What is a CVE?
CVE (Common Vulnerabilities and Exposures) is a freely available list of vulnerabilities that have been assigned a CVE ID. However, over time, CVE has also become the generic term used for the vulnerabilities on this list and that is the version of CVE discussed here ...
A CVE (always written in capitals) is a fix for vulnerabilities that occur in (some) software and hardware when it is released and/or updated.
CVEs are lodged (online) by people who have infiltrated the defences of software and hardware and found flaws that need to be patched, so as to make software and hardware secure.
CVEs are lodged with the National Cybersecurity FFRDC (NCF), which is operated by MITRE Corporation (MITRE has been publishing CVEs since 1999). The NCF makes the CVEs publicly available and distributes the information to other organisations (for free).
When a CVE is published it receives a 'CVE Identifier' (CVE ID) e.g. CVE-2019-10766. CVEs vary in severity and are given a CVSS (Common Vulnerability Scoring System) rating, based on a formula that approximates ease of exploit and the impact of exploit. Ratings range from 0-10, with 10 being the most severe (CVE-2019-10766 is rated 'critical' - 9.8).
Over 16,500 CVEs were lodged in 2018 and 15,000+ are projected for 2019. Keeping programs and networks up to date is essential to your cyber security. Vendors big and small release patches (Microsoft's Patch Tuesday occurs each month) but these releases can be delayed and it means you need to keep across 'update' notifications.
SecAlerts gives you peace of mind by informing you of patches - CVEs - as soon as they have been published, avoiding any delays. Enter your software stack and receive a free weekly report with a round-up of CVEs (& security news) unique to your stack: www.secalerts.co
Other terms concisely explained:
What is a CVE ID?
What is a vulnerability?
What is a CVSS?
What is a CNA?
What is a zero-day?
What is a bug bounty program?
What is CVE?
What is a Candidate Naming Authority?