Removing a CVE from NVD

TL;DR

You can’t directly *remove* a CVE from the National Vulnerability Database (NVD). Once published, it remains. However, you can request that the NVD analysts re-evaluate the entry if you believe it’s inaccurate or contains errors. This might lead to changes or annotations, effectively mitigating its impact.

How to Request a CVE Re-evaluation

  1. Understand Why You’d Want To: Common reasons include:
    • The vulnerability doesn’t exist.
    • It affects the wrong product or version.
    • The severity is incorrect.
    • Duplicate CVEs have been assigned.
  2. Gather Evidence: This is crucial! You need solid proof to support your claim. Examples include:
    • Source code analysis showing the vulnerability isn’t present.
    • Vendor statements or advisories.
    • Detailed testing reports demonstrating the issue doesn’t occur.
    • Clear documentation of product versions affected (or not affected).
  3. Use the NVD Vulnerability Reporting Form: This is the official channel.
    • Go to NVD Vulnerability Reporting.
    • Fill out all required fields accurately and completely. Pay close attention to the ‘Details’ section – this is where you present your evidence.
    • Select the appropriate reporting category (e.g., Incorrect Information, Duplicate CVE).
  4. Provide Detailed Information in the Form: Be as specific as possible.
    • CVE ID: The CVE number you are questioning.
    • Product Name and Version: Clearly identify the affected product(s) and version(s).
    • Detailed Explanation: Explain *why* you believe the CVE is incorrect, referencing your evidence. Avoid vague statements like “This isn’t a real vulnerability.” Instead, say something like “Source code analysis (see attached file ‘source_code_review.pdf’) shows that the vulnerable function does not exist in version 2.5 of the product.”
    • Supporting Documentation: Attach any relevant files (reports, source code snippets, vendor advisories).
  5. Submit and Track Your Request: After submitting, you’ll receive a tracking number.
    • The NVD analysts will review your submission. This can take time – be patient!
    • You may receive requests for additional information. Respond promptly.
    • Check the CVE entry periodically to see if any changes have been made. Changes are usually indicated in the ‘History’ section of the CVE record.
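
A way to automate the periodic check in step 5, as an added example that is not from the original post: it filters a CVE's change history for the fields a re-evaluation would alter (affected versions, severity, CWE), so you can see what the analysts changed after the date you filed. Assumptions: the JSON shape and the `type` labels follow the NVD CVE Change History API (`/rest/json/cvehistory/2.0?cveId=...`) as I know it, and the sample record below is constructed, not a real CVE.

```python
import json

# Constructed sample, shaped like a response from the NVD CVE Change History API
# (https://services.nvd.nist.gov/rest/json/cvehistory/2.0?cveId=<id>). The field
# names are an assumption about that API; the CVE ID and every value are made up.
SAMPLE_HISTORY = json.dumps({"cveChanges": [
    {"change": {"cveId": "CVE-0000-0000", "eventName": "Initial Analysis",
                "created": "2024-01-10T12:00:00.000",
                "details": [
                    {"action": "Added", "type": "CVSS V3.1",
                     "newValue": "NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
                    {"action": "Added", "type": "CPE Configuration",
                     "newValue": "cpe:2.3:a:example:product:*:*:*:*:*:*:*:* "
                                 "versions up to (including) 2.5"}]}},
    {"change": {"cveId": "CVE-0000-0000", "eventName": "Modified Analysis",
                "created": "2024-03-02T09:30:00.000",
                "details": [
                    {"action": "Changed", "type": "CPE Configuration",
                     "oldValue": "cpe:2.3:a:example:product:*:*:*:*:*:*:*:* "
                                 "versions up to (including) 2.5",
                     "newValue": "cpe:2.3:a:example:product:*:*:*:*:*:*:*:* "
                                 "versions up to (excluding) 2.5"}]}}]})

# Change types that matter for a re-evaluation request: affected versions
# (CPE Configuration), severity (CVSS) and weakness classification (CWE).
# The labels are assumed to match what NVD emits.
WATCHED_TYPES = ("CPE Configuration", "CVSS V3.1", "CWE")


def changes_since(history_json, since, watched=WATCHED_TYPES):
    """List watched changes recorded after `since` (ISO timestamp, e.g. the
    date you submitted the reporting form). NVD timestamps are ISO-8601, so
    plain string comparison orders them correctly."""
    found = []
    for entry in json.loads(history_json).get("cveChanges", []):
        change = entry["change"]
        if change["created"] <= since:
            continue
        for d in change.get("details", []):
            if d.get("type") in watched:
                found.append({
                    "when": change["created"], "event": change["eventName"],
                    "type": d["type"], "action": d["action"],
                    "old": d.get("oldValue"), "new": d.get("newValue")})
    return found


if __name__ == "__main__":
    for c in changes_since(SAMPLE_HISTORY, "2024-02-01T00:00:00.000"):
        print(f"{c['when']} {c['event']}: {c['action']} {c['type']}\n"
              f"  was: {c['old']}\n  now: {c['new']}")
```

With a live record, fetch the history JSON for your CVE ID and pass it in place of `SAMPLE_HISTORY`, using your submission date as `since`.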

What Happens Next?

The NVD analysts will investigate your claim. Possible outcomes include:

  • CVE is Updated: The entry might be modified to reflect correct information (e.g., affected versions, severity).
  • Annotation Added: A note may be added to the CVE record explaining the discrepancy or providing additional context.
  • Request Rejected: If your evidence isn’t convincing, the request will be rejected. You can provide further information if you disagree with this decision.

Important Considerations

  • No Guarantee of Removal: The NVD’s primary goal is to document vulnerabilities, not remove them. They focus on accuracy and completeness.
  • Timeframe: Re-evaluation can take weeks or months.
  • Focus on Accuracy: Provide the most accurate and comprehensive information possible to increase your chances of a successful outcome.