A Clarification on CVE Records with a DISPUTED Tag (2024)

By Shannon Sabens, CVE Board member and Outreach and Communications Working Group (OCWG) Co-Chair

Several years ago, it was clear to the CVE Board that we would need a specific process for the inevitable disputes that may arise around vulnerability reporting. Potential scenarios may be obvious to many, but a basic example would be when a finder reports a potential vulnerability to a vendor/maintainer that agrees a bug exists but disagrees that it’s a potential security hole.

CVE Record Dispute Policy

By publishing the “CVE Record Dispute Policy” in 2022, the CVE Program has aimed to provide affected parties with an easy pathway to dispute resolution that moves up through a CVE Numbering Authority (CNA), Root, Top-Level Root (TL-Root), and Council of Roots (CoR) hierarchy. Note that a “Root” is an organization authorized within the CVE Program that is responsible, within a specific scope, for the recruitment, training, and governance of one or more CNAs. If you are picturing a hierarchy of CNAs that enables the program to scale, then you’ve got it. Roots help new CNAs onboard and support CNAs in following the rules of the program. When needed, a dispute may be escalated to the CNA’s Root (and upward in the hierarchy, if needed) as detailed in the CVE Record Dispute Policy.

A flow chart of the CVE Record Dispute Policy process is below. A more complete description of the process is included in the policy document here.

[Flow chart: CVE Record Dispute Policy process]

DISPUTED Tag Could Be Temporary or Indefinite

It is not possible in all cases for the Root, TL-Root, or CoR to establish who may be correct in such disputes (though a decision by the CoR is final). In such cases, the Program may give the CVE Record a designation of “DISPUTED.”

A “DISPUTED” tag in a CVE Record could be for one (or more) of any number of reasons, for example, questions of accuracy, completeness, or whether the bug in question is, in fact, a security hole at all.

In these instances, it is the Board’s intent — per the CVE Record Dispute Policy — that the Program:

  • Will not make a determination as to which party in the dispute is correct.
  • Will allow the reader to be informed of a potential vulnerability by adding the DISPUTED tag to the CVE Record in question.
  • Will enable the reader (by allowing the record to remain published with the DISPUTED tag) to decide whether the disputed report represents a threat to their organization’s assets.

Recently, we have observed in public discourse some assumptions by the community that the DISPUTED tag is an interim state. However, in some cases, the DISPUTED tag may remain in place indefinitely.

The complete details of the CVE Program’s disputes policy can be found here.

Please comment here on the CVE Blog on Medium, use our CVE Blog website feedback form, or use the CVE Request Web forms and select “Other” from the dropdown menu, to provide feedback about this article.


FAQs

What does it mean when a CVE is disputed?

When one party disagrees with another party's assertion that a particular issue is a vulnerability, a CVE Record assigned to that issue may be designated with a “DISPUTED” tag. In these cases, the CVE Program is making no determination as to which party is correct.

What are the three elements that make up a CVE record?

When the CVE® Program was first established in 1999, a CVE Record consisted of only three elements: the CVE-ID itself, a brief vulnerability description, and a reference URL directing to further relevant information.

What is a CVE record?

CVE Records (also referred to by the community as "CVE Identifiers," "CVE IDs," "CVE names," "CVE numbers," and "CVEs") are unique, common identifiers for publicly known cybersecurity vulnerabilities.

What does CVE mean?

Common Vulnerabilities and Exposures (CVE) is a publicly listed catalog of known security threats. The catalog is sponsored by the United States Department of Homeland Security (DHS), and threats are divided into two categories: vulnerabilities and exposures.

What are examples of CVE?

Below are some examples of CVEs:
  • CVE-2022-21948: An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
  • CVE-2022-42291: NVIDIA GeForce Experience contains a vulnerability in the installer.
  • CVE-2023-22643: An Improper Neutralization of Special Elements used in an OS Command.

Do hackers use CVE?

They scour the CVE's details to identify vulnerabilities that can be exploited in target systems, then develop or adapt exploit tools to take advantage of these weaknesses. Then they actively search for systems that have not yet applied patches or mitigations — making them easy targets for intrusion.

Who can report a CVE?

Vulnerabilities are identified by CVE Numbering Authorities (CNA), individuals, or organizations and reported to the CVE Program.

What CVE score is critical?

Common Vulnerability Scoring System (CVSS) severity bands:

Severity   Score
Low        0.1-3.9
Medium     4.0-6.9
High       7.0-8.9
Critical   9.0-10.0

What does a CVE report contain?

A CVE entry describes a known vulnerability or exposure. Each CVE entry contains a standard identifier with a status indicator (e.g. "CVE-1999-0067", "CVE-2014-12345", "CVE-2016-7654321"), a brief description, and references to related vulnerability reports and advisories. Each CVE ID is formatted as CVE-YYYY-NNNNN.
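The ID format described in this answer, the CVSS bands in the table above, and the DISPUTED tag from the article combine naturally in a triage step: a vulnerability-management pipeline should never let a disputed record fall through as if the Program had settled the question, because, as the article states, the decision is left to the reader. The following is an added example, not tooling from the CVE Program or from any of the FAQ sources. It assumes two ways the marker can appear in a record, neither of which the article spells out: the legacy convention of a "** DISPUTED **" prefix on the description text, and the "disputed" value in the `tags` arrays of the CVE JSON 5 `containers.cna` / `containers.adp` objects. The sample records and their CVE-2099-* identifiers are constructed placeholders.

```python
"""Added example: validate CVE IDs, map CVSS scores to severity bands, and surface
the DISPUTED marker so triage cannot silently treat a disputed record as settled.
Not the CVE Program's own code; sample records below are constructed."""
import re
from dataclasses import dataclass

# CVE-YYYY-NNNN with a four-digit year and four or more sequence digits,
# which covers CVE-1999-0067 as well as CVE-2016-7654321.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Qualitative bands from the CVSS table in the FAQ; lower thresholds, highest first.
SEVERITY_THRESHOLDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"))

# Legacy marker prefix on description text (assumption about record format).
LEGACY_DISPUTED_PREFIX = "** DISPUTED **"


def is_valid_cve_id(cve_id: str) -> bool:
    """True if cve_id matches CVE-YYYY-NNNN (case-sensitive, 4+ sequence digits)."""
    return CVE_ID_RE.match(cve_id) is not None


def cvss_severity(score: float) -> str:
    """Map a CVSS base score to its band; 0.0 lies below the lowest band listed."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for threshold, label in SEVERITY_THRESHOLDS:
        if score >= threshold:
            return label
    return "None"


def is_disputed(record: dict) -> bool:
    """Detect the DISPUTED marker in a CVE JSON 5-shaped record (assumed layout).

    Checks the 'disputed' tag in containers.cna.tags and containers.adp[].tags,
    and the legacy '** DISPUTED **' prefix on any CNA description."""
    containers = record.get("containers", {})
    cna = containers.get("cna", {})
    if "disputed" in cna.get("tags", []):
        return True
    for adp in containers.get("adp", []):
        if "disputed" in adp.get("tags", []):
            return True
    for desc in cna.get("descriptions", []):
        if desc.get("value", "").lstrip().startswith(LEGACY_DISPUTED_PREFIX):
            return True
    return False


@dataclass(frozen=True)
class TriageResult:
    cve_id: str
    severity: str
    disputed: bool
    action: str  # "manual-review" or "standard-sla"


def triage(record: dict, cvss_score: float) -> TriageResult:
    """Produce a triage decision; disputed records are routed to a human decision
    because the Program makes no determination as to which party is correct."""
    cve_id = record["cveMetadata"]["cveId"]
    if not is_valid_cve_id(cve_id):
        raise ValueError(f"malformed CVE ID: {cve_id}")
    disputed = is_disputed(record)
    action = "manual-review" if disputed else "standard-sla"
    return TriageResult(cve_id, cvss_severity(cvss_score), disputed, action)


# Constructed sample records (placeholder IDs, not real CVE Records).
SAMPLE_TAGGED = {
    "cveMetadata": {"cveId": "CVE-2099-00001", "state": "PUBLISHED"},
    "containers": {"cna": {"tags": ["disputed"],
                           "descriptions": [{"lang": "en", "value": "Constructed example."}]}},
}
SAMPLE_LEGACY = {
    "cveMetadata": {"cveId": "CVE-2099-00002", "state": "PUBLISHED"},
    "containers": {"cna": {"descriptions": [
        {"lang": "en", "value": "** DISPUTED ** Constructed legacy-style example."}]}},
}
SAMPLE_CLEAN = {
    "cveMetadata": {"cveId": "CVE-2099-00003", "state": "PUBLISHED"},
    "containers": {"cna": {"descriptions": [{"lang": "en", "value": "Constructed example."}]}},
}

if __name__ == "__main__":
    for rec, score in ((SAMPLE_TAGGED, 7.5), (SAMPLE_LEGACY, 4.0), (SAMPLE_CLEAN, 3.2)):
        print(triage(rec, score))
```

The routing rule is deliberately simple: the only thing the tag tells you is that accuracy, completeness, or the security relevance of the bug is contested, so the record is handed to a reviewer who can weigh it against the organisation's own assets rather than being scored or ignored automatically.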

Who issues CVE?

CVE IDs are primarily assigned by MITRE, as well as by authorized organizations known as CVE Numbering Authorities (CNAs)—an international group of vendors and researchers from numerous countries.

Do all vulnerabilities have a CVE?

CVE stands for Common Vulnerabilities and Exposures. It is the database of publicly disclosed information on security issues. All organizations use CVEs to identify and track the number of vulnerabilities. However, not all the vulnerabilities discovered have a CVE number.

What is a CVE risk classification?

The CVE definition is twofold. It stands for Common Vulnerabilities and Exposures, a list of publicly disclosed risks and vulnerabilities in software and systems. But CVE can also be used to reference a vulnerability that has been documented and assigned a number within the CVE list.

Is CVE data reliable?

Many organizations, including cybersecurity vendors, rely on CVE data provided by NVD. As a government organization operated by the U.S. National Institute of Standards and Technology (NIST), NVD has been a trusted source of information, providing an invaluable public service since the early 2000s.

What does “this update has no published CVE entries” mean?

All that can be read into the statement “no published CVE entries” is that the update does not relate to any of the catalogued CVE vulnerabilities, but it might relate to some other security or privacy issue.
