Mission and Overview
NVD is the U.S. government repository of standards-based
vulnerability management data. This data enables automation of vulnerability management,
security measurement, and compliance (e.g. FISMA).
Resource Status
NVD contains:
53868 | CVE Vulnerabilities |
202 | Checklists |
222 | US-CERT Alerts |
2661 | US-CERT Vuln Notes |
8140 | OVAL Queries |
Last updated: 11/15/12
CVE Publication rate: 11 vulnerabilities / day
Email List
NVD provides five mailing lists to the public. For information and subscription instructions please visit NVD Mailing Lists.
Workload Index
Vulnerability Workload Index: 5.17
About Us
NVD is a product of the NIST Computer Security Division
and is sponsored by the Department of Homeland Security’s
National Cyber Security Division. It supports the U.S. government
multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program.
It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).
National Vulnerability Database Version 2.2
NVD is the U.S. government repository of standards-based vulnerability management data represented using the
Security Content Automation Protocol (SCAP).
This data enables automation of vulnerability management, security measurement, and compliance.
NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names,
and impact metrics.
Federal Desktop Core Configuration settings (FDCC)
NVD contains content (and pointers to tools) for performing configuration checking of systems
implementing the FDCC using the Security Content Automation Protocol (SCAP).
FDCC Checklists are available here (to be used with SCAP FDCC capable tools).
SCAP FDCC Capable Tools are available here.
NVD Primary Resources
- Vulnerability Search Engine (CVE software flaws and CCE misconfigurations)
- National Checklist Program (automatable security configuration guidance in XCCDF and OVAL)
- SCAP (program and protocol that NVD supports)
- SCAP Compatible Tools
- SCAP Data Feeds (CVE, CCE, CPE, CVSS, XCCDF, OVAL)
- Product Dictionary (CPE)
- Impact Metrics (CVSS)
- Common Weakness Enumeration (CWE)
NVD/SCAP Recent Activity:
- October 3rd - 5th, 2012: 8th Annual IT Security Automation Conference
- October 31st - November 2nd, 2011: 7th Annual IT Security Automation Conference
- August 29th - 30th, 2011: EMAP Developer Workshop
- September 27th - 29th, 2010: 6th Annual IT Security Automation Conference
- May 11, 2010: 2010 NASA / Army Systems and Software Engineering Forum
- April 13, 2010: Security Solutions 2010
- March 16, 2010: IT Security Entrepreneurs' Forum
- February 22, 2010: Security Automation Developer Days Winter 2010
- October 26, 2009: 5th Annual IT Security Automation Conference
- September 05, 2008: NVD updated to version 2.2
- August 18, 2008: OMB has released a new memo relating to FDCC and the SCAP validation program. The memo can be found at: www.whitehouse.gov/omb/memoranda/fy2008/m08-22.pdf
- August 11, 2008: The Interactive Schema and the Interactive Schema Interpreter are now available through NVD at nvd.nist.gov/interactive.cfm
- Minor update made to FDCC Reporting Format - update pertains to the Schematron Stylesheet, please reference the changelog for details.
- Version 1.0.2 of the SCAP Validation Program Derived Test Requirements Document has been released.
- All presentations from the Federal Desktop Core Configuration (FDCC) Implementers Workshop have been posted at: nvd.nist.gov/workshop.cfm
- January 24, 2008: Free Federal Desktop Core Configuration (FDCC) Implementers Workshop held at NIST. Workshop will address technical aspects of FDCC and corresponding Security Content Automation Protocol (SCAP) updates.
- January 21, 2008: XCCDF-based FDCC reporting format has been released. Specification and associated schematron stylesheet can be found at nvd.nist.gov/scap/content/fdcc-reporting_20080108.zip
- October 16, 2007: The NVD CVSS V2 calculator has been updated to comply with the official CVSS V2 Specification. For more information please see: NVD CVSS
- October 12, 2007: The Draft of XCCDF Specification 1.1.4 has been posted to the NVD XCCDF Webpage.
- September 27, 2007: NVD is now mapping into a cross section of the Common Weakness Enumeration (CWE). Please see the NVD CWE page for more details.
- September 19 and 20, 2007: The 3rd Annual IT Security Automation Conference was held at NIST. Presentations from the conference can be found here: nvd.nist.gov/presentations.cfm
- August 6, 2007: A U.S. Office of Management and Budget memorandum requires specific secure configuration settings for Microsoft operating systems and requires use of SCAP validated tools to monitor system configurations over time.
- August 6, 2007: The Payment Card Industry Data Security Standard requires use of NVD Common Vulnerability Scoring System impact scores for use within approved scanning vendor tools.
- July 27, 2007: The National Vulnerability Database announces support for the Common Platform Enumeration (CPE) standard for vendor and product naming.
- June 20, 2007: The National Vulnerability Database deployed support for the Common Vulnerability Scoring System (CVSS) version 2.0.
- May 22, 2007: The National Vulnerability Database upgraded to version 2.0. NIST Checklist Program moved within NVD.
- Plans for the 3rd Annual Security Automation Conference and Workshop to be held Sept 19th & 20th, 2007 are under way.
- May 9, 2007: Released Windows XP Professional beta version 7 security automation files
- April 13, 2007: Released Windows 2000 Professional security automation files beta version 1 (XCCDF skeleton and patch content)
- April 5, 2007: Released Microsoft Internet Explorer Version 7.0 security automation files beta version 8
- April 5, 2007: Released Windows Vista security automation files version 5.0
- April 4, 2007: Released Windows 2003 Server security automation files version 2.0
- March 28, 2007: Released Microsoft Office 2007 security automation files beta version 4
- March 27, 2007: Released Symantec Antivirus security automation files beta version 2
Send comments or suggestions to nvd@nist.gov
NIST
Computer Security Resource Center (CSRC)
NIST is an Agency of the U.S. Dept. of Commerce