CVE (Common Vulnerabilities and Exposures)
Summary
CVE is a global system for uniquely identifying each publicly disclosed security vulnerability.
For example, the CVE number assigned to the Heartbleed bug is "CVE-2014-0160". The prefix is always CVE, the middle four digits are the year in which the vulnerability was publicly disclosed, and the final four digits are a sequence number; that is, the Heartbleed bug was the 160th security vulnerability publicly disclosed in 2014.
Flexera has referred to CVE numbers that others assigned to the vulnerabilities they publicly disclosed. However, Flexera would assign a CVE number if and when we publicly disclose a vulnerability.
All cases, issues, incidents, bugs, and release notes that refer to a security vulnerability should include the CVE number of that vulnerability. For example, just saying "this release resolves the security vulnerability in Struts 2" is ambiguous, since there are dozens of security vulnerabilities in Struts 2. Instead, you should say something like "this release resolves the security vulnerabilities CVE-2014-0112 and CVE-2014-0113".
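The ID format and the citation rule above, as an added example (not Flexera's code): it splits a CVE ID into year and sequence number and flags release-note lines that mention a vulnerability without a well-formed ID. The function names, trigger phrases and sample notes are assumptions constructed for illustration; the pattern accepts four or more sequence digits, which the current CVE ID syntax permits.

```python
import re

# CVE-<year>-<sequence>; four or more sequence digits (current CVE ID syntax).
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
# Anything shaped like a CVE reference, used to catch malformed IDs.
CVE_LIKE_RE = re.compile(r"\bCVE[-_ ]?\d+[-_ ]?\d*\b", re.IGNORECASE)
# Wording that marks a line as describing a security fix (assumed phrases).
VULN_RE = re.compile(r"\bvulnerabilit(?:y|ies)\b|\bsecurity (?:fix|issue)",
                     re.IGNORECASE)


def parse_cve(cve_id):
    """Split a CVE ID into (year, sequence number); raise if malformed."""
    m = CVE_RE.fullmatch(cve_id.strip())
    if not m:
        raise ValueError(f"not a well-formed CVE ID: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))


def lint_release_notes(text):
    """Return (sorted valid CVE IDs, findings) for release-note text."""
    ids, findings = set(), []
    for lineno, line in enumerate(text.splitlines(), 1):
        valid = [m.group(0).upper() for m in CVE_RE.finditer(line)]
        ids.update(valid)
        # A CVE-like token that fails the strict pattern is reported as-is.
        for m in CVE_LIKE_RE.finditer(line):
            if not CVE_RE.fullmatch(m.group(0)):
                findings.append((lineno, "malformed-cve", m.group(0)))
        # A vulnerability mention with no valid ID is ambiguous.
        if VULN_RE.search(line) and not valid:
            findings.append((lineno, "missing-cve", line.strip()))
    return sorted(ids), findings


# Constructed sample release notes; two lines reuse the article's wording.
SAMPLE = """\
Release 1.2 (constructed sample)
- This release resolves the security vulnerability in Struts 2.
- This release resolves the security vulnerabilities CVE-2014-0112 and CVE-2014-0113.
- Updated OpenSSL to address CVE-2014-160.
- Improved installer logging.
"""

if __name__ == "__main__":
    cited, problems = lint_release_notes(SAMPLE)
    print("cited:", cited)
    for lineno, kind, detail in problems:
        print(f"line {lineno}: {kind}: {detail}")
```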
The database at http://www.nvd.nist.gov catalogs CVE numbers for all publicly disclosed security vulnerabilities. This database also shows the CVSS scores assigned to each vulnerability. See this knowledge base article for the definition of a CVSS score: CVSS (Common Vulnerability Scoring System).
See http://cve.mitre.org/ for more details.