As of January 1, 2014, MITRE implemented a change in the CVE ID syntax / format. Prior to that, IDs consisted of a year prefix and a four digit identifier. As vulnerability disclosures increased, there was a need for more than 10,000 IDs in a single year. After the change, an ID consisted of a year and a variable number, as many as seven digits in practice, but in theory could be more. The syntax now consists of:
CVE prefix + Year + Arbitrary Digits
In advance of this change, MITRE added several reserved sample CVE IDs explicitly for the purpose of stress-testing organizations that implemented CVE. The idea was to trigger errors in their implementations that would alert organizations that did not see the news of the syntax change. The following IDs were created for that purpose:
CVE-2014-9999
CVE-2014-99999
CVE-2014-999999
CVE-2014-54321
CVE-2014-456132
CVE-2014-123456
CVE-2014-10000
CVE-2014-100000
RBS adapted to the CVE ID change at the time and is compatible with CVE IDs of any format in the VulnDB product.
We are here to help! If you still have questions, you can submit a ticket from within the knowledge base or by emailing support@riskbasedsecurity.com.