Assignment of CVE IDs with 5 or more digits by January 13, 2015

["Steven M. Christey" <coley () mitre org>]

Based on recent discussion on oss-security and general interest, I thought 
it was important to clarify what is currently planned for issuing 5-digit 
CVE IDs by the dealine of January 13, 2015.

Currently, CVE-2014-9509 is our last allocated ID from 2014.  During 2015, 
we will continue to issue CVE-2014-xxxx IDs for other issues that were 
disclosed in 2014, but it is highly unlikely that we will cross the 
5-digit threshold by January 13.

We will still issue at least one valid 5-digit CVE-2014-xxxxx ID, and 
probably more, on January 13.  This is a one-time exception to our usual 
sequential allocation process.  We are doing this as a final "test" to 
ensure that CVE-using implementations can handle the syntax change.

We might also issue CVE IDs with more than 5 digits, since it is highly 
likely that some implementations will make a 5-digit assumption, even 
though an arbitrary number of digits is allowed by the syntax change, 
which went into effect more than a year ago.


Steve Christey Coley
CVE Editor