Cybersecurity defense specialists need to agree on their terminology so they can collaborate to combat threats. We need to speak the same language. This is why we need the CVE database.
CVE stands for Common Vulnerabilities and Exposures. This is a publicly available glossary of known computer security vulnerabilities and system flaws that can be used to hack devices, systems or programs. Each entry includes CVE details – a unique serial ID number, a brief description, and at least one public reference. They can be accessed through the CVE website.
CVE Numbering Authorities (CNA) are organizations that assign CVE IDs to vulnerabilities. There are about 100 CNAs that include IT corporations, research institutions, security organizations, etc. The whole process is overseen by a non-profit CNA called Mitre Corporation, which manages government-funded research and development centres. Mitre is sponsored by the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA).
Any entity can identify a CVE vulnerability, but it must report it to a CNA as only the latter can assign it a CVE identifier. After receiving a vulnerability report, a CNA evaluates it, assigns an ID number and lists it as a CVE. The list only includes solved security issues to prevent hackers from using it to find new loopholes to exploit.
Once an entry is listed, the National Vulnerability Database (NVD) evaluates its severity and assigns it a severity index – a CVE Severity Analysis or CVSS score. This indicates how severe a CVE is on a scale from 0 to 10. The evaluation considers the complexity of the attack, the difficulty of the solution, the systems affected, etc. You can access the list on the NVD’s website.
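As an added example (not code from the original article or from the CVE program), the following Python triage helper applies the structure described above: it checks that each entry carries a well-formed CVE ID, a description and at least one public reference, maps the 0–10 CVSS score to a qualitative rating, and orders well-formed entries by severity. The ID syntax, the rating bands and the year bounds are assumptions stated in the comments; the sample records are constructed, not real CVE entries.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
# Assumed CVE ID syntax: "CVE-" + four-digit year + "-" + sequence of four or more digits.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
# Assumed qualitative bands for a 0-10 base score, as (lower bound, label).
SEVERITY_BANDS = [(0.0, "None"), (0.1, "Low"), (4.0, "Medium"), (7.0, "High"), (9.0, "Critical")]

@dataclass
class CveRecord:
    cve_id: str
    description: str
    references: List[str] = field(default_factory=list)
    cvss_score: Optional[float] = None  # None: the NVD has not scored the entry yet

def is_valid_cve_id(cve_id: str) -> bool:
    """True if the ID follows CVE-YYYY-NNNN(N...) and the year is plausible (assumed 1999-2100)."""
    m = CVE_ID_RE.match(cve_id)
    return bool(m) and 1999 <= int(m.group(1)) <= 2100

def severity_rating(score: Optional[float]) -> str:
    """Map a CVSS base score (0-10) to its qualitative rating; unscored entries stay 'Unscored'."""
    if score is None:
        return "Unscored"
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    return [label for lower, label in SEVERITY_BANDS if score >= lower][-1]

def record_problems(rec: CveRecord) -> List[str]:
    """List what is missing from the minimum an entry must carry: ID, description, one reference."""
    checks = [
        (is_valid_cve_id(rec.cve_id), "malformed CVE ID"),
        (bool(rec.description.strip()), "missing description"),
        (bool(rec.references), "no public reference"),
    ]
    return [msg for ok, msg in checks if not ok]

def triage(records: List[CveRecord]) -> List[Tuple[str, str]]:
    """(cve_id, rating) for well-formed entries, most severe first, so patching can be prioritised."""
    good = [r for r in records if not record_problems(r)]
    good.sort(key=lambda r: r.cvss_score if r.cvss_score is not None else -1.0, reverse=True)
    return [(r.cve_id, severity_rating(r.cvss_score)) for r in good]

# Constructed sample entries (not real CVE records) exercising each check.
SAMPLE_RECORDS = [
    CveRecord("CVE-2023-123456", "Buffer overflow in example daemon", ["https://example.invalid/adv-1"], 9.8),
    CveRecord("CVE-2022-0042", "Information leak in example library", ["https://example.invalid/adv-2"], 5.3),
    CveRecord("CVE-2024-0007", "Pending NVD analysis", ["https://example.invalid/adv-3"]),
    CveRecord("CVE-2023-12", "Malformed ID: sequence too short", ["https://example.invalid/adv-4"], 7.5),
]
```

Unscored entries are kept in the output rather than dropped, since an entry awaiting NVD analysis is still a listed vulnerability that may need attention.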
CVE entries can have different statuses:
CNAs constantly update the CVE list, as new vulnerabilities emerge daily. Even so, there are probably still unreported risks, or ones that appear only in other lists.