Happy Birthday, CVE! – Naked Security


It was October 1999. Macs had just got embedded Wi-Fi, Napster had launched, and Yahoo had purchased Geocities for $3.6bn. Something else happened that escaped most computer users at the time: CVE posted its first bug. The Common Vulnerabilities and Exposures (CVE) system is 20 years old this week.

Created by the non-profit Mitre Corporation, which oversees several federal government programs, CVE provides common identifiers for cybersecurity bugs, making them easier to track and fix.

Back then, most cybersecurity bug tracking tools used their own databases and their own IDs. That made it difficult for people to collaborate on reporting and fixing bugs. CVE fixed this using its bug numbering system.

The CVE list couldn’t have come at a better time – 1999 was the year that widespread malware infections really took off. The CIH virus that appeared the year before dropped its first payload in 1999. In March, the Melissa worm devastated Office users’ machines around the world, setting the record for the most powerful malware so far.

The list started small but has grown to contain over 125,000 vulnerabilities. NIST’s National Vulnerability Database (NVD) is based on it, and Mitre also mines the vulnerabilities to produce a list of broader cybersecurity weakness categories known as the Common Weakness Enumeration.