This repository contains DWF assignments, one CSV file per year (it may be sharded in future if we have enough CVE assignments every year), one row per assignment.
The CVE ID assigned for this issue.
This field is mandatory.
The date this CVE was requested privately or publicly. Format is ISO 8601, timezone MUST be UTC, it can either be just a date ("2016-04-16"), or a date and time (2016-05-015T03:11:58Z).
This field is mandatory as part of the CNA feedback process. This date is assumed to fall in the UTC timezone for the purposes of when midnight is.
The date this CVE was assigned privately or publicly. Format is ISO 8601, timezone MUST be UTC, it can either be just a date ("2016-04-16"), or a date and time (2016-05-015T03:11:58Z).
This field is mandatory as part of the CNA feedback process. This date is assumed to fall in the UTC timezone for the purposes of when midnight is.
The date this CVE was made public. Format is ISO 8601, timezone MUST be UTC, it can either be just a date ("2016-04-16"), or a date and time (2016-05-015T03:11:58Z).
This field is mandatory as part of the CNA feedback process. This date is assumed to fall in the UTC timezone for the purposes of when midnight is.
The email address of the assigner or an email contact for the CNA/organization they work for.
This field is optional as some researchers prefer to stay anonymous.
The email address of the assigner or an email contact for the CNA/organization they work for.
This field is optional but strongly reccomended as part of the CNA feedback process.
A list of one or more CVE's that have replaced this entry and what the relationship is (e.g. a CVE split may break a single existing CVE into multiple CVEs). The format is RELATION:CVE, if there are multiple entries they are comma separated (the entire field is quoted). Valid relationships are currently:
- DUPLICATE_OF
- SPLIT_TO
- SPLIT_FROM
- MERGED_TO
- MERGED_FROM
- REJECT
This field is only used if the CVE is split/merged/found to be a duplicate or rejected.
Version of the entry, numeric, sequential (in case it is updated more than once in a single day for example), starts at 1.
This field is mandatory.
The date (YYYY-MM-DD) this entry was last updated.
This field is mandatory if the entry is updated (e.g. version is 2 or more).
The state of this CVE, valid states include:
- RESERVED
- PUBLIC
- CONFIRMED
- REJECTED
- REPLACED (see REPLACED_BY field for more details)
This is a short title for the issue, e.g. "Product Name v1.2.3 buffer overflow flaw in foo()".
This field is optional but strongly reccomended as part of the CNA feedback process.
It is the intent of the DWF Project that the data contained within the DWF-Database and the DWF-Database-Artifacts repositories be widely used (in licensing terms "redistributed") by vendors, security practitioners and any interested party. However we would ask that you abide by the terms of the Apache License which primarily require a copy of the license to be provided (so e.g. "Our database may contain content redistributed from the DWF Project under the Apache License, click here for a copy") and any altered data (e.g. a "Description" of a vulnerability) to be labled as altered (e.g. "This description has been altered from the original provided by the DWF").