When researching security vulnerabilities, you'll encounter two major sources: MITRE's CVE List and NIST's National Vulnerability Database (NVD). While both deal with CVEs, they serve different purposes and provide different levels of information. Understanding the distinction helps you use each resource effectively.
Quick Summary
MITRE CVE List:
- Assigns and maintains CVE IDs
- Provides basic vulnerability information
- Source of truth for CVE assignments
- Minimal enrichment
NIST NVD:
- Builds upon the CVE List
- Adds detailed analysis and scores
- Provides CVSS metrics
- Offers search and API capabilities
Relationship: NVD uses CVE as its foundation and enriches each entry with additional analysis.
What is MITRE's CVE List?
MITRE (Massachusetts Institute of Technology Research and Engineering) operates the CVE Program, which is the authoritative source for CVE identifiers.
What MITRE Provides
1. CVE ID Assignment
- Assigns unique CVE identifiers (CVE-YYYY-NNNNN)
- Coordinates with 350+ CVE Numbering Authorities (CNAs)
- Manages reserved CVE IDs before public disclosure
2. Basic Vulnerability Information Each CVE entry includes:
- CVE ID: Unique identifier
- Description: Brief explanation of the vulnerability
- References: Links to advisories, patches, research
- Status: Reserved, Published, Rejected, or Disputed
- Date Published: When publicly disclosed
3. CVE List Management
- Maintains authoritative CVE database
- Ensures ID uniqueness
- Handles disputes and corrections
- Manages CVE lifecycle
What MITRE Doesn't Provide
❌ CVSS severity scores ❌ Detailed technical analysis ❌ CWE (weakness type) mappings ❌ CPE (product) identifiers ❌ Advanced search capabilities ❌ Fix/patch information ❌ Exploit assessments
Example MITRE CVE Entry
CVE-2024-1234
Description:
Buffer overflow in Example Software 1.0-2.5 allows remote attackers
to execute arbitrary code via crafted input to the processData function.
References:
- https://vendor.com/security/advisory-2024-001
- https://github.com/example/security-fix
Status: Published
Date Published: 2024-03-15
That's it. Basic but essential information.
What is NIST's National Vulnerability Database?
NIST (National Institute of Standards and Technology) operates the NVD, which is a comprehensive vulnerability database built on top of the CVE List.
What NVD Provides
1. All CVE Information NVD imports every CVE from MITRE, so it includes:
- CVE IDs
- Descriptions
- References
- Publication dates
2. CVSS Scores NVD analysts calculate CVSS (Common Vulnerability Scoring System) scores:
- Base Score: Intrinsic vulnerability characteristics (0.0-10.0)
- Severity Rating: None, Low, Medium, High, Critical
- Vector String: Shows how score was calculated
- CVSS v2 and v3.x scores: Multiple versions for comparison
3. CWE Mappings Categorizes vulnerabilities by weakness type:
- CWE-79: Cross-Site Scripting (XSS)
- CWE-89: SQL Injection
- CWE-78: OS Command Injection
- Helps identify patterns and root causes
4. CPE Identifiers Specifies affected products in machine-readable format:
cpe:2.3:a:vendor:product:1.0:*:*:*:*:*:*:*
Enables automated vulnerability matching in scanners.
5. Configuration Details
- Affected versions
- Vulnerable configurations
- Platform specifics
- Prerequisites for exploitation
6. Enhanced References Additional links beyond MITRE's basic references:
- Patch announcements
- Vendor advisories
- Exploit databases
- Security research
7. Search and Analysis Tools
- Advanced search by CVSS score, CWE, vendor, product
- API access for automation
- Historical data and trends
- Visualizations and statistics
8. Data Feeds
- JSON and XML feeds
- CVE change logs
- Recent additions and modifications
- API for real-time access
Example NVD Entry
The same CVE with NVD enrichment:
CVE-2024-1234
Description: [Same as MITRE]
CVSS v3.1 Score: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-120 (Buffer Copy without Checking Size of Input)
CPE:
- cpe:2.3:a:example:software:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:example:software:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:example:software:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:example:software:2.5:*:*:*:*:*:*:*
References: [Extended list including exploit databases]
Published: 2024-03-15
Last Modified: 2024-03-16
Much richer information for security analysis.
Key Differences at a Glance
| Feature | MITRE CVE | NIST NVD |
|---|---|---|
| CVE ID Assignment | ✅ Primary source | ❌ Uses MITRE IDs |
| Basic Description | ✅ Minimal | ✅ Same + enhanced |
| CVSS Scores | ❌ No | ✅ Yes (v2, v3.x) |
| CWE Mapping | ❌ No | ✅ Yes |
| CPE Identifiers | ❌ No | ✅ Yes |
| Affected Versions | ⚠️ Limited | ✅ Detailed |
| Search Capabilities | ⚠️ Basic | ✅ Advanced |
| API Access | ⚠️ Limited | ✅ Comprehensive |
| Update Frequency | 🟢 Real-time | 🟡 Hours to days lag |
| Free Access | ✅ Yes | ✅ Yes |
Which Should You Use?
Use MITRE CVE When:
✅ You need the official CVE ID
- Assigning or reserving CVE IDs
- Verifying CVE exists and is valid
- Checking CVE status (reserved vs. published)
✅ You want the fastest information
- CVE published to MITRE first
- NVD enrichment takes time (hours to days)
✅ You need basic information only
- Just checking if CVE exists
- Looking up references quickly
- Don't need severity scores
Use NIST NVD When:
✅ You need severity assessment
- CVSS scores for prioritization
- Severity ratings (Critical, High, etc.)
- Risk-based vulnerability management
✅ You need detailed technical analysis
- CWE categorization
- Affected product versions
- Configuration details
✅ You're building security tools
- API access for automation
- Machine-readable CPE identifiers
- Data feeds for scanners
✅ You need comprehensive searching
- Search by CVSS score range
- Filter by CWE type
- Find vulnerabilities by vendor/product
✅ You're conducting research
- Historical vulnerability trends
- Exploit analysis
- Weakness pattern identification
How They Work Together
1. CVE Assignment (MITRE)
- Researcher reports vulnerability
- CNA assigns CVE-2024-1234
- Basic information published
2. CVE Ingestion (NVD)
- NVD automatically imports CVE-2024-1234
- Entry appears in NVD with basic info
3. Analysis (NVD)
- NIST analysts review vulnerability
- Calculate CVSS score
- Map to CWE
- Identify CPE for affected products
4. Enrichment (NVD)
- Enhanced entry published
- CVSS score available
- Additional references added
- Searchable by multiple criteria
Timeline: This process typically takes a few hours to a few days after initial CVE publication.
Practical Workflow
For Security Teams:
-
Monitor both sources
- MITRE for fastest CVE notifications
- NVD for actionable analysis
-
Use MITRE for awareness
- Subscribe to CVE feeds
- Get alerts on new CVEs
- Track reserved IDs for coordinated disclosure
-
Use NVD for prioritization
- Check CVSS scores
- Filter high/critical only
- Search for your product stack
- Integrate with scanners
-
Cross-reference both
- Verify CVE in MITRE
- Get scoring from NVD
- Check for updates in both
For Tool Integration:
- Vulnerability Scanners: Use NVD API for CVE details and CPE matching
- SIEM Systems: Ingest NVD data for correlation
- Patch Management: Query NVD for affected versions
- Threat Intelligence: Use both for comprehensive coverage
Important Considerations
NVD Enrichment Delays
2023 Backlog: NVD experienced significant delays analyzing CVEs due to funding and staffing issues. Some CVEs went months without CVSS scores.
Current State (2025): NVD has improved but occasional delays still occur during high-volume periods.
Workaround: Some vendors now publish their own CVSS scores rather than waiting for NVD.
CVSS Score Disagreements
Sometimes vendor CVSS scores differ from NVD scores:
- Vendors may score based on typical deployments
- NVD scores worst-case scenarios
- Both scores are valid from different perspectives
Best practice: Use the higher score for prioritization to be safe.
CVE Status Changes
CVEs can be:
- Rejected: Determined not to be valid vulnerabilities
- Disputed: Disagreement about validity or impact
- Updated: New information or corrections
Check both MITRE and NVD for status changes.
Other Vulnerability Databases
While MITRE and NVD are the primary sources, other databases provide additional value:
- VulnDB: Commercial database with more detailed analysis
- Exploit Database: Focuses on available exploits
- CVE Details: Community-driven statistics and trends
- GitHub Security Advisories: Open source specific vulnerabilities
- Vendor Databases: Microsoft, Red Hat, Ubuntu security advisories
These often reference CVE IDs but add vendor-specific or specialized information.
Conclusion
MITRE CVE is the authoritative source for CVE identifiers and basic vulnerability information. It's fast, official, and the foundation of the vulnerability ecosystem.
NIST NVD takes CVE data and enriches it with severity scores, technical analysis, and searchable attributes that make it actionable for security teams.
Use both:
- MITRE for awareness and speed
- NVD for analysis and prioritization
- Together they provide comprehensive vulnerability intelligence
Most security tools integrate with NVD because it provides the actionable data needed for automated vulnerability management. However, monitoring MITRE directly ensures you have the fastest possible notification of new vulnerabilities affecting your organization.
Need to search both databases? Our CVE Lookup tool queries the NVD API, giving you access to enriched CVE data with CVSS scores and detailed analysis.
