CVE is a global system for uniquely identifying each security vulnerability bug disclosed to the public.
For example, the CVE number assigned to the Heartbleed bug is "CVE-2014-0160". The prefix is always CVE, the middle four digits are the year in which the vulnerability was publicly disclosed, and the final four digits is a sequence number; that is, the Heartbleed bug was the 160th security vulnerability publicly disclosed in 2014.
Flexera has referred to CVE numbers assigned by others for the vulnerabilities those others have publicly disclosed. However, Flexera would assign a CVE if/when we publicly disclose a vulnerability.
All cases, issues, incidents, bugs, and release notes created that refer to a security vulnerability should include the CVE number of the vulnerability. For example, just saying "this release resolves the security vulnerability in Struts 2" is ambiguous since there are dozens of security vulnerabilities in Struts 2. Instead, you should say something like "this release resolves the security vulnerabilities CVE-2014-0112 and CVE-2014-0113".