Collaborative Vulnerability Metadata Acceptance Process (CVMAP)

Traditionally, the NVD has been responsible for providing assorted metadata to CVE records after they have been published to the CVE List. We refer to these efforts as "enrichment".

The data types currently supported in CVMAP:

• Common Vulnerability Scoring System v4.0 (CVSS v4.0)
• Common Vulnerability Scoring System v3.1 (CVSS v3.1)
• Common Vulnerability Scoring System v2.0 (CVSS v2.0)
• Common Weakness Enumerations (CWE)

These data types are referred to as submission categories within CVMAP.

As the CVE program has matured and evolved over time, a growing volume of CVE publications have shown that new systems of maintenance are needed to provide these data points in a timely fashion while maintaining consistency and quality. To support this need the NVD has initiated a new program for the submission of CVE metadata from CVE Numbering Authorities (CNAs) and Authorized Data Providers (ADPs) dubbed "CVMAP". Driven by data contributed to the CVE List by CNAs and ADPs the NVD will assess all information provided and associate metadata, if the information provided is consistent with the NVD enrichment team assessment the data contributors will be able to increase their acceptance level for that submission category. Once a data provider reaches the acceptance level of Provider, their information will instead be audited less often. This program should result in more consistent practices across the information security community when providing standards and text-based information, alleviate the strain caused by the growing volume of CVE publications on NVD enrichment efforts and continue to retain consistency and quality of information for all consumers of CVE data.

For more detailed information regarding CVMAP please review NIST.IR 8246 and the additional pages listed above.