About the NotCVE Program

The mission of the NotCVE Program is to provide a common space for cybersecurity !vulnerabilities that are not acknowledged by vendors but still are serious security issues. In other words, these !vulnerabilities (read, not vulnerabilities) are security issues that would reduce the expected amount of work to be done by an attacker to successfully attack a target, but can also be fully fledged attacks on their own. We do believe !vulnerabilities should be identified, categorized and made known to the security community even when vendors refuse to acknowledge them or assign them a CVE.

According to MITRE's CNA rules, vendors:

[...] are left to their own discretion to determine whether something is a vulnerability.

This poses a clear conflict of interest, since the same vendor is the one deciding whether or not a CVE is assigned to their own product. As a result, many security issues go without a CVE even when MITRE agrees that one should be granted.

We see the NotCVE Project as a great initiative to track and identify security issues that are not acknowledged by vendors but still are important for the security community.

Please read the FAQ section to better understand the scope of the project: How NotCVEs are Assigned, How NotCVEs Complement CVE efforts, What Qualifies as a NotCVE, What does Not Qualify as a NotCVE, Can a Vendor Request a NotCVE, etc.

Powerful Vulnerability Searcher

NotCVE is now a powerful search engine for both CVEs and NotCVEs. You can use advanced search queries to find relevant vulnerabilities affecting your products. Each vulnerability entry contains detailed information compiled from multiple sources, including CPE, CVSS, SSVC, KEV, EPSS, patches, exploits, Linux commits, and more.

For example, to easily search for Remote Code Execution vulnerabilities affecting Microsoft, and filter them by a CVSS score higher than 8, as well as by results containing the word 'Outlook' in any field (description, title, references, etc.), you just need to type in the search engine: vendor:"Microsoft" cvss:>8 RCE Outlook. More examples here.
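The query above combines a field filter (vendor), a numeric comparison (cvss:>8) and free-text terms that must appear somewhere in the entry. The following is an added illustration, not NotCVE's own search code: it parses that query shape and runs it over a handful of constructed entries so the combination of filters can be seen working. The entry layout, the set of supported fields (vendor, cvss) and the comparison operators are assumptions for the example; the real engine may accept more.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Entry:
    """Minimal vulnerability record (assumed layout, not NotCVE's schema)."""
    id: str
    vendor: str
    cvss: float
    title: str
    description: str
    references: list = field(default_factory=list)

# Constructed sample entries; the ids, scores and text are invented for this example.
ENTRIES = [
    Entry("EXAMPLE-0001", "Microsoft", 9.8, "Outlook RCE via crafted message",
          "Remote code execution when a crafted message is previewed.",
          ["https://example.invalid/advisory-1"]),
    Entry("EXAMPLE-0002", "Microsoft", 7.5, "Outlook denial of service",
          "Malformed calendar item causes a crash.", []),
    Entry("EXAMPLE-0003", "Microsoft", 9.1, "Exchange RCE",
          "Remote code execution in a mail transport component.",
          ["https://example.invalid/outlook-advisory"]),  # matches 'Outlook' only via a reference
    Entry("EXAMPLE-0004", "Mozilla", 9.6, "Thunderbird RCE",
          "Remote code execution in the message parser.", []),
]

# field:value pairs (value may be double-quoted) or bare free-text words
TOKEN_RE = re.compile(r'(\w+):("[^"]*"|\S+)|(\S+)')
# optional comparison operator followed by a number, e.g. >8, >=7.5, 9.0
CMP_RE = re.compile(r'^(>=|<=|>|<|=)?(\d+(?:\.\d+)?)$')

SUPPORTED_FIELDS = {"vendor", "cvss"}  # assumption for this example

def parse_query(query):
    """Split a query into field filters and free-text terms."""
    fields, free = {}, []
    for key, value, word in TOKEN_RE.findall(query):
        if key:
            if key.lower() not in SUPPORTED_FIELDS:
                raise ValueError(f"unsupported field: {key}")
            fields[key.lower()] = value.strip('"')
        else:
            free.append(word)
    return fields, free

def cvss_matches(score, spec):
    """Evaluate a numeric filter such as '>8' or '>=7.5' against a score."""
    m = CMP_RE.match(spec)
    if not m:
        raise ValueError(f"bad cvss filter: {spec}")
    op, num = m.group(1) or "=", float(m.group(2))
    return {">": score > num, ">=": score >= num,
            "<": score < num, "<=": score <= num, "=": score == num}[op]

def entry_text(e):
    """All searchable text of an entry, lower-cased, for free-text matching."""
    return " ".join([e.id, e.vendor, e.title, e.description, *e.references]).lower()

def search(entries, query):
    """Return ids of entries satisfying every field filter and every free-text term."""
    fields, free = parse_query(query)
    hits = []
    for e in entries:
        if "vendor" in fields and e.vendor.lower() != fields["vendor"].lower():
            continue
        if "cvss" in fields and not cvss_matches(e.cvss, fields["cvss"]):
            continue
        text = entry_text(e)
        # whole-word match so 'RCE' does not match inside unrelated words
        if all(re.search(r"\b" + re.escape(w.lower()) + r"\b", text) for w in free):
            hits.append(e.id)
    return hits

if __name__ == "__main__":
    print(search(ENTRIES, 'vendor:"Microsoft" cvss:>8 RCE Outlook'))
```

Running the query from the text returns EXAMPLE-0001 and EXAMPLE-0003: the second is picked up even though "Outlook" appears only in a reference URL, which is the "any field" behaviour the paragraph describes, while EXAMPLE-0002 is dropped by the score filter and EXAMPLE-0004 by the vendor filter.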

Professional API

In response to high demand from the business sector, we have also developed a Professional API, tailored to provide comprehensive data access and real-time alerts, ensuring enhanced operational efficiency and strategic security planning.

Last updated: 19 July 2024