Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Guide to Using Vulnerability Naming Schemes



David A. Waltermire, Karen Scarfone


This publication provides recommendations for using two vulnerability naming schemes: Common Vulnerabilities and Exposures (CVE) and Common Configuration Enumeration (CCE). Draft SP 800-51 Revision 1 gives an introduction to both naming schemes and makes recommendations for end-user organizations on using their names. The publication also presents recommendations for software and service vendors on how they should use vulnerability names and naming schemes in their product and service offerings. [Supersedes SP 800-51 (September 2002):]
Special Publication (NIST SP) - 800-51 Rev 1
Report Number
800-51 Rev 1


CCE, Common Configuration Enumeration, Common Vulnerabilities and Exposures, CVE, SCAP, security automation, security configuration, Security Content Automation Protocol, vulnerabilities, vulnerability naming


Waltermire, D. and Scarfone, K. (2011), Guide to Using Vulnerability Naming Schemes, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed June 25, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created February 25, 2011, Updated May 4, 2021