Leebert [soylentnews.org] writes:
Common Vulnerabilities and Exposures (CVE) is a standard identifier for referencing known security vulnerabilities in the information security world. The identifiers are broadly used in security products such as vulnerability scanners, providing a convenient way of cross-referencing data between various tools and databases. For most of its existence, the CVE Identifier for any given vulnerability has been in the format CVE-YYYY-NNNN, where YYYY is the year the identifier was assigned, and NNNN is an incrementing fixed-width number that restarts every year.
Because the time is fast approaching where there will be more than 10,000 CVE Identifiers assigned in a year, the CVE Identifier syntax has been updated to support variable-length numbers [mitre.org], which is likely to pose a problem for applications which have not been updated to permit more than 4 digits in the identifier. The change was adopted in July of last year [mitre.org], taking effect on January 1, 2014.
Personally, it sometimes feels to me that CVE identifiers are being wasted on silly things like esoteric mobile apps [mitre.org], but I concede that running out of numbers is an inevitability regardless of the editorial stance of the CVE Editorial Board.
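An added example, not part of the original submission: how a parser hard-coded to the four-digit syntax silently truncates longer identifiers to a different ID, next to a pattern that accepts the variable-length form. It also covers sort order, which breaks for the same reason; all names and the sample text are constructed for illustration.

```python
import re

# Pre-2014 syntax that many tools hard-coded: exactly four sequence digits.
LEGACY_STRICT = re.compile(r"^CVE-\d{4}-\d{4}$")
# The same pattern without anchors, as commonly used to pull IDs out of text.
LEGACY_SEARCH = re.compile(r"CVE-\d{4}-\d{4}")
# Updated syntax: four or more sequence digits, no fixed upper bound.
CURRENT_SEARCH = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")

# Constructed sample text; the IDs are chosen only for their digit counts.
SAMPLE = "Advisory covers CVE-2014-0001, CVE-2014-10001 and CVE-2014-1234567."


def legacy_extract(text):
    """IDs as a tool with the fixed-width pattern would report them."""
    return LEGACY_SEARCH.findall(text)


def current_extract(text):
    """IDs under the variable-length syntax."""
    return [m.group(0) for m in CURRENT_SEARCH.finditer(text)]


def find_truncations(text):
    """Pairs (what the legacy pattern reports, the real ID) that differ."""
    pairs = []
    for m in CURRENT_SEARCH.finditer(text):
        full = m.group(0)
        short = LEGACY_SEARCH.match(full).group(0)
        if short != full:
            pairs.append((short, full))
    return pairs


def sort_key(cve_id):
    """Order by (year, numeric sequence); plain string order breaks past 9999."""
    m = CURRENT_SEARCH.fullmatch(cve_id)
    if m is None:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))


if __name__ == "__main__":
    print("legacy :", legacy_extract(SAMPLE))
    print("current:", current_extract(SAMPLE))
    for short, full in find_truncations(SAMPLE):
        print(f"legacy pattern reports {short} for {full}")
    ids = ["CVE-2014-10001", "CVE-2014-9999"]
    print(sorted(ids), "vs", sorted(ids, key=sort_key))
```

The anchored legacy pattern rejects the longer IDs outright, while the unanchored one is the more dangerous case because it returns a well-formed but wrong identifier.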