Red Hot Cyber


What are Common Vulnerabilities and Exposures (CVE)?

Redazione RHC : 22 July 2025 19:12

Vulnerability management is the primary goal of computer security, and CVE helps the specialists working toward that goal, who are an integral part of the information security community.

If you’re a reader of RHC, you’ve probably heard this acronym before, but what does it mean specifically?

In this article, we’ll examine the definition and history of CVE and how this indicator is used by cybercriminals and ethical hackers.

What is CVE?

The abbreviation CVE stands for Common Vulnerabilities and Exposures and is a database of commonly known information security vulnerabilities. The system is actively supported by the Federally Funded Research and Development Centers (FFRDCs) operated by the MITRE Corporation.

Because MITRE is a nonprofit organization, CVE is funded by the National Cyber Security Division (NCSD) of the United States of America.

The difference between vulnerabilities and exposures.

Vulnerabilities are system flaws that create weak points within a computer infrastructure that can be exploited by an attacker.

Vulnerabilities can arise from anything from unpatched software to an unprotected USB port. A vulnerability could allow a malicious user to:

  • access system memory;
  • install malware;
  • execute malicious code;
  • steal, destroy or modify confidential data.

A single simple mistake can open an organization to a cyberattack. The consequences include the theft of sensitive data, which is then sold on the dark web.

Most cyber incidents are caused by security bugs and subsequent exploits that become public.

History of the CVE system.

The original concept of the CVE database originated in a 1999 white paper titled “Towards a Common Enumeration of Vulnerabilities”, written by Steven M. Christey and David E. Mann of the MITRE Corporation.

Christey and Mann assembled a working group of 19 specialists and compiled an initial CVE list of 321 entries.

In September 1999, the registry became publicly available. After the CVE launch in 1999, several information security companies added themselves to the vulnerability list. By December 2000, 29 organizations were participating in the initiative with 43 security bugs.

CVE was used as the starting point for the NIST National Vulnerability Database (NVD).

CVE expands with each organization that joins MITRE as a contributor. A complete list of partners can be found on CVE.org.

How are CVEs determined?

All CVEs are security flaws, but not all flaws are CVEs.

A flaw is assigned a CVE when it meets three criteria. Specifically:

  • The flaw can be fixed separately from any other bugs;
  • The software vendor has acknowledged and documented the vulnerability as harmful to user security;
  • The bug affects a single code base. Flaws that affect multiple products are assigned multiple CVEs.

What are CNAs

Aside from MITRE, CVE identifiers can also be “baptized” (assigned) by other entities called CVE Numbering Authorities (CNAs).

Each CVE vulnerability is assigned a number (CVE Identifier or CVE ID) by one of the 222 (currently) CVE Numbering Authorities (CNAs) in 34 countries.

According to MITRE, CNAs are represented by organizations ranging from software vendors and open source projects to bug-hunting service providers and research groups.

All of these organizations have the right to assign CVE identifiers and publish their records as part of the CVE program. Over the years, companies from various industries have joined the CNA program. The entry requirements are minimal and do not require a contract or a monetary contribution.

The international standard format for CVE identifiers is CVE-xxxx-yyyyy, where [xxxx] is the year the vulnerability was discovered and [yyyyy] is the serial number assigned by the respective CNA.
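The identifier format above is simple enough to validate and extract mechanically, which is what a defender does when pulling CVE references out of a vendor bulletin, a ticket or a scanner log before looking them up in NVD. The following is an added example written for this article, not code from Red Hot Cyber or from the CVE program. It assumes the format as the article states it (a four-digit year and a serial number of at least four digits, the longer serial numbers having been allowed since MITRE dropped the fixed four-digit limit in 2014); the function names and the sample bulletin text are constructed for illustration, and the CVE numbers in it are placeholders rather than real entries.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# CVE-<year>-<serial>: four-digit year, serial of four or more digits.
# Word boundaries stop partial matches such as "CVE-2025-0002x".
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# The CVE program started in 1999, so no valid identifier carries an earlier year.
FIRST_CVE_YEAR = 1999


@dataclass(frozen=True)
class CveId:
    year: int
    serial: int

    def __str__(self) -> str:
        # Canonical form: upper-case prefix, serial zero-padded to at least 4 digits
        # (longer serials are printed in full, e.g. CVE-2025-1234567).
        return f"CVE-{self.year}-{self.serial:04d}"


def parse_cve_id(text: str) -> CveId:
    """Parse one identifier such as 'cve-2025-0001'; raise ValueError if malformed."""
    m = CVE_ID_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a CVE identifier: {text!r}")
    year, serial = int(m.group(1)), int(m.group(2))
    if year < FIRST_CVE_YEAR:
        raise ValueError(f"year {year} predates the CVE program: {text!r}")
    return CveId(year, serial)


def extract_cve_ids(text: str) -> list[str]:
    """Return every identifier found in free text, canonicalised and de-duplicated,
    in order of first appearance. Malformed references are silently skipped."""
    found: dict[str, None] = {}
    for m in CVE_ID_RE.finditer(text):
        try:
            cid = parse_cve_id(m.group(0))
        except ValueError:
            continue
        found.setdefault(str(cid), None)
    return list(found)


def count_by_year(ids: list[str]) -> dict[int, int]:
    """Group canonical identifiers by the year embedded in them."""
    return dict(Counter(parse_cve_id(i).year for i in ids))


# Constructed sample bulletin (hypothetical identifiers, not real CVE entries).
SAMPLE_BULLETIN = (
    "[constructed sample] Vendor bulletin: fixes cve-2025-0001 and CVE-2025-12345 "
    "in the parser component; CVE-1999-0001 is noted for legacy builds; "
    "CVE-2025-0001 is listed again in the appendix. Malformed references that "
    "must be ignored: CVE-25-1234, CVE-2025-123, CVE-2025-0002x."
)

if __name__ == "__main__":
    ids = extract_cve_ids(SAMPLE_BULLETIN)
    print(ids)                 # ['CVE-2025-0001', 'CVE-2025-12345', 'CVE-1999-0001']
    print(count_by_year(ids))  # {2025: 2, 1999: 1}
```

Canonicalising the identifier (upper-case prefix, integer serial) before de-duplication matters in practice: the same CVE written as `cve-2025-0001` in one source and `CVE-2025-0001` in another is one flaw to track, not two, and a lookup against NVD or a vendor feed expects the canonical spelling.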

How many CVEs are there?

Thousands of new vulnerabilities have been published every year since the program was founded in 1999.

At the time of writing, there are already 178,569 entries on the CVE list. This averages 7,763 vulnerabilities and exposures per year.

Of the more than 178,000 CVEs, more than half are owned by the top 50 software vendors worldwide. For example, Microsoft and Oracle have reported over 6,000 flaws in their products.

Why is the CVE program important?

The CVE database was created to facilitate the exchange of information about known vulnerabilities between organizations.

CVE identifiers allow information security professionals to easily find information about a flaw in multiple authoritative sources using the same vulnerability identifier.

Furthermore, CVE provides a solid foundation for a company to understand the need to invest in increased security. An organization can quickly obtain accurate information about a particular exploit from multiple certified sources, allowing it to properly prioritize remediation.

Can cybercriminals use CVE?

Once a vulnerability becomes public, a cybercriminal has plenty of time to exploit it for malicious purposes. An attacker can exploit a bug before it is fixed by the software vendor.

Sharing information within the cybersecurity community is a reliable way to reduce the number of cyberattacks and introduce new cybersecurity solutions.

CVE is a necessary element in the journey to improving products and maintaining the protection of users and global businesses and is based on ethics and transparency.

If you have a 0-day, always think about it.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
