CVE identifiers are assigned by a U.S. non-profit organization called the MITRE Corporation, which manages the CVE program on behalf of the Cybersecurity and Infrastructure Security Agency (CISA). MITRE does not assign all identifiers itself: it relies on a network of partners known as CNAs (CVE Numbering Authorities).
A CNA can be a software vendor, a security provider, a CERT, or an organization specializing in vulnerabilities. Each CNA is authorized to assign CVE identifiers for vulnerabilities discovered in its own products or scope. This system speeds up the disclosure process while maintaining a centralized structure via MITRE.
#CVE #CISA #CNA #MITRE
The EPSS model is developed and maintained by the FIRST (Forum of Incident Response and Security Teams) community, in collaboration with researchers, data analysts, and cybersecurity professionals. It is an open and collaborative project, with publicly documented methods and regularly updated results.
This model relies on large-scale statistical data and machine learning techniques. It is designed to be transparent, reproducible, and freely accessible, making it a reliable and practical tool for security teams worldwide.
#EPSS #FIRST
The CWE list is maintained by the MITRE Corporation, the same organization that manages the CVE program. MITRE is supported by the U.S. Department of Homeland Security (DHS) and other public and private entities to develop and maintain this knowledge base.
The community also plays a key role: researchers, vendors, governments, and industry members can propose new weaknesses, suggest modifications, or share feedback on the usefulness of existing entries. The database is public, freely accessible online, and constantly updated to reflect evolving technologies and attack techniques.
#CWE #MITRE
Cybersecurity professionals are the primary users of CAPEC: SOC analysts, penetration testers, security architects, developers, trainers, and threat intelligence teams. They use it to understand adversarial tactics, prepare test scenarios, and strengthen defenses.
For example, a pentester can use a CAPEC entry to structure a simulated attack based on a realistic scenario. A developer might find insights into design flaws to avoid. A CISO can integrate CAPEC into risk analyses to better illustrate the potential consequences of a technical weakness.
#CAPEC #SOC
CVEs play a central role in vulnerability management. They provide a common language for all cybersecurity stakeholders to track and document flaws, enabling prioritization of patches, automation of analysis, and structured threat monitoring. Without CVEs, each vendor or researcher might describe a flaw differently, making coordination difficult.
They are also used by vulnerability scanners, SIEMs, SOCs, and CISOs to establish incident response policies. Their global adoption ensures that flaws are identifiable and that defenses can be activated more quickly and in a coordinated manner.
#CVE
The KEV (Known Exploited Vulnerabilities) list published by CISA identifies vulnerabilities that are actively exploited in the wild, meaning they are already being used in real-world cyberattacks. The purpose of this list is to help organizations prioritize their remediation efforts by focusing on the flaws that present an immediate threat.
By publishing this list, CISA provides a very practical risk management tool: it highlights not only known flaws, but also the most critical and urgent ones. For U.S. federal agencies, remediation of these flaws is mandatory within strict deadlines. Beyond the U.S., the KEV list is widely consulted by cybersecurity professionals worldwide to guide their patch management strategies.
#CISA #KEV
Zero-day vulnerabilities are especially dangerous because they are unknown and unpredictable. Since no patch is available yet, vulnerable systems are exposed with no immediate solution. Traditional protections like antivirus or IDS/IPS may not detect the exploitation of a zero-day.
Due to their strategic value, zero-days are often used in targeted and stealthy attacks by organized cybercriminals or state-sponsored actors. They enable attackers to infiltrate systems, remain undetected, and exfiltrate or manipulate sensitive data.
#Zero-day
The CVSS score measures the intrinsic severity of a vulnerability, but not its actual exploitation or relevance in a specific environment. For example, a vulnerability may have a high score but be hard to exploit in your infrastructure, or conversely, a medium-score flaw might target a critical, unsegmented system.
To assess risk more accurately, it's important to include complementary indicators such as:
Thus, CVSS should be viewed as an indicator of severity, not a complete risk assessment.
#CVE #CVSS
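To make the CVSS-versus-risk point concrete, here is an added example (not from the original page) that ranks a few constructed findings by combining the CVSS base score with EPSS, KEV membership, and asset context; the weighting, the `Finding` fields, and the placeholder CVE ids are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# CVE identifier format: CVE-YYYY-NNNN, with a sequence part of 4 or more digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

@dataclass(frozen=True)
class Finding:
    cve_id: str
    cvss: float             # CVSS base score, 0.0-10.0 (intrinsic severity)
    epss: float             # EPSS probability of exploitation, 0.0-1.0
    in_kev: bool            # listed in CISA's KEV catalog (exploitation confirmed)
    internet_exposed: bool  # asset reachable from the internet
    segmented: bool         # asset isolated behind network segmentation
    asset_critical: bool    # business-critical asset

def risk_score(f: Finding) -> float:
    """Assumed (hypothetical) weighting: CVSS is the severity baseline,
    EPSS/KEV scale it by exploitation likelihood, and the environment
    factors adjust for reachability and asset importance."""
    if not CVE_ID_RE.match(f.cve_id):
        raise ValueError(f"malformed CVE identifier: {f.cve_id}")
    # KEV membership overrides a low EPSS: exploitation is already observed.
    likelihood = 1.0 if f.in_kev else max(f.epss, 0.05)
    exposure = 1.0 if f.internet_exposed else 0.5
    if f.segmented:
        exposure *= 0.5
    impact = 1.5 if f.asset_critical else 1.0
    return f.cvss * likelihood * exposure * impact

def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest contextual risk first, regardless of raw CVSS order."""
    return sorted(findings, key=risk_score, reverse=True)

# Constructed sample findings with placeholder CVE ids (not real vulnerability data).
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.01, False, False, True, False),  # critical CVSS, isolated, rarely exploited
    Finding("CVE-0000-0002", 6.5, 0.40, True, True, False, True),    # medium CVSS, in KEV, exposed critical asset
    Finding("CVE-0000-0003", 7.5, 0.60, False, True, False, False),  # high CVSS, likely exploited, exposed
    Finding("CVE-0000-0004", 5.3, 0.02, True, True, False, False),   # medium CVSS, low EPSS, but in KEV
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.cve_id}  CVSS={f.cvss:<4} EPSS={f.epss:<5} KEV={f.in_kev!s:<5} risk={risk_score(f):.2f}")
```

Sorting by CVSS alone would put CVE-0000-0001 first; with exploitation likelihood and asset context included, it drops to the bottom while the KEV-listed medium-score flaws move to the top.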