Colleagues, As of March 29, 2023, the CVE Program achieved "hard deploy<https://cveproject.github.io/automation-cve-services-faqs#what-is-meant-by-cve-services-21-hard-deploy>" of the CVE Services<https://www.cve.org/AllResources/CveServices>/CVE JSON 5.0<https://www.cve.org/AllResources/CveServices#cve-json-5>/CVE JSON 5.0 Bulk Download<https://www.cve.org/Media/News/item/blog/2023/03/29/CVE-Downloads-in-JSON-5-Format> automation upgrade. Hard deploy means all issues with CVE Services "soft deploy<https://cveproject.github.io/automation-cve-services-faqs#what-is-meant-by-cve-services-21-soft-deploy>" have been addressed, and the CVE JSON 5.0 Bulk Download capability is available for community use. CVE Services/CVE JSON 5.0 Hard Deploy Both CVE Services and CVE JSON 5.0 are in active use by the CVE Numbering Authority (CNA)<https://www.cve.org/ProgramOrganization/CNAs> community. Please see the "CVE Services<https://www.cve.org/AllResources/CveServices>" page on the CVE.ORG website for the most current information about CVE Services and CVE JSON 5.0. Bulk Downloads in CVE JSON 5.0 Format Hard Deploy CVE Records<https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryRecord> in CVE JSON 5.0 format<https://www.cve.org/AllResources/CveServices#cve-json-5> are now available for bulk download by the community. "Bulk download" means all CVE Records and updates are included in a single download file. CVE JSON 5.0 (view the schema<https://github.com/CVEProject/cve-schema>) is the new official data format for CVE Records and download files. Download files based upon CVE JSON 4.0 will be deprecated on or before December 31, 2023 (see the "Legacy Downloads Available for Limited Time Only" section below). These downloads enable development of custom applications for vulnerability management or analysis. To view individual CVE Records, please continue to use the CVE ID lookup search box at the top of all CVE.ORG<https://www.cve.org/> web pages. It provides equally fresh data. New Download Files Hosted on GitHub The new download files are hosted in the cvelistV5 repository<https://github.com/CVEProject/cvelistV5> on GitHub.com. The repository includes release versions of all current CVE Records generated from the official CVE Services API. View the repository ReadMe<https://github.com/CVEProject/cvelistV5/blob/main/README.md> for additional information and known issues. Baseline releases are issued once per day at midnight and posted on the cvelistV5 repository Releases<https://github.com/CVEProject/cvelistV5/releases> page in the following file name format: CVE Prefix-Year-Month-Day _ Greenwich Mean Time (GMT), (e.g., "CVE 2023-03-17_0000Z"). Hourly updates that include any additional CVE Records and/or other changes made since the baseline release are also provided on the Releases page using the same file name format, with time changes encoded at the end. How to Access the New Download Files All download files, including baseline and hourly releases, are available on GitHub, while a single download file of the most recent release is available from the CVE.ORG website. On GitHub: Experienced users of GitHub may use the traditional GitHub functions to maintain their own copy of the CVE List (e.g., "git clone<https://github.com/git-guides/git-clone>" with periodic syncs). In addition, users may download a zipped CVE List "baseline" that is updated at midnight (GMT) each day. A "modified" file is updated every hour that contains only the CVE Records that have been modified/added since the baseline. Each baseline and hourly release includes three items:
* ZIP file of all current CVE Records at midnight (e.g., "2023-03-28_all_CVEs_at_midnight.zip.zip") * ZIP file of all CVE Records added or modified since midnight (e.g., "2023-03-28_delta_CVEs_at_2200Z.zip") * Release Notes for the specific release that contains a text list of CVE Records that have been modified/added since midnight NOTE: The most current release<https://github.com/CVEProject/cvelistV5/releases> contains the most up-to-date CVE List content. Hourly updates contain only the most recent updates. On CVE.ORG: The most-current download file, which includes all CVE Records and updates, is always available from the Downloads<https://www.cve.org/Downloads> page on the CVE.ORG website as a single ZIP file: * main.zip<https://github.com/CVEProject/cvelistV5/archive/refs/heads/main.zip> Legacy Downloads Available for Limited Time Only Legacy format CVE List downloads<https://www.cve.org/Downloads#legacy-format> (i.e., CSV, HTML, XML, and CVRF), which are derived from CVE JSON 4.0, will remain available for download on the CVE.ORG website for a limited time. They will be deprecated on or before December 31, 2023. Any tools or automation that use these old formats may no longer work once the old formats have been deprecated, so organizations should take action now. Questions? Please use the CVE Request Web Forms<https://cveform.mitre.org/> and select "Other" from the dropdown. Respectfully, CVE Program Secretariat cve-prog-secretar...@mitre.org<mailto:cve-prog-secretar...@mitre.org> [A picture containing text, clipart Description automatically generated]
