The votes are in - and we have a new CVE numbering scheme!
------------------------------------------------------------------------
[Update 2013.8.1]
MITRE has prepared a page describing the change in CVE format.
The page is at the following:
CVE-ID Syntax Change
https://cve.mitre.org/cve/identifiers/syntaxchange.html
Stated on the site, this change is scheduled to take effect on January 1, 2014. This page describes some of the background behind the change and towards the bottom of the page there is a list of some frequently asked questions.
------------------------------------------------------------------------
Hello, this is Taki again and this is an update to a previous entry that I wrote on CVE identifiers.
For details on what CVE is, please refer to my previous entry or the CVE website.
As I wrote in my previous entry, CVE is undergoing a numbering scheme change and the editorial board voting has been completed.
After 2 rounds of voting, Option B was elected to be the new numbering scheme.
-
To review, Option B is as follows:
(http://cve.mitre.org/data/board/archives/2013-06/msg00000.html)
-----
(Directly from the above link)
To reprise, Option B specifies the following:
- Variable length
- 4-digit Year + four fixed digits for IDs up to 9999
- IDs 0001 through 0999 padded with leading zeros
- IDs over 9999 will expand as needed, no leading zeros
Examples:
- Four digit IDS (through 9999)
- CVE-2014-0001, CVE-2014-0999
- CVE-2014-1234, CVE-2014-9999
- Five digit IDS (> 9999)
- CVE-2014-10000, CVE-2014-54321, CVE-2014-99999
- Six digit IDS (> 99999)
- CVE-2014-100000, CVE-2014-123456, CVE-2014-999999
- Etc., as needed
-----
According to MITRE, this new scheme will become effective January 1, 2014.
Transition plans and other specifics will become available as time goes on.
If there are any developments, I will notify via this blog.
For any questions, please contact me at vultures(at)jpcert.co.jp
- Taki Uchiyama