Glossary: CVE


What is CVE?

CVE, which stands for Common Vulnerabilities and Exposures, is an encyclopedia of  unique, publicly known security vulnerabilities and exposures maintained by the MITRE Corporation. The database, which was launched in 1999, is free and available for public use. In the CVE, a vulnerability is a mistake in the software which could be used by a hacker to infiltrate the application or network, while an exposure is a mistake that could be used as part of the process to accessing an app or network.

What Does CVE Do?

The goal of CVE is to give a standardized identifier for each vulnerability or exposure that has been disclosed publicly, allowing organizations to keep a close eye on security issues in their own applications. In addition to the use of the information to keep software free of known vulnerabilities, organizations are also able to use the database as a baseline to test security tools against the CVE.

When CVE was initiated, each security tools used their own vulnerability and exposure identifiers, making it impossible to test security tools against each other and making it hard to determine an organization's security posture, since each tool they used gave them different results. Using CVE identifiers in a testing environment enables smooth data exchange between developers and security product groups, and offers a baseline that can be used to evaluate testing tools and services that are concerned with application security.

CVE is used to provide a database of vulnerability management products and services that can be accessed to improve the overall security of deployment environments. It also provides a comprehensive listing of patch management products and services offered to developers and security and IT admins in order to help them keep their development and deployment platforms up to date and thus better protected against threats from vulnerabilities in those platforms.

CVE also offers a comprehensive list of data/event correlation services that alert you in the instance of new vulnerabilities being identified, yet there is some overlap with this list and the previous lists. Finally, there’s a good resource for identifying intrusion detection products and services on the CVE project website.

There is also support for the National Institute of Standards and Technology (NIST) security content automation protocol, designed to deliver inter-operable specifications for automated security testing.

CVE identifiers allow for the easy classification of vulnerabilities, which are given full descriptions that can be used to determine whether a specific vulnerability or exposure

Skip to content