The Common Vulnerabilities and Exposures (CVE) program is a dictionary or glossary of vulnerabilities that have been identified in specific code bases, such as software applications or open libraries. A unique identifier known as the CVE ID gives stakeholders a common means of discussing and researching a specific, unique exploit. The Common Platform Enumeration (CPE) program fulfills a similar function to the CVE program for IT products and platforms. The Security Content Automation Protocol (SCAP) program combines CVE and CPE in a suite of tools that help automate vulnerability management and evaluate compliance with federal information technology security requirements.
The National Vulnerability Database (NVD) maintains the authoritative CPE dictionary, while the CVE program is maintained by the MITRE Corporation. Both programs are sponsored by the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA). The NVD is tasked with analyzing each CVE once it has been published to the CVE List. NVD analysts use the reference information provided with the CVE and any publicly available information at the time of analysis to associate Reference Tags, Common Vulnerability Scoring System (CVSS) v2.0 and CVSS v3.1 scores, Common Weakness Enumeration (CWE) identifiers, and CPE Applicability statements.
CVEs are typically available in the NVD within an hour of their publishing. Once a CVE is in the NVD, analysts can begin the analysis process. The processing time can vary depending on the CVE, the information available, and the quantity of CVEs published within a given timeframe. After analysis is provided, CVEs may be updated (modified). If modifications are available, the NVD publishes these updates once every two hours. The CPE Dictionary is updated nightly when modifications or new names are added.
Each API key is associated with a single email address. If that email address is used to request an additional API key, clicking the single-use hyperlink in the new message invalidates the key previously associated with the address. The existing key is not invalidated if the email address is used to request another key but the link is never opened. There is no process for retrieving a forgotten key.
Requesting an API key allows users to make a greater number of requests in a given time than they could otherwise. The public rate limit (without an API key) is 10 requests in a rolling 60 second window; the rate limit with an API key is 100 requests in a rolling 60 second window.
The best practice for making requests within the rate limit is to use the modified date parameters. No more than once every two hours, automated requests should include a range where modStartDate equals the time of the last CVE or CPE received and modEndDate equals the current time. Enterprise scale development should enforce this approach through a single requestor to ensure all users are in sync and have the latest CVE and CPE information. It is also recommended that users "sleep" their scripts for six seconds between requests.
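The polling discipline described above (a single requestor, a modStartDate/modEndDate window that starts at the newest record already received, at most one poll every two hours, and a six-second pause between requests) is easy to get subtly wrong, so here is a worked example of a client loop that enforces it. This is an added example, not the NVD's own client code. The response layout (a "vulnerabilities" list with a "cve.lastModified" field and a "totalResults" count), the "startIndex" pagination parameter, the "apiKey" request header and the CVE records served by the fake fetch function are all constructed assumptions for the sake of running offline; only modStartDate, modEndDate, the two-hour cadence and the six-second pause come from the page.

```python
"""Incremental NVD polling loop (added example, not NVD's own code).

Assumed, not stated on the page: the JSON response layout, the
``startIndex`` pagination parameter and the ``apiKey`` header.
"""
import time
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

MIN_POLL_INTERVAL = timedelta(hours=2)   # "no more than once every two hours"
PAUSE_SECONDS = 6                         # recommended sleep between requests
STAMP = "%Y-%m-%dT%H:%M:%S.%f"            # assumed timestamp layout


def modified_range_query(mod_start, mod_end, start_index=0):
    """Build the modStartDate/modEndDate query string for one page."""
    return urlencode({
        "modStartDate": mod_start.strftime(STAMP)[:-3],  # millisecond precision
        "modEndDate": mod_end.strftime(STAMP)[:-3],
        "startIndex": start_index,                       # assumed parameter
    })


class IncrementalPoller:
    """Single requestor that keeps a cursor at the newest lastModified seen.

    ``fetch(query, headers)`` returns a decoded JSON page; ``now`` and
    ``sleep`` are injectable so the schedule can be driven by a fake clock.
    """

    def __init__(self, fetch, api_key=None, now=None, sleep=time.sleep):
        self.fetch = fetch
        self.headers = {"apiKey": api_key} if api_key else {}  # assumed header
        self.now = now or (lambda: datetime.now(timezone.utc))
        self.sleep = sleep
        self.last_received = None   # time of the newest CVE received so far
        self.last_poll = None       # when the API was last queried
        self.request_count = 0

    def poll(self):
        """Return new or modified records, or None if polled too recently."""
        now = self.now()
        if self.last_poll is not None and now - self.last_poll < MIN_POLL_INTERVAL:
            return None
        # First run has no cursor; starting one interval back is an assumption.
        mod_start = self.last_received or now - MIN_POLL_INTERVAL
        records, start_index = [], 0
        while True:
            if start_index:
                self.sleep(PAUSE_SECONDS)   # pace paginated follow-up requests
            page = self.fetch(modified_range_query(mod_start, now, start_index),
                              self.headers)
            self.request_count += 1
            batch = page.get("vulnerabilities", [])
            records.extend(batch)
            start_index += len(batch)
            if not batch or start_index >= page.get("totalResults", 0):
                break
        self.last_poll = now
        if records:   # advance the cursor to the newest record received
            self.last_received = max(
                datetime.strptime(r["cve"]["lastModified"], STAMP)
                .replace(tzinfo=timezone.utc) for r in records)
        return records


def simulate():
    """Drive the poller with a fake clock and constructed two-page responses."""
    clock = {"t": datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)}
    pauses, calls = [], []
    pages = [   # constructed sample data, not real CVE records
        {"totalResults": 3, "vulnerabilities": [
            {"cve": {"id": "CVE-0000-0001", "lastModified": "2024-01-15T10:30:00.000"}},
            {"cve": {"id": "CVE-0000-0002", "lastModified": "2024-01-15T11:45:00.000"}}]},
        {"totalResults": 3, "vulnerabilities": [
            {"cve": {"id": "CVE-0000-0003", "lastModified": "2024-01-15T11:50:00.000"}}]},
    ]

    def fetch(query, headers):
        calls.append(query)
        if len(calls) <= len(pages):
            return pages[len(calls) - 1]
        return {"totalResults": 0, "vulnerabilities": []}   # nothing new later

    poller = IncrementalPoller(fetch, api_key="EXAMPLE-KEY",
                               now=lambda: clock["t"], sleep=pauses.append)
    first = poller.poll()                   # two requests, one six-second pause
    clock["t"] += timedelta(minutes=30)
    too_soon = poller.poll()                # None: inside the two-hour window
    clock["t"] += timedelta(hours=2)
    second = poller.poll()                  # one request; window starts at 11:50
    return {
        "first_ids": [r["cve"]["id"] for r in first],
        "too_soon": too_soon,
        "second": second,
        "requests": poller.request_count,
        "pauses": pauses,
        "cursor": poller.last_received.strftime(STAMP)[:-3],
        "second_query": calls[-1],
    }


if __name__ == "__main__":
    print(simulate())
```

Note that pacing requests six seconds apart caps a script at ten requests per rolling minute, which is exactly the public limit, so the pause alone keeps an unkeyed client compliant; with a key it leaves ample headroom under the 100-request limit. Because modStartDate is set equal to the newest lastModified already received, the record at that exact boundary is returned again on the next poll, so downstream consumers should treat records as upserts keyed on the CVE ID.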
The process of requesting an API key requires users to provide a valid email address. About twice a year, the NVD may send a user experience survey to any email addresses that have requested an API key. The NVD does not automatically enroll these addresses in any discussion group or mailing list. It is recommended that developers using the NVD API opt into the NVD News Google Group. This group can be a valuable resource for enterprise application developers and novice researchers alike.
Questions, comments, or concerns may be shared with the NVD by emailing [email protected]