About the !CVE Program

The mission of the !CVE Program is to provide a common space for cybersecurity !vulnerabilities that are not acknowledged by vendors but are still serious security issues. In other words, these !vulnerabilities (read: "not vulnerabilities") are security issues that reduce the expected amount of work an attacker needs to successfully attack a target, but they can also be fully fledged attacks on their own. We believe !vulnerabilities should be identified, categorized and made known to the security community even when vendors refuse to acknowledge them or assign them a CVE.

According to MITRE's CNA rules, vendors:

[...] are left to their own discretion to determine whether something is a vulnerability.

This poses a clear conflict of interest, since the vendor is the one deciding whether or not a CVE is assigned to its own product. As a result, multiple security issues are never assigned a CVE, even when MITRE agrees that one should be granted.

We see the !CVE Project as a great initiative to track and identify security issues that are not acknowledged by vendors but still are important for the security community.

Please read the FAQ section to better understand the scope of the project: How NotCVEs are Assigned, How NotCVEs Complement CVE Efforts, What Qualifies as a NotCVE, What does Not Qualify as a NotCVE, Can a Vendor Request a NotCVE, etc.