CVE (Common Vulnerabilities and Exposures) is a catalogue of publicly disclosed information security vulnerabilities and exposures. Each entry in the database carries an identification number, a description, and public references.
It was launched in 1999, when each cybersecurity tool used its own database and its own names for vulnerabilities, which created a need for interoperability between different security solutions. CVE has since been widely adopted by cybersecurity tools and services, including patch management solutions.
The CVE System
The CVE List is a database of known cybersecurity vulnerabilities. It provides a standardized way to name them and makes it easier for people to use and compare vulnerability information and to assess their systems against it. It is maintained by the MITRE Corporation, a nonprofit that operates government-sponsored research and development centers, with support from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency.
CVE was created in 1999 to link vulnerability databases and tools and to provide a standard way to identify known vulnerabilities. Its centralized repository is used by vendors, end users, and researchers to track and monitor vulnerabilities over time.
When a new vulnerability is discovered, it is reported to a CVE Numbering Authority (CNA) for inclusion in the CVE List. There are 240 CNAs worldwide, including software vendors, open-source projects, coordination centers, bug bounty service providers, and research groups. All CNAs are part of the broader community that contributes, assigns, and publishes CVE IDs.
The CVE Numbering Authority
CVE numbers are a standard way to name security vulnerabilities. The system makes it easier for people to discuss a vulnerability because it has one common name. CVE IDs are also used in tools such as QualysGuard, so that you can scan your environment for the vulnerabilities they identify.
A vulnerability is a software weakness that could let someone access data or perform actions they should not be able to. Such weaknesses can lead to unauthorized access, data breaches, and other severe threats.
The US Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency, and the MITRE Corporation, a nonprofit corporation that runs federally supported research and development institutes, sponsor the CVE program. The program is governed by a CVE Board that oversees its policies, procedures, and infrastructure. CVE assigns IDs to new vulnerabilities through a community of CVE Numbering Authorities (CNAs). These include major IT vendors, open-source projects and coordination centers, software vulnerability researchers, and bug bounty service providers.
The CVE Board
The CVE Project is led by a 19-member CVE Board and six CVE Working Groups. Board members include:
- Cybersecurity tool vendors.
- Research organizations.
- Public security agencies.
- Industry and government stakeholders.
- Individuals (white-hat hackers) who submit vulnerabilities to the list.
The Board and Working Groups provide critical input on data sources, product coverage, operating structure, and strategic direction for the program. The CVE Board also reviews submissions from the community and determines whether or not to publish a vulnerability.
While CVE focuses on pinpointing vulnerabilities and providing unique identifiers that help IT professionals manage them across environments, CWE identifies the root causes of software weaknesses — including design flaws and implementation oversights.
There is growing agreement among cybersecurity experts that sharing information about vulnerabilities reduces attack vectors, helping to mitigate many cyber attacks. For instance, experts believe the WannaCry ransomware would have had much less impact if the EternalBlue vulnerability it exploited had been publicly shared.
The CVE Community
In a world of constant cyber attacks, it is critical to practice vulnerability management: identifying, classifying, prioritizing, mitigating, and patching vulnerabilities. Unmanaged vulnerabilities can lead to data breaches, loss of revenue, and brand damage.
The CVE List and associated scoring systems such as CVSS are valuable tools for this practice. However, the system is only effective when organizations stay current with CVE announcements. A great way to do this is to follow US-CERT's CVE announcements page, which lists the latest releases ordered by severity.
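As an added example (not code from the original article or from the CVE program), the following Python ties the pieces above together: it checks CVE ID syntax, maps CVSS v3.x base scores to their qualitative severity ratings, and orders a set of records highest severity first, the way a prioritization pass would. The record fields and the sample entries are constructed for illustration.

```python
import re
from dataclasses import dataclass

# CVE ID syntax: "CVE-" + four-digit year + sequence number of four or more digits.
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")

def is_valid_cve_id(cve_id: str) -> bool:
    """True if the string is a well-formed CVE ID with a plausible year (1999 or later)."""
    m = CVE_ID_RE.fullmatch(cve_id)
    return m is not None and int(m.group(1)) >= 1999

def extract_cve_ids(text: str) -> list[str]:
    """Pull every well-formed CVE ID out of free text such as a vendor advisory."""
    return [m.group(0) for m in CVE_ID_RE.finditer(text) if is_valid_cve_id(m.group(0))]

def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

@dataclass(frozen=True)
class CveRecord:
    cve_id: str             # identification number
    description: str        # description
    cvss_base_score: float  # CVSS v3.x base score attached to the record (assumed field)

def prioritize(records: list[CveRecord]) -> list[tuple[str, str, float]]:
    """Discard malformed IDs, then order the remaining entries highest score first."""
    valid = [r for r in records if is_valid_cve_id(r.cve_id)]
    ranked = sorted(valid, key=lambda r: r.cvss_base_score, reverse=True)
    return [(r.cve_id, cvss_severity(r.cvss_base_score), r.cvss_base_score) for r in ranked]

# Constructed sample records for illustration (not real CVE entries); the third ID is malformed.
SAMPLE_RECORDS = [
    CveRecord("CVE-2024-0001", "constructed: auth bypass in an example service", 9.8),
    CveRecord("CVE-2023-12345", "constructed: info leak in an example library", 5.3),
    CveRecord("CVE-24-7", "constructed: malformed identifier", 7.5),
    CveRecord("CVE-2022-4444", "constructed: DoS in an example daemon", 7.5),
]
```

Calling `prioritize(SAMPLE_RECORDS)` drops the malformed entry and returns the rest as (ID, rating, score) tuples, Critical first.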
There is growing agreement in the infosec community that sharing information is good, with many organizations participating in the CVE Board and as CNAs. However, some believe that CVE programming is a mechanism for surveillance and discrimination, particularly against diaspora communities. For example, if someone professes that the United States is at war with Islam, they could be considered criminal and detained (German). This approach stigmatizes and alienates these communities and sows distrust of law enforcement.