What Is A CVE?

This is the sixth entry in a series of cybersecurity themed articles; stay tuned for more if you’re enjoying this content!

In the world of technology, things change FAST. As vulnerabilities in software are discovered, that software's user base needs to be notified of the issue and given enough information to take action to mitigate it, if possible and/or necessary. This information is typically presented as a Common Vulnerabilities and Exposures (CVE) entry on MITRE's CVE website.

The CVE concept was not a new idea at its inception, but it was a novel use of such data: it aimed to create a public list of known vulnerabilities and exposures that could be read by anyone and used to keep the internet as secure as possible. The list can be used to link together vulnerability databases and other capabilities, which makes it possible to compare security tools and services by the CVE IDs they cover. The program is administered by the MITRE corporation and sponsored by the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).

Though a CVE entry contains a brief description of the issue and references to related vulnerability reports, it does not contain data such as risk, impact, a suggested fix, or detailed technical information about the vulnerability. That data is typically stored in a different list, the National Vulnerability Database (NVD), and the CVE entry links to the corresponding NVD entry. Using the CVE ID for a particular issue, a company can quickly find links to the various security tools and services that may offer different methods for mitigating the vulnerability, evaluate them all, and pick whichever is best for its use case.
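As an added example that is not part of the original article, here is a small Python helper that pulls CVE IDs out of advisory text, checks them against the CVE ID syntax (CVE-YYYY-NNNN, with a sequence number of four or more digits) and builds the links to the CVE record and to the corresponding NVD entry. The sample advisory and its CVE numbers are constructed placeholders, not real CVEs.

```python
import re
from typing import List, NamedTuple

# CVE ID syntax: "CVE-" + four-digit year + "-" + sequence number of at least
# four digits (arbitrary length since the 2014 syntax change).
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


class CveRef(NamedTuple):
    cve_id: str   # normalized, upper-case ID
    year: int     # year the ID was assigned or reserved, not necessarily the discovery year
    cve_url: str  # CVE Program record: brief description plus references
    nvd_url: str  # NVD entry: scoring, affected products, detailed analysis


def is_valid_cve_id(text: str) -> bool:
    """True if the whole string is a well-formed CVE ID (case-insensitive)."""
    return CVE_ID_RE.fullmatch(text.strip()) is not None


def parse_cve_id(text: str) -> CveRef:
    """Validate a single CVE ID and build the record URLs the article describes."""
    m = CVE_ID_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a well-formed CVE ID: {text!r}")
    year, seq = m.group(1), m.group(2)
    cve_id = f"CVE-{year}-{seq}"
    return CveRef(
        cve_id=cve_id,
        year=int(year),
        cve_url=f"https://www.cve.org/CVERecord?id={cve_id}",
        nvd_url=f"https://nvd.nist.gov/vuln/detail/{cve_id}",
    )


def extract_cve_ids(text: str) -> List[CveRef]:
    """Collect every well-formed CVE ID in free text, de-duplicated, in order of first appearance."""
    seen, refs = set(), []
    for m in CVE_ID_RE.finditer(text):
        ref = parse_cve_id(m.group(0))
        if ref.cve_id not in seen:
            seen.add(ref.cve_id)
            refs.append(ref)
    return refs


# Constructed sample advisory; the IDs are placeholders, not real CVEs.
SAMPLE_ADVISORY = """
Vendor advisory: upgrade to 4.2.1 to address cve-2099-12345 (remote code
execution) and CVE-2099-0042 (information disclosure). The ID CVE-2099-123
is a typo and is ignored; CVE-2099-12345 is listed twice on purpose.
"""
```

Running `extract_cve_ids(SAMPLE_ADVISORY)` yields two references (the lowercase ID is normalized, the three-digit ID is rejected, the repeat is dropped), each carrying the CVE record URL and the NVD URL to follow for scoring and mitigation details.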

The next time you read about a security vulnerability, why not search for that vulnerability’s associated CVE and see for yourself how the process works?

Stay safe out there!
