Data Licensing

EEF CNA Content

All original vulnerability metadata authored and published by the EEF CNA is licensed under CC-BY 4.0 (Creative Commons Attribution 4.0 International).

This includes, in particular:

• EEF CNA OSV records
• the CNA container authored by the EEF CNA in CVE JSON records
• related original metadata published by the EEF CNA as part of its advisory process

You are free to share and adapt this material for any purpose, including commercially, as long as you give appropriate credit. See the CC-BY 4.0 legal text for details.

Other CVE Containers

A CVE record may contain ADP (Authorized Data Publisher) containers in addition to the CNA container authored by the EEF CNA.

Those non-EEF containers are not covered by the CC-BY 4.0 license above.

They remain subject to:

• the applicable CVE.org Terms of Use
• the rights and terms of the respective authors or publishers

Where a CVE JSON record contains content from multiple sources, only the content authored by the EEF CNA in the CNA container is licensed under CC-BY 4.0 by the EEF CNA.

Scope Clarification

For clarity:

• EEF-authored OSV records: CC-BY 4.0
• EEF-authored CNA container content in CVE JSON: CC-BY 4.0
• ADP containers: licensed under their respective terms and not relicensed by the EEF CNA

The EEF CNA only applies CC-BY 4.0 to vulnerability data for which it is the author or rights holder.

Questions

If you have questions about the licensing of EEF CNA data, please contact the EEF CNA maintainers.