Common Vulnerabilities and Exposures, often known simply as CVE, is a list of publicly disclosed computer system security flaws. CVE is a public resource that is free to download and use. This list helps IT teams prioritize their security efforts, share information, and proactively address areas of exposure or vulnerability. Doing so makes systems and networks more secure and helps to prevent damaging cyberattacks. A basic understanding of what the CVE Project is and how CVE works can help organizations better take advantage of and contribute to this resource.
The background of CVE
CVE was created in 1999 at a time when most cybersecurity tools used their own databases and their own names for vulnerabilities. Because the available products varied so widely, it was hard to figure out when different databases were referring to the same issue. This led to gaps in security coverage, making it hard to create any good system for interoperability between different databases and tools.
To address these issues, the CVE was developed to provide common, standardized identification. As such, it addressed these underlying concerns and made it possible for IT professionals to share information about vulnerabilities, working together to identify and address those issues. As a result, it’s become the industry standard for identifying vulnerabilities and exposures, and it’s endorsed by the CVE Numbering Authority, CVE Board, and many industry-leading products and services.
At its core, CVE provides reference points so that different products and services can communicate. This leads to interoperability and better security coverage. Further, it creates a basis for evaluating services, tools, and databases.
CVE is maintained by the MITRE Corporation, a non-profit organization that manages federally funded research and development centers supporting U.S. government agencies. MITRE is responsible for maintaining the CVE dictionary and public website. This project is funded by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
Who leads CVE efforts
Much of the success of the CVE Project’s efforts has come from the fact that it has been a collaborative effort by the international cybersecurity community. This has enabled the list to be comprehensive, which, in turn, has led to more people using services and products that are compatible with CVE. The key players making contributions to the CVE are the CVE Numbering Authority, the CVE Board, and the CVE Sponsor.
The CVE Numbering Authority (CNA) assigns CVE identification numbers. CNAs are given a block of CVE numbers to hold in reserve and to assign as issues are discovered. There are generally about 100 CNAs, and this group includes vulnerability researchers; vendors and projects; national and industry CERTs; and bug bounty programs.
The CVE Board is tasked with ensuring that the CVE Program meets the global cybersecurity community’s vulnerability identification needs. It oversees the CVE, provides input about the CVE strategic direction, and advocates on behalf of the CVE. The CVE Board includes cyber-security organizations, commercial security tool vendors, members of academia and research institutions, members of government departments and agencies, and security experts.
The CVE Sponsor is the United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency. CISA is responsible for the funding of the CVE Project.
The basics of CVE in cybersecurity
CVE consists of a list of entries, each of which has an identification number, a description, and a public reference. Each CVE lists a specific vulnerability or exposure. Per the CVE site, a vulnerability is defined as a mistake in software code that gives attackers direct access to a system or network. This type of access allows an attacker to become a super-user or system administrator with full privileges. In contrast, an exposure is a mistake that gives an attacker indirect access to a system or network. This type of access allows an attacker to collect customer information to sell.
Broadly speaking, the CVE Project creates a system for identifying and organizing vulnerabilities and exposures. The first step for creating a CVE listing is identifying a vulnerability or exposure. Next, the vulnerability will be assigned a CVE identification number by the CNA. The CNA then writes a description of the issue and provides references. Finally, the completed CVE entry is added to the CVE list and posted to the CVE website.
CVE offers a single, unique identifier for each specific exposure or vulnerability. It’s worth noting that it’s more like a dictionary than a database. The description for each entry is brief and does not include technical data, information about specific impacts, or information about fixes. Instead, that information is found in other databases, for example, the U.S. National Vulnerability Database (NVD) or CERT/CC Vulnerability Notes Database.
Understanding CVE identifiers
When referring to CVE, people usually refer to a specific identification number. These common identifiers, referred to as CVEs, CVE IDs, or CVE numbers, allow for consistency when discussing or sharing information about specific vulnerabilities. CVE identifiers can be issued by CNAs or directly by MITRE. Thousands of CVE IDs are assigned each year, and a single complex project, like an operating system, can have hundreds of CVEs.
Vulnerabilities or exposures in need of a CVE identifier can be identified by anyone – a researcher, vendor, or even a savvy user. In fact, to encourage the disclosure of flaws, some vendors even offer “bug bounties.” That said, not all flaws are assigned a CVE. To be assigned a CVE ID, the issue must be:
- Independently fixable, meaning that it can be resolved independently of other bugs
- Acknowledged by the software or hardware vendor OR documented with a vulnerability report
- Affecting only one codebase. If a flaw is affecting more than one product, each is given its own CVE ID.
It’s worth noting that a CVE ID is sometimes assigned before a public security advisory is issued, so that information in the CVE list does not itself give cyberattackers a head start. To reduce the risk of attacks once a vulnerability is identified, its details are often kept confidential until a fix has been developed and tested.
Benefits of CVEs
Creating CVEs benefits the cybersecurity community in a number of ways:
- Standardize identification. Because each vulnerability has a unique identifier, cybersecurity professionals have a clear and consistent way to track these issues across tools, platforms, and organizations.
- Better communication. CVEs eliminate the confusion that occurs when people from multiple organizations discuss specific vulnerabilities.
- Improve interoperability. Because CVEs are widely trusted and used worldwide, they support compatibility across tools.
- Support collaboration and information sharing. Users and vendors can work together, simplifying the reporting of vulnerabilities, managing patches, and streamlining updates.
- Encourage proactive security. Organizations can continuously monitor vulnerabilities with access to CVEs and vendors have a clear incentive to disclose and fix issues.
- Evaluate security coverage. CVEs are useful in studying attack patterns and can be integrated with threat intelligence to help organizations become more aware and more prepared.
- Prioritize vulnerabilities. Vulnerabilities can be scored using the Common Vulnerability Scoring System (CVSS), so organizations can focus resources on critical risks first.
- Streamline access to information. With vulnerabilities in a centralized repository, users can search for and find them, reducing the time it takes to get information about threats.
- Support automation. Users can automate scanning for vulnerabilities and managing patches, saving time and effort.
The future of CVEs
The CVE Project is a great resource for all IT organizations to use. It’s especially important for researchers and product developers to utilize CVE entries and to use products and services that are compatible with CVE. Additionally, it’s important to always be looking for vulnerabilities in software and to share any that your organization finds when using open-source software. Further, it’s key to communicate about vulnerabilities internally and externally to help prevent attacks and to efficiently resolve issues.
While CVE entries are a great resource, it’s key to analyze all entries that apply to products your organization uses. Not all issues apply in all situations, and whenever they are applicable, it’s necessary to conduct vulnerability management in order to prioritize risks. The Common Vulnerability Scoring System (CVSS) is a popular way to determine how severe a vulnerability is and, in turn, to prioritize cybersecurity efforts. The CVSS provides open standards to assign a number, or rating, to a vulnerability. These numbers range from 0.0 to 10.0, and the higher the number, the greater the severity. Using the CVSS or a similar system is a central part of vulnerability management and helps to focus cybersecurity efforts effectively.
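The following Python script is an added example, not code from the article or from the CVE Project, that ties together two points made above: the use of CVE IDs as consistent identifiers (the "Understanding CVE identifiers" section) and CVSS-based prioritization of the entries that actually apply to products an organization runs (this section). It assumes the public CVE ID syntax (the prefix `CVE-`, a four-digit year, a hyphen, and a sequence number of at least four digits) and the CVSS v3.x qualitative severity bands (None 0.0, Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0); neither is stated on the page. The entries, product names and scores are constructed placeholders, not real CVE records.

```python
"""Intake and triage of constructed CVE entries by CVSS score (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# CVE ID syntax assumed from the public CVE ID format:
# "CVE-" + four-digit year + "-" + at least four digits.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# CVSS v3.x qualitative rating bands (assumed; lower bound is inclusive).
SEVERITY_BANDS = [
    (9.0, "Critical"),
    (7.0, "High"),
    (4.0, "Medium"),
    (0.1, "Low"),
    (0.0, "None"),
]


@dataclass(frozen=True)
class CveEntry:
    cve_id: str        # canonical identifier, e.g. CVE-0000-0001 (placeholder)
    description: str   # brief text, as in the CVE list itself
    product: str       # affected product, as an organization would record it
    cvss: float        # base score taken from a scoring source such as NVD


def normalize_cve_id(raw: str) -> str:
    """Return the canonical upper-case form of a CVE ID, or raise ValueError."""
    candidate = raw.strip().upper()
    if not CVE_ID_RE.match(candidate):
        raise ValueError(f"not a well-formed CVE ID: {raw!r}")
    return candidate


def severity(score: float) -> str:
    """Map a CVSS base score (0.0-10.0) to its qualitative severity label."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "None"  # not reached: the last band starts at 0.0


def load_entries(rows: Iterable[Tuple[str, str, str, float]]) -> List[CveEntry]:
    """Validate raw (id, description, product, score) rows on intake."""
    entries = []
    for raw_id, description, product, score in rows:
        severity(score)  # raises on an out-of-range score
        entries.append(CveEntry(normalize_cve_id(raw_id), description, product, score))
    return entries


def triage(entries: Iterable[CveEntry], inventory: Set[str]) -> List[CveEntry]:
    """Keep only entries for products in the inventory, most severe first."""
    relevant = [e for e in entries if e.product in inventory]
    return sorted(relevant, key=lambda e: (-e.cvss, e.cve_id))


# Constructed sample data: placeholder IDs, products and scores, not real CVEs.
SAMPLE_ROWS = [
    ("CVE-0000-0001", "placeholder: privilege escalation in example-os", "example-os", 9.8),
    ("cve-0000-0002 ", "placeholder: information disclosure in example-web", "example-web", 5.3),
    ("CVE-0000-0003", "placeholder: denial of service in example-db", "example-db", 7.5),
    ("CVE-0000-0004", "placeholder: minor issue in example-app", "example-app", 3.1),
]
# Products the (hypothetical) organization actually runs; example-app is not deployed.
INVENTORY = {"example-os", "example-web", "example-db"}


def run_example() -> List[Tuple[str, str]]:
    """Return (CVE ID, severity) pairs for applicable entries, most severe first."""
    ranked = triage(load_entries(SAMPLE_ROWS), INVENTORY)
    return [(e.cve_id, severity(e.cvss)) for e in ranked]


if __name__ == "__main__":
    for cve_id, label in run_example():
        print(f"{cve_id}  {label}")
```

The intake step rejects malformed identifiers and out-of-range scores before anything is ranked, which is where inconsistent naming between tools (the problem CVE was created to solve) would otherwise creep back in. Filtering against an inventory implements the point that not every entry applies to every organization; the score only orders what remains.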