EPSS stands for Exploit Prediction Scoring System. It is a probabilistic model that assigns each vulnerability (typically identified by a CVE) a probability of being exploited in the wild within the next 30 days.
The purpose of EPSS is to complement other evaluation systems (such as CVSS) by adding a dynamic and contextual layer based on real-world exploitation data. This helps organizations better prioritize their remediation efforts according to actual risk.
#EPSS #CVSS

The CVSS (Common Vulnerability Scoring System) measures the severity of a vulnerability by assigning it a score from 0 to 10, where 10 represents an extremely critical flaw. It is designed to provide a standardized and objective evaluation of vulnerabilities so that organizations can compare and prioritize them accordingly.
This score takes into account several aspects: ease of exploitation, potential effects on confidentiality, integrity and availability, as well as the conditions required to carry out the attack. In summary, CVSS helps quantify the inherent danger level of a security flaw.
#CVE #CVSS

CISA (Cybersecurity and Infrastructure Security Agency) is a U.S. government agency. It is responsible for protecting the critical infrastructure of the United States against cyber and physical threats, by providing support, tools, and recommendations to administrations, businesses, and the public.
In the cybersecurity field, CISA acts as a coordination center to prevent cyberattacks, respond to incidents, share threat information, and promote best security practices. Although based in the U.S., its role and resources influence cybersecurity practices worldwide, thanks to its transparency and leadership.
#CISA

CISA plays a central role in managing vulnerabilities on a large scale. It identifies, evaluates, and actively communicates about security flaws that could impact critical infrastructure, including government services, essential service operators, and large enterprises. It often collaborates with MITRE, software vendors, security researchers, and other international agencies.
Among its responsibilities, it publishes security bulletins, coordinates responses to major vulnerabilities, and sometimes mandates remediation deadlines for certain flaws in public entities through Binding Operational Directives (BODs). Its goal is to reduce the time between the discovery of a vulnerability and its effective mitigation in the field.
#CISA

A CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to a known vulnerability in an information system, software, or hardware. It allows a flaw to be named and tracked precisely, even when addressed by different vendors, tools, or databases. Each CVE follows the format CVE-year-number, such as CVE-2023-12345.
The purpose of CVEs is to standardize communication about security flaws: instead of using inconsistent descriptions, all stakeholders can refer to the same identifier. This makes coordination easier between researchers, software vendors, security teams, and solution providers.
#CVE

The CWE Top 25 is an annual list of the 25 most dangerous software security weaknesses. It is compiled by MITRE based on public data from the NVD (National Vulnerability Database) and other sources, by analyzing the frequency and impact of weaknesses linked to real CVEs.
This ranking is valuable for developers and security teams, as it highlights the most common and critical errors, such as injections, buffer overflows, or authentication issues. By focusing on these priority weaknesses, organizations can quickly improve their security posture, even with limited resources.
#CWE #MITRE

A CWE (Common Weakness Enumeration) is a standardized classification of weaknesses that can lead to vulnerabilities in software, firmware, or systems. Unlike CVEs, which refer to specific and documented vulnerabilities in a given product, CWEs describe types of design or programming flaws that can compromise a system’s security.
For example, a CWE might describe poor memory management, command injection, or insufficient input validation. These weaknesses can be found in multiple software products and may be linked to individual CVEs when exploited in real scenarios.
#CWE

A zero-day vulnerability is a security flaw that is not yet known to the public or the software vendor. It is called 'zero-day' because the developers have had zero days to fix it at the time of discovery or exploitation. In other words, no protection or patch exists when the attack occurs.
These vulnerabilities can affect any component: operating systems, software, hardware, firmware, or web services. When identified by malicious actors before defenders, they pose a critical risk as they can be exploited silently and without immediate defense.
#Zero-day

The CVSS scale ranges from 0.0 to 10.0, and each range is associated with a severity level:
This classification allows organizations to filter vulnerabilities by severity, but it does not consider the specific context of each company. That’s why other criteria, such as active exploitation or the affected assets, should be included in the evaluation.
#CVE #CVSS

CAPEC and CWE are two complementary databases maintained by MITRE, but they serve different purposes. CWE describes technical weaknesses in code or design (e.g., lack of input validation), while CAPEC describes attack methods that exploit these weaknesses (e.g., SQL injection).
In other words, CWE focuses on the cause, while CAPEC focuses on the attacker's action. The two can be linked: a CAPEC entry often specifies which CWE it targets, allowing the connection between the theoretical vulnerability, its practical exploitation, and the associated CVEs.
#CAPEC #CWE #MITRE

A CVE (Common Vulnerabilities and Exposures) is a security flaw that has been publicly identified, documented, and published in an official database. It is known and, in most cases, a patch is available or in progress. A zero-day, on the other hand, is a flaw that has not yet been disclosed, and therefore is not listed as a CVE at the time of discovery.
In short, every zero-day can become a CVE, but not all CVEs are zero-days. The main risk with zero-days is that they are exploitable before any public awareness, whereas CVEs are typically already under analysis or remediation.
#Zero-day #CVE

A CVE is simply a public declaration that a flaw exists in a given product, whereas an exploited vulnerability means that an attacker is actively using that flaw to compromise systems. In other words, not all CVEs are exploited in real-world conditions: some may remain theoretical or purely technical.
Conversely, a vulnerability can be exploited without yet having received a CVE; this is known as a zero-day. To assess the real danger of a CVE, one should consult additional information such as CISA’s Known Exploited Vulnerabilities (KEV) catalog or the EPSS score, which indicate whether the flaw is actively used in cyberattacks. This information is available directly on our CVE Find website.
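As an added example (not code from the CVE Find page), the Python prioritizer below applies the reasoning in the entries above and in the CVSS severity-scale entry: it validates the CVE-year-number format, maps a CVSS score to its qualitative severity band, and then ranks vulnerabilities by KEV membership first, EPSS probability second, and CVSS severity last. The severity bands are taken from the CVSS v3.x specification rather than from this page, the EPSS threshold of 0.10 is an illustrative policy choice, and the four vulnerability records are constructed sample data, not real scores or KEV entries.

```python
import re
from dataclasses import dataclass

# CVE identifiers have the form CVE-<4-digit year>-<sequence of at least 4 digits>.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve_id(cve_id: str) -> tuple[int, int]:
    """Return (year, sequence) for a well-formed CVE ID; raise ValueError otherwise."""
    m = CVE_ID_RE.match(cve_id)
    if m is None:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))


def cvss_severity(score: float) -> str:
    """Map a CVSS score to its qualitative severity rating.

    Assumption: bands follow the CVSS v3.x specification (None 0.0, Low 0.1-3.9,
    Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0), not the page itself.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass(frozen=True)
class Vuln:
    cve_id: str
    cvss: float    # CVSS base score, 0.0-10.0
    epss: float    # EPSS probability of exploitation in the next 30 days, 0.0-1.0
    in_kev: bool   # listed in CISA's Known Exploited Vulnerabilities catalog

# Illustrative threshold: a local policy choice, not an EPSS standard.
EPSS_HIGH = 0.10


def priority(v: Vuln) -> tuple[int, str]:
    """Return (tier, reason); tier 1 is the most urgent."""
    parse_cve_id(v.cve_id)  # reject malformed identifiers before scoring
    if v.in_kev:
        return 1, "listed in CISA KEV: exploitation confirmed in the wild"
    if v.epss >= EPSS_HIGH:
        return 2, f"EPSS {v.epss:.2f} >= {EPSS_HIGH}: exploitation likely within 30 days"
    if v.cvss >= 7.0:
        return 3, f"CVSS {v.cvss} ({cvss_severity(v.cvss)}) but no exploitation evidence"
    return 4, f"CVSS {v.cvss} ({cvss_severity(v.cvss)}), EPSS {v.epss:.3f}: routine patching"


def rank(vulns: list[Vuln]) -> list[str]:
    """Order CVE IDs by tier, then by EPSS, then by CVSS (most urgent first)."""
    ordered = sorted(vulns, key=lambda v: (priority(v)[0], -v.epss, -v.cvss))
    return [v.cve_id for v in ordered]


# Constructed sample records: scores and KEV flags are made up for this demo.
SAMPLE_VULNS = [
    Vuln("CVE-2023-00001", cvss=9.8, epss=0.02, in_kev=False),   # critical, but no evidence of use
    Vuln("CVE-2023-00002", cvss=6.5, epss=0.85, in_kev=True),    # medium CVSS, actively exploited
    Vuln("CVE-2023-00003", cvss=7.5, epss=0.40, in_kev=False),   # high EPSS, not (yet) in KEV
    Vuln("CVE-2023-00004", cvss=3.1, epss=0.001, in_kev=False),  # low on every axis
]

if __name__ == "__main__":
    by_id = {v.cve_id: v for v in SAMPLE_VULNS}
    for cve_id in rank(SAMPLE_VULNS):
        tier, reason = priority(by_id[cve_id])
        print(f"tier {tier}  {cve_id}  {reason}")
```

The point the ordering makes is the one the entries above make in prose: the CVSS 9.8 record lands below a CVSS 6.5 record that is in KEV and below a 7.5 record with a high EPSS score, because confirmed or predicted exploitation outranks inherent severity when deciding what to patch first.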
#CVE #CISA #KEV #Zero-day

CVSS is divided into three sub-scores:
By combining these three layers, the CVSS model becomes a more flexible tool for refining remediation priorities based on real-world conditions.
#CVE #CVSS

The official source of the CAPEC database is the MITRE website. This portal allows users to explore all the attack patterns, categorized by type, complexity, target, or level of sophistication. Each entry is accompanied by precise definitions, examples, and links to other useful resources (CWE, ATT&CK, etc.).
#CAPEC #MITRE

The CWE classification helps standardize the understanding of security weaknesses in information systems. It helps developers, testers, and analysts identify common design or coding errors so they can be more easily avoided or corrected. Thanks to this taxonomy, security tools can produce coherent and actionable reports.
It is also very useful for training technical teams, evaluating detection tools, prioritizing risks, and complying with standards like ISO/IEC 27001. By integrating CWE into development processes, security can be significantly improved from the design phase onward.
#CWE