The second vote for the CVE ID Syntax closed on May 22nd, 2013. The CVE
Editorial Board reached a voting quorum (18 voters from a pool of 23
eligible voters), and we reached a majority in favor of Option B.
The results were:
- 15 votes for the variable-length Option B
(e.g. CVE-2014-9999 and CVE-2014-12345)
- 3 votes for the 8-digit, fixed-length, revised Option A
(e.g. CVE-2014-00000001 and CVE-2014-12345678)
Because of comments received during the voting period, we provided an
opportunity for the Board to take up the question of rescinding the vote. In addition, we wanted to address with the Board a direct question of whether a change to the length of the 8-digit Option A might have led to a different result for the selection vote. There was no affirmation from the Board to either discuss rescinding the vote or to reconsider the length
specification of the revised and (by consensus vote) rejected Option A.
As of Thursday, June 6th 2013, Option B has been selected as the new ID
Syntax for CVE beginning 1 January 2014.
To reprise, Option B specifies the following:
- Variable length
- 4-digit Year + four fixed digits for IDs up to 9999
- IDs 0001 through 0999 padded with leading zeros
- IDs over 9999 will expand as needed, no leading zeros
- Four digit IDs (through 9999)
- CVE-2014-0001, CVE-2014-0999
- CVE-2014-1234, CVE-2014-9999
- Five digit IDs (> 9999)
- CVE-2014-10000, CVE-2014-54321, CVE-2014-99999
- Six digit IDs (> 99999)
- CVE-2014-100000, CVE-2014-123456, CVE-2014-999999
- Etc., as needed
We again want to express our sincere thanks and gratitude to the CVE
Editorial Board and other active participants for all of the discussion
and engagement as we went through this process. Your combined attention
and efforts have once again moved CVE forward, to the benefit of the
community as a whole.
As noted in an earlier message to the CVE Editorial Board, we will be working with the Board on communication strategies, documentation, strategies for how to issue new IDs, and other related items.
We will notify this list as things progress.
The MITRE CVE Team