During the late 1990s, security professionals were using information assurance tools in concert with vulnerability scanners to detect and remove vulnerabilities from the systems for which they are responsible.
There’s just one problem – each security vendor has its own database with little to no crossover. Each vendor’s tool generates its own alert for detected vulnerabilities, and these alerts must be manually cross-referenced between the tools to determine if they are separate issues or multiple alerts for the same issue.
This is the scenario which spawned the Common Vulnerability and Exposures, or CVE, List. In January 1999, David E. Mann and Steven M. Christey of The MITRE Corporation published “Towards a Common Enumeration of Vulnerabilities” at a workshop at Purdue University.
In addition to wanting to know if multiple tools had identified the same vulnerability or not, Mann and Christey had a desire to compare the breadth and depth of coverage provided by each tool. To facilitate these needs, their whitepaper proposed creating a unified vulnerability and exposure reference list that could be used across participating assessment/IDS tools: the CVE List.