bulletin Number 5

JSON 5.0 Format Record Review — March 23, 2022


ATTENTION: The information and timeframes in this bulletin are now out of date. Please go to the CVE Services page on the CVE.ORG website for the most current information.



The CVE Program transition to CVE JSON 5.0 continues with the community review of historical JSON 4.0 records that have been converted to JSON 5.0 format.

The message below, sent to CNAs by the Quality Working Group (QWG) on March 21, 2022, announces that review:

CNAs,

The GitHub submission pilot has been using an experimental JSON format (version 4.0) for publishing CVE Records. The CVE Quality Working Group has been working to improve this format for use with the upcoming CVE Services API, with a better-specified schema while fulfilling new requirements from the CVE Program (version 5.0).

As part of this process, all existing CVE Records (about 181 thousand) are being programmatically upconverted and are available at https://github.com/CVEProject/cvelistV5/tree/master/review_set (last updated March 15th).

An index of these records by the CNAs is available here https://cveproject.github.io/quality-workgroup/reports/. You can also compare the records and their display previews for any converted CVE ID using the tool https://vulnogram.github.io/seaview/.

During this process, 314 records had issues with the data and are autocorrected to ensure we have valid content in the CVE Records. Such corrections include trimming excessively long fields and dropping invalid dates and data. Such records are reported here: https://cveproject.github.io/quality-workgroup/reports/warnings.

  1. Please review your CVE Records to ensure the upconversion script did not alter the meaning of the CVE Records.

    If you believe the upconversion script has a bug, please raise an issue at https://github.com/CVEProject/cve-schema/issues or suggest changes to the upconverter script using a pull request. The upconverter will be used to continually transform any JSON 4.0 submissions to JSON 5.0 format for use in the CVE Services API during the transition phase while CNAs migrate to CVE JSON 5.0.

  2. Please review this warnings report to check if you have any CVE Records that triggered warnings or errors.

    If you have a CVE Record that needs to be fixed, you have a few options:

    • (Preferred) wait for the record submission feature in the CVE Services to be available (TBA)
    • Submit corrections to the records via the Git pilot submission process
    • No action is needed if the autocorrects make sense to you

  3. The display/layout of the CVE Record information as shown on vulnogram.github.io/seaview would be similar to how these records may be rendered on the new cve.org website. Feedback on this new CVE Record display or layout is most welcome.

If you have any further questions, please feel free to raise them with the CVE Quality Working Group ([email protected] or as issues at https://github.com/CVEProject/cve-schema/issues).

Bulletin Number 4

CVE Services Transition — March 21, 2022


ATTENTION: The information and timeframes in this bulletin are now out of date. Please go to the CVE Services page on the CVE.ORG website for the most current information.



This message is to inform you about a revision to the CVE Services deployment schedule that will affect when CVE Services 2.1 is available for use by CNAs.

CVE Services 2.1 consists of the Record Submission and Upload Service (RSUS) and the new CVE JSON 5.0 data format. The CVE Program is in the middle of testing CVE Services 2.1. The program thanks the CVE community for participating in the functional and penetration testing during the test period that began on February 25, 2022.

As a result of the ongoing testing, multiple issues have been identified. The CVE Automation Working Group (AWG) is currently developing the sprint plans and deployment schedule to remediate the identified issues as quickly as possible. Once developed, the AWG will manage the sprints to fix the identified issues. Then, a second period of testing will be opened to the community. The second testing period is the best way to ensure that the services are effective and secure.

Once these sprints and schedule are better defined, they will be published to enhance community understanding of the issues and foster voluntary participation in the CVE Program (e.g., the AWG). Information related to the sprints and deployment plan will be announced on the CVE CNA Slack channel, CVE CNA Discussion email list, this CVE Program Automation Website, and on CVE social media.

To ensure the CVE Program delivers effective, automated, and secure CVE 2.1 services that reduce the transaction costs of program participation, the “CVE Global Summit” is being shifted to a later date so that program participants can get an interactive, “hands on” description of the services to make the transition to the services easier. A new summit date will be announced in the near future.

Please check this page regularly for updates. You may also contact us with any comments or concerns.

Bulletin Number 3

CVE Services Transition — March 16, 2022


ATTENTION: The information and timeframes in this bulletin are now out of date. Please go to the CVE Services page on the CVE.ORG website for the most current information.



The activities and schedule for the transition to CVE Services 2.1 and CVE JSON 5.0, as provided last month in Transition Bulletin #2, are now underway. This bulletin adds two new activities and schedule updates. Most importantly, it adds an important new notification to CNAs that the CVE List GitHub Submission Pilot will be retired as part of the transition (see below for details).

Transition Schedule and Activity Updates

Detailed descriptions for activities 1-6 below are provided in Transition Bulletin #2. This new bulletin, Transition Bulletin #3, includes the addition of two new activities and updates to the transition schedule, to ensure CNAs have advance notice of all upcoming transition activities and actions needed by CNAs.

Detailed descriptions of the two newly added activities for Bulletin #3 are included below. They have also been added as items 7 and 8 in the transition schedule that follows.

  • CVE List GitHub Submission Pilot Retirement — The CVE List GitHub Submission Pilot is JSON 4.0-based and will not be upgraded to JSON 5.0. As a JSON 4.0-based effort, it will not continue to operate after JSON 4.0 Retirement. It will continue to operate for 3 months after CVE Services 2.1/JSON 5.0 Hard Deployment. After JSON 4.0 Retirement, JSON 5.0 format will be the only format available for download (other downloadable formats will be retired), and CNAs will be expected to submit CVE Records in JSON 5.0 format through either the CVE Services web application API or a program-designated web interface.

  • CVE List Download Format Changes — After JSON 4.0 Retirement, JSON 5.0 format will be the only format available for CVE List downloads. All other download formats will be retired at the same time JSON 4.0 is retired (read announcement).


Updated Transition Schedule

IMPORTANT: The timeframes in this bulletin have changed. Please see the newest bulletins above for the most current information.

See Transition Bulletin #2 for descriptions of activities 1-6; descriptions for activities 7 and 8 are above.

| Item | Activity | Schedule |
|---|---|---|
| 1 | CVE Services 2.1 Community Testing in the Testing Instance | Late February/early March 2022 |
| 2 | CVE Services 2.1 Community Penetration Testing | Mid-to-late March 2022 (will run for approximately 3 weeks) |
| 3 | CNA Community Review of Historical JSON 5.0 Records | January through April 2022 |
| 4 | CVE Services 2.1/JSON 5.0 Soft Deployment | Mid-to-late April 2022 (will span approximately 3 weeks) |
| 5 | CVE Services 2.1/JSON 5.0 Hard Deployment | Late April 2022 |
| 6 | JSON 4.0 Retirement | July 2022 (3 months after JSON 5.0 is made available to CVE downstream users) |
| 7 | CVE List GitHub Submission Pilot Retirement | July 2022 (3 months after JSON 5.0 is made available to CVE downstream users) |
| 8 | CVE List Download Format Changes | July 2022 (3 months after JSON 5.0 is made available to CVE downstream users) |

If you have any further questions, please feel free to raise them with the CVE Quality Working Group or as issues at https://github.com/CVEProject/cve-schema/issues.

Bulletin Number 2

CVE Services Transition — February 11, 2022


ATTENTION: The information and timeframes in this bulletin are now out of date. Please go to the CVE Services page on the CVE.ORG website for the most current information.



IMPORTANT: The timeframes in this bulletin have changed. Please see the newest bulletins above for the most current information.

For CVE CNAs, the transition to CVE Services and JSON 5.0 began in December 2019 with the deployment of CVE Services 1.0 (the CVE ID Reservation (IDR) system) and the continued review and evolution of the new CVE Record format (i.e., JSON 5.0). In June 2020 CVE Services 1.1 was deployed, and in September 2021 CVE Services 2.0 was deployed into the new CVE Testing Instance. In November 2021, the community finalized the new JSON 5.0 format with the release of JSON 5.0 Release Candidate 5. Additional transition activities will take place in the spring of 2022 that will culminate in a major step forward for the program’s automation effort and the adoption of a richer, more robust CVE Record format (i.e., CVE JSON 5.0).

Spring 2022 CVE Services/JSON 5.0 Transition Activity Overview:

  1. CVE Services 2.1 Community Testing in the Testing Instance — In late February/early March 2022, the CVE Automation Working Group (AWG) is planning on releasing CVE Services 2.1 into the CVE Services Testing Instance. As with CVE Services 2.0 testing, CNAs will be able to continue to test their clients against this instance. CVE Services 2.1 is the target version of CVE Services that will be deployed into production and will support JSON 5.0 for the community.
  2. CVE Services 2.1 Community Penetration Testing — Upon the release of CVE Services 2.1 into the Testing Instance, the CVE Services 2.1 Community Penetration Testing effort will commence and will run for approximately 3 weeks into mid/late March 2022. The AWG will be coordinating this community penetration testing effort so that interested members of the community may perform penetration testing on CVE Services 2.1. (This topic was discussed in the two “CVE Services 2.x Workshops” held in September and October 2021.) After the completion of the penetration testing effort, there will be a period of time for the development team to respond to issues identified during the testing.
  3. CNA Community Review of Historical JSON 5.0 Records — From January through April 2022, the CVE Quality Working Group (QWG) will be coordinating two community reviews of historical CVE Records that have been converted to JSON 5.0. During the first review CNAs have an opportunity to review records that they “own” in the new format and offer early feedback on the Secretariat’s upconvert process. During the second review, CNAs will have an opportunity to update the CVE Records they own using the CVE Services Record Submission and Upload Subsystem (RSUS) interface. (This may be preferable for large CNAs who might be interested in upconverting their own records instead of relying on the Secretariat upconvert.) If you or your organization are interested in getting more engaged in the planning of these reviews, please send email to the QWG Co-Chairs.
  4. CVE Services 2.1/JSON 5.0 Soft Deployment — Once the above activities are completed, there will be a soft deployment of CVE Services 2.1/JSON 5.0 that will span approximately 3 weeks into mid/late April 2022. During this timeframe CVE Services 2.1 will be deployed into the production environment and CNAs will have the full feature set of CVE Services to submit and update JSON 5.0 records. Also, during this time, the QWG will administer the second phase of the CNA Community Review of JSON 5.0 Historical Records (see above), in which CNAs will be encouraged to review the CVE Records they own and make appropriate updates using CVE Services. It is important to note that during the soft deployment phase, only members of the CVE CNA community will have access to the JSON 5.0 CVE List. The general “downstream” user population of the CVE List will continue to observe and download JSON 4.0 Records from the main CVE website.
  5. CVE Services 2.1/JSON 5.0 Hard Deployment — After the soft deployment phase toward the end of April 2022, the AWG will move into a hard deployment phase that will include deployments to make JSON 5.0-format CVE Records easily accessible to the global community through the deployment of the JSON 5.0 GitHub download capability and the JSON website display and download capability on the main CVE website.
  6. JSON 4.0 Retirement — Six months after JSON 5.0 is made available to CVE downstream users, JSON 4.0 will be retired. After JSON 4.0 retirement, historical JSON 4.0 records will continue to be available in an archived state. CNAs will be expected to submit CVE Records in JSON 5.0 format through either CVE Services web application API or a program designated web interface. At this time, JSON 5.0 format will be the only format that is available for download (other downloadable formats will be retired).

Please check this page regularly for updates. In addition, there will be follow-on communications to CNAs on CVE CNA Discussion email list, on CVE CNA Slack channel, and on CVE social media. You may also contact us with any comments or concerns.

Bulletin Number 1

CVE Services Transition — January 6, 2022


ATTENTION: The information and timeframes in this bulletin are now out of date. Please go to the CVE Services page on the CVE.ORG website for the most current information.



“Changes Coming to CVE Record Format JSON and CVE List Content Downloads” — This initial announcement to CNAs about major changes coming to CVE JSON and Downloads in 2022 was sent to the CVE CNA Discussion email list on January 6, 2022.

For extended community awareness, the announcement was also posted on the main CVE website, on CVE social media, and included in the CVE Newsletter.

Additional Resources

CVE Services Clients are hosted on GitHub:

CVE Services resources are hosted on GitHub:

CVE JSON resources are hosted on GitHub:

CVE Services/CVE JSON 5.0 Guidance Videos & Slides:

Other helpful resources are hosted on the main CVE website: