CVE stands for Common Vulnerabilities and Exposures, a program launched in 1999 by MITRE, a nonprofit that operates research and development centers sponsored by the federal government. The program's purpose is to identify and catalog vulnerabilities in software or firmware into a free “dictionary” that organizations can use to improve their security.
According to the CVE website, a vulnerability is a mistake in software code that provides an attacker with direct access to a system or network. It could allow an attacker to pose as a super-user or system administrator with full access privileges.
An exposure is a mistake that gives an attacker indirect access to a system or network. It could allow an attacker to gather customer information that could be sold.
The dictionary’s main purpose is to standardize the way each known vulnerability or exposure is identified. Standard IDs allow security administrators to access technical information about a specific threat across multiple CVE-compatible information sources.
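To show what that cross-referencing depends on in practice, here is an added example (not code from the CVE program or from MITRE) that normalizes CVE identifiers as they appear in free-form advisory text so that mentions from different sources can be matched on one canonical key. It assumes the standard ID syntax CVE-&lt;year&gt;-&lt;sequence&gt; with a four-digit year and a sequence of at least four digits; the advisory text and the IDs in it are constructed samples, not references to real vulnerabilities.

```python
import re

# Constructed sample advisory text (not a real advisory). The IDs are
# placeholders chosen to exercise the normalizer, not real vulnerability records.
SAMPLE_ADVISORY = """
Fixed in 2.4.1: cve-2014-0001 (heap read), CVE-2021-123456 and
CVE-2017-5678. Also referenced: CVE-99-1234 (malformed) and CVE-2020-123
(sequence too short). Duplicate mention: CVE-2021-123456.
"""

# CVE-<year>-<sequence>: four-digit year, sequence of four or more digits.
# Case-insensitive so that lower-case mentions in vendor text still match.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def normalize_cve_id(cve_id):
    """Return the canonical upper-case form of a CVE ID, or None if it is not valid."""
    m = CVE_RE.fullmatch(cve_id.strip())
    if not m:
        return None
    year, seq = m.groups()
    # The CVE program started in 1999, so no valid ID carries an earlier year.
    if int(year) < 1999:
        return None
    return f"CVE-{year}-{seq}"


def extract_cve_ids(text):
    """Return the unique canonical CVE IDs found in free text, in order of first appearance."""
    found = []
    for m in CVE_RE.finditer(text):
        cid = normalize_cve_id(m.group(0))
        if cid and cid not in found:
            found.append(cid)
    return found


def parse_cve_id(cve_id):
    """Split a CVE ID into its (year, sequence number) components."""
    cid = normalize_cve_id(cve_id)
    if cid is None:
        raise ValueError(f"not a valid CVE ID: {cve_id!r}")
    _, year, seq = cid.split("-")
    return int(year), int(seq)


if __name__ == "__main__":
    print(extract_cve_ids(SAMPLE_ADVISORY))
```

Running the block lists the three well-formed IDs once each and silently drops the malformed mentions, which is the behaviour a tool needs before it looks the IDs up in a CVE-compatible source.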
CVE is sponsored by US-CERT, within the Department of Homeland Security (DHS) Office of Cybersecurity and Information Assurance (OCSIA). MITRE maintains the CVE dictionary and public website. It also manages the CVE Compatibility Program, which promotes the use of standard CVE identifiers by authorized CVE Numbering Authorities (CNAs).
The following questions and answers are adapted from the CVE website and from Kurt Seifried, director at the Distributed Weakness Filing (DWF) project, senior software engineer for Red Hat Product Security and a CVE board member.
Is CVE just another vulnerability database?
No. CVE is designed to allow vulnerability databases and other capabilities to be linked together, and to facilitate the comparison of security tools and services. CVE only contains the standard identifier number with status indicator, a brief description and references to related vulnerability reports and advisories. It does not include risk, impact, fix or detailed technical information. The US National Vulnerability Database...