Does X-Force use CVE candidates, reserved CVE names, or rejected CVE names?
Yes, mostly. To assist our customers in finding valid security issues that have CVE names, X-Force uses all CVE names when we verify an association between a security issue and a CVE name. Here’s how we treat these special CVE names: CVE candidates – These are CVE names that have not yet been approved by the CVE reviewers. If X-Force learns of a valid security issue using a credible CVE candidate name, we will include it in the X-Force database. Reserved CVEs – Vendors and researchers may reserve a CVE name prior to the public disclosure of a security issue. At the time of public disclosure, it may take a few days for the CVE Web site to display the final description of the issue. Rejected CVEs – The CVE project occasionally rejects CVE names. X-Force documents and displays rejected CVE names to provide customers with complete information should they refer to an issue using the rejected CVE name.
