Colleagues,

The CVE Program is pleased to announce the release of CVE Record Format 5.1.0<https://github.com/CVEProject/cve-schema/blob/master/README.md> (view release notes<https://github.com/CVEProject/cve-schema/releases/tag/v5.1.0>) and CVE Services 2.3.0<https://github.com/CVEProject/cve-services/releases/tag/v2.3.0> (view release notes<https://github.com/CVEProject/cve-services/releases/tag/v2.3.0>). This newest version release of the CVE Record Format further enables additional vulnerability-related information to be included by CVE Numbering Authorities (CNAs)<https://cve.mitre.rip/ProgramOrganization/CNAs> in CVE Records<https://cve.mitre.rip/ResourcesSupport/Glossary?activeTerm=glossaryRecord> at the time of disclosure. CVE Services was updated to support this new version of the CVE Record Format.

As noted in the CVE Blog article "New CVE Record Format Enables Additional Data Fields at Time of Disclosure<https://cve.mitre.rip/Media/News/item/blog/2024/04/30/New-CVE-Record-Format-Enables-Additional-Data>," the CVE Program has "evolved its record format<https://cve.mitre.rip/AllResources/CveServices#CveRecordFormat> to enhance automation capabilities and data enrichment. This format, utilized by CVE Services<https://cve.mitre.rip/AllResources/CveServices>, facilitates the reservation of CVE IDs and the inclusion of data elements like CVSS, CWE, CPE, and other data into the CVE Record at the time of issuing a security advisory. This means the authoritative source (within their CNA scope) of vulnerability information - those closest to the products themselves - can accurately report enriched data to CVE directly and contribute more substantially to the vulnerability management process." CVE Record Format 5.1.0 furthers that effort with key enhancements.

Updates for CVE Record Format 5.1.0

The key updates for the new release include:

* Support for the Forum of Incident Response and Security Teams<https://www.first.org/>' (FIRST) Common Vulnerability Scoring System (CVSS) Version 4.0<https://www.first.org/cvss/v4-0>. CVE Records can be defined using the CVSS v2, v3, v3.1, and now v4 scoring standards
* The versionType field now allows:
  * Single product identification (not just ranges)
  * Support for additional product identifiers including UPC, GTIN, GMN, Package URLs, and SKUs
* Bug fixes including stricter validation to prevent typos in required and optional fields, as well as to prevent unexpected fields in various locations within the schema

A complete list of updates is available in the release notes<https://github.com/CVEProject/cve-schema/releases/tag/v5.1.0>.

Terminology Change

This release also marks a change in how the CVE Program will refer to the CVE JSON 5.x record format in all CVE-related communications, on the website, etc., moving forward. Beginning with this release, "CVE JSON 5.x" will now be referred to as the "CVE Record Format" even though it will continue to be based upon CVE JSON. The full title of this release is: "CVE Record Format Version 5.1.0".

Updates for CVE Services 2.3.0

CVE Services<https://cve.mitre.rip/AllResources/CveServices> was updated to version 2.3.0 to support the release of CVE Record Format 5.1.0. A complete list of updates is available in the release notes<https://github.com/CVEProject/cve-services/releases/tag/v2.3.0>.

Detailed Release Notes

For more information on the features, bugs, etc., noted above, and additional compatibility considerations, please see the following on GitHub:

* CVE Record Format Version 5.1.0 Release Notes<https://github.com/CVEProject/cve-schema/releases/tag/v5.1.0>
* CVE Services 2.3.0 Release Notes<https://github.com/CVEProject/cve-services/releases/tag/v2.3.0>

Sincerely,
CVE Program Secretariat
cve-prog-secretar...@mitre.org<mailto:cve-prog-secretar...@mitre.org>