MITRE Corporation's documentation defines CVE Identifiers (also called "CVE names", "CVE numbers", "CVE-IDs", and "CVEs") as unique, common identifiers for publicly known information security vulnerabilities. CVE identifiers have a status of either "entry" or "candidate". Entry status indicates acceptance of a CVE Identifier into the CVE List, while a status of "candidate" (also called "candidates", "candidate numbers", or "CANs") indicates an identifier under review for inclusion in the list.
The same source describes the process of creating a CVE Identifier, which:
- begins with the discovery of a potential security vulnerability or exposure
- adds to this information a (unique) CVE candidate number assigned by a CVE Candidate Numbering Authority (CNA), posted on the CVE Web site, and proposed to the Board by the CVE Editor
The MITRE Corporation functions as Editor and Primary CNA. The CVE Editorial Board (set up by MITRE) discusses the candidate and votes on whether or not it should become a CVE entry. If the Board rejects a candidate, the reason for rejection is noted in the Editorial Board Archives posted on the CVE Web site. If the Board accepts a candidate, its status is updated to "entry" on the CVE List. However, the assignment of a candidate number is not a guarantee that it will become an official CVE entry.
When investigating a vulnerability or potential vulnerability, it helps to acquire a CAN number early on. An entry is live once a number is assigned. However, until the go-public date is reached, the CAN number's entry will not provide any information; it will instead show a placeholder to indicate that the number is taken. The benefit of early CVE candidacy is that all future correspondence can refer to the CAN/CVE number.