mailing list archives
Re: CVE id assignment dates
From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Mon, 23 Jan 2012 15:04:25 -0500 (EST)
This misconception is, unfortunately, all too common. I will look into
ways of changing it on the CVE web site.
The Assigned date, strictly defined, is the date on which the specific CVE
*number* was first created and "committed" to the CVE database. There is
no guaranteed relationship between the public disclosure date and the
When a CNA receives a pool of numbers, the Assigned date is when that pool
was created by MITRE. A CNA pool is just a list of CVE numbers that
aren't even associated with a specific vulnerability.
When MITRE reserves a CVE candidate for an independent, non-CNA party, the
"Assigned" date reflects the day that we reserved the candidate - which is
sometimes before the issue is published, and sometimes even before the
vendor is notified.
In other cases, MITRE independently assigns new CVEs for already-disclosed
vulnerabilities, and the Assigned date reflects when we created those
CVEs. In this case, the Assigned date can be AFTER the original
We do not publish any dates related to disclosure, patch, or vendor
notification; interested parties can consult other databases that
explicitly track this information, such as OSVDB.
On Mon, 23 Jan 2012, Solar Designer wrote:
It appears that many people are confused by and concerned about the
"Assigned" dates on CVE ids, not being aware that these dates often (or
even all the time?) merely reflect the assignment of a CVE id pool to a
CNA, normally before the actual vulnerabilities are discovered.
For example, CVE-2012-0056 shows "Assigned (20111207)" - so someone
wrongly thought that this meant that kernel developers or whoever sat on
this bug for 1.5 months.
I think cve.mitre.org web pages need to provide an explanation right
next to these dates or not show the dates.