CVE Rejected

A CVE has the status REJECTED when it was and will not be published by a CNA.

When are CVEs Rejected

There are two possibilities when a CVE is defined as REJECTED:

  1. The CVE is RESERVED and shall not be published
  2. The CVE was published but shall be revoked

Rejected Status Remains

According to the CNA Rules it is not possible nor allowed to change the status REJECTED to something else. In very rare cases this happened with CVEs of other CNAs in the past.

Prevent Rejected CVEs

We are not a CVE Database but a Vulnerability Database. This is why we do not add rejected CVEs to our database whenever possible as these are not vulnerabilities.

A request for such a CVE on our platform (e.g. via API or using the search feature) is not able to return a vulnerability entry.

If a CVE gets rejected and revoked after we have added it to the database, we will flag is as a duplicate via the field entry_replacedby or as false-positive via the field advisory_falsepositive.

If we Reject a CVE Request

If we are approached as a CNA to assign a CVE and we accept the vulnerability but have to reject the CVE assignment, the entry will be listed in our CNA view for Rejected Items.

We do not revoke nor reject correct vulnerability data.

Do you need the next level of professionalism?

Upgrade your account now!