FAQ

FAQ : #CVE

Yes, a CVSS score can evolve over time, especially if new information emerges. For example, a public exploit, a patch bypass, or evidence of active exploitation changes the temporal metrics (called Threat metrics in CVSS v4.0), and the base vector itself is revised if the initial assessment turns out to be wrong, for instance because the attack vector or the required privileges were misjudged.

In addition, databases such as the NVD re-analyze CVE records when new information becomes available, so their score can differ from the one first published by the vendor or CNA. It is therefore recommended that companies periodically revalidate their analyses, especially for critical vulnerabilities.

#CVE #CVSS

No, CVEs do not only concern software. They can also cover vulnerabilities in hardware, firmware, IoT components, operating systems, and even certain dangerous default configurations. For example, flaws in routers, processors, or industrial equipment can also receive CVE identifiers.

This broad coverage allows for the consideration of different attack vectors in a modern information system. The key is that the vulnerability is documented, confirmed, and publicly reported to be included in the CVE program. This way, security teams can assess risks across the entire infrastructure.

#CVE #IoT

No, the existence of a CVE does not guarantee that a patch is available. A CVE may be published before a vendor has developed a fix, or even in cases where no fix is planned (for example, for obsolete or no longer maintained software). In these situations, users must implement workarounds or disable certain vulnerable features.

It is therefore essential not only to consult the CVE record, but also the vendor's advisory, which states whether a patch exists and for which versions, and databases such as the NVD or CISA's KEV catalog. Note that KEV does not announce patch timelines: for each listed CVE it gives the required action (apply the vendor update, or discontinue use of the product if no mitigation is available) and the remediation deadline it imposes on US federal agencies, which many other organizations reuse as an internal SLA. Good risk management takes into account both the severity of the vulnerability and the availability of solutions.

#CVE #NVD #KEV

The process of publishing a CVE generally begins with the submission of a vulnerability report to the CNA responsible for the affected product (often the vendor itself) or, when no CNA covers it, to MITRE, which acts as the CNA of last resort. If the flaw is recognized as legitimate, a CVE identifier is reserved. At this stage, the CVE may remain "reserved" for some time, pending technical validation, agreement from the parties involved, or the availability of a fix.

Once all information has been verified, the CVE is made public via the CVE Program's official website (cve.org, operated by MITRE) and other platforms such as NVD (National Vulnerability Database) or CVE Find. It includes a short technical description of the vulnerability, the publication date, the affected products, and usually references to patches or security advisories.

#CVE #MITRE #NVD

To determine if a CVE is actively exploited, several information sources can be consulted. The most reliable is the KEV (Known Exploited Vulnerabilities) catalog maintained by CISA, which lists CVEs for which CISA has reliable evidence of exploitation in the wild. It is updated regularly and often used to establish remediation priorities. This information is directly accessible on our website CVE Find.

You can also rely on the EPSS score, which estimates the probability that exploitation activity for a CVE will be observed in the next 30 days, using a model trained on observed exploitation data. EPSS is recomputed daily, so the score of a given CVE changes over time and should be re-read rather than cached. Finally, threat intelligence tools, CERT reports, or vendor security bulletins can also indicate whether a vulnerability is currently being used by attackers.
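As an added example (not code from CVE Find, CISA or FIRST), the following Python script shows how the sources above are combined in practice: it parses a JSON document in the shape of the KEV catalog feed and a CSV in the shape of the daily EPSS feed, validates the CVE identifier format before any lookup, and ranks a list of scanner findings so that KEV entries come first (with their required action and due date), then CVEs whose EPSS is above a threshold, then the remaining ones by CVSS base score. The two feeds, the findings and the identifiers (year 2099) are constructed placeholders, not real CVE records, and the 0.1 EPSS threshold is an arbitrary assumption for the demonstration, not a recommendation from any of these sources.

```python
import csv
import json
import re

# CVE identifiers: "CVE-", a four-digit year, a dash, then four or more digits.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample in the shape of the CISA KEV JSON feed. The identifiers
# are placeholders (year 2099), not real CVEs; only the fields used below
# are filled in (the real feed also carries vendorProject, product, notes...).
KEV_JSON = """{
  "catalogVersion": "2024.01.01",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2099-0001", "dateAdded": "2024-01-01",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
     "dueDate": "2024-01-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-0003", "dateAdded": "2023-12-15",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-01-05", "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Constructed sample in the shape of the daily EPSS CSV published by FIRST:
# one '#' comment line with model version and date, then cve,epss,percentile.
EPSS_CSV = """#model_version:v2023.03.01,score_date:2024-01-01T00:00:00+0000
cve,epss,percentile
CVE-2099-0001,0.97000,0.99900
CVE-2099-0002,0.03000,0.85000
CVE-2099-0003,0.42000,0.97000
CVE-2099-0004,0.55000,0.98000
"""

# Constructed scanner output: (CVE identifier, CVSS base score).
SAMPLE_FINDINGS = [
    ("CVE-2099-0001", 7.5),
    ("CVE-2099-0002", 9.8),
    ("CVE-2099-0003", 8.1),
    ("CVE-2099-0004", 9.1),
]


def is_cve_id(value):
    """True for well-formed identifiers such as CVE-2023-12345."""
    return CVE_ID.match(value) is not None


def load_kev(text):
    """Index the KEV feed by CVE identifier."""
    data = json.loads(text)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def load_epss(text):
    """Parse the EPSS CSV, skipping the '#' metadata line, into {cve: epss}."""
    lines = [line for line in text.splitlines() if line and not line.startswith("#")]
    return {row["cve"]: float(row["epss"]) for row in csv.DictReader(lines)}


def prioritise(findings, kev, epss, epss_threshold=0.1):
    """Rank findings: tier 1 = in KEV, tier 2 = EPSS above threshold,
    tier 3 = CVSS critical without exploitation evidence, tier 4 = backlog.
    Within a tier, higher EPSS then higher CVSS comes first."""
    ranked = []
    for cve_id, cvss in findings:
        if not is_cve_id(cve_id):
            raise ValueError(f"not a CVE identifier: {cve_id}")
        entry = kev.get(cve_id)
        probability = epss.get(cve_id, 0.0)  # absent from EPSS: treat as 0
        if entry is not None:
            tier, reason = 1, f"in KEV, due {entry['dueDate']}: {entry['requiredAction']}"
        elif probability >= epss_threshold:
            tier, reason = 2, f"EPSS {probability:.2f} above threshold"
        elif cvss >= 9.0:
            tier, reason = 3, "CVSS critical but no exploitation evidence yet"
        else:
            tier, reason = 4, "backlog"
        ranked.append((tier, -probability, -cvss, cve_id, reason))
    ranked.sort()
    return [{"cve": c, "tier": t, "cvss": -s, "epss": -p, "reason": r}
            for t, p, s, c, r in ranked]


if __name__ == "__main__":
    for item in prioritise(SAMPLE_FINDINGS, load_kev(KEV_JSON), load_epss(EPSS_CSV)):
        print(f"tier {item['tier']}  {item['cve']}  CVSS {item['cvss']}  "
              f"EPSS {item['epss']:.2f}  {item['reason']}")
```

Run as is, the CVSS 9.8 finding ends up last: it is in neither KEV nor above the EPSS threshold, which is exactly the situation the answer above warns about, a high base score alone saying nothing about real-world exploitation.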

#CVE #KEV #CISA #EPSS

Yes, there is an official CVSS score calculator provided by the Forum of Incident Response and Security Teams (FIRST), which maintains the CVSS standard. It is accessible online at: https://www.first.org/cvss/calculator.

This calculator allows you to compose a vector by selecting the relevant metrics, and then automatically calculates the scores (base, temporal, and environmental in CVSS v3.1; base, threat, environmental, and supplemental in CVSS v4.0). A separate calculator exists for each version, and a vector must be scored with the version named in its prefix (CVSS:3.1/ or CVSS:4.0/), since the formulas differ.

#CVE #CVSS

The CVSS (Common Vulnerability Scoring System) score measures the severity of a vulnerability by assigning it a rating from 0.0 to 10.0, where 10.0 is the most severe. It is designed to provide a standardized and reproducible assessment of vulnerabilities, so that organizations can compare them with each other and prioritize their remediation.

This score takes into account several aspects: the ease of exploitation (attack vector, attack complexity, privileges required, user interaction), the potential effects on confidentiality, integrity and availability, and whether the impact spills over to components other than the vulnerable one. In summary, the CVSS quantifies the intrinsic severity of a security flaw; it says nothing by itself about whether the flaw is being exploited.

#CVE #CVSS

A CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to a known vulnerability in a computer system, software, or hardware. It allows for the precise naming and tracking of a flaw, even when it is addressed by different vendors, tools, or databases. Each CVE follows the format CVE-YYYY-NNNN, such as CVE-2023-12345, where YYYY is the year the identifier was reserved or the vulnerability was made public (not necessarily the year of discovery) and NNNN is a sequence number of at least four digits.

The purpose of CVEs is to standardize communication about security flaws: instead of using variable descriptions, all actors can refer to the same identifier. This facilitates coordination between researchers, software publishers, security teams, and security solution providers.

#CVE

A CVE (Common Vulnerabilities and Exposures) is a security flaw that has already been identified, documented, and published in an official database. It is known to the public, and in most cases a patch is available or in progress (although not always, as explained in the question on patch availability). In contrast, a zero-day is a flaw that is unknown to the vendor, or at least unpatched, at the moment it is exploited, and that therefore has no CVE yet at the time of its discovery.

In other words, any zero-day can become a CVE once it is disclosed, but not all CVEs are zero-days. The major risk of a zero-day is precisely that it can be exploited before it is even reported, whereas a CVE is by definition a publicly known vulnerability that vendors and defenders can track and act on.

#Zero-day #CVE

A CVE is simply a public declaration that a flaw exists in a given product, while an exploited vulnerability means that an attacker is actively using this flaw to compromise systems. In other words, not all CVEs are exploited in real-world conditions: many are never exploited at all, or are exploitable only under narrow conditions.

Conversely, a vulnerability can be exploited without yet having received a CVE - this is what is called a zero-day. To assess the real danger of a CVE, it is necessary to consult additional information such as the CISA's KEV data or the EPSS score, which indicate whether the flaw is actively used in cyberattacks. This information is available directly from our website CVE Find.

#CVE #CISA #KEV #Zero-day

CVSS is broken down into three sub-scores:

  • Base Score: assesses the intrinsic severity of the vulnerability, independent of any context. It is the score published in CVE records and databases.
  • Temporal Score (renamed Threat metrics in CVSS v4.0): adjusts the base score according to exploit code maturity, remediation level (official fix, workaround, none) and report confidence. It reflects the maturity of the threat and changes as exploits and patches appear.
  • Environmental Score: allows organizations to adapt the assessment to their own context (asset importance, exposure, business impact). It is customized to each company and is not published.

By combining these three layers, the CVSS model becomes a more flexible tool that allows for refining treatment priorities according to the reality on the ground.

#CVE #CVSS

CAPEC attack patterns serve to document the tactics and techniques used by attackers to exploit systems. By studying them, security analysts, developers, and architects can understand the objectives of an attack, its typical steps, and the vulnerabilities exploited. This allows them to anticipate threats and design more effective countermeasures.

They are also useful for training, risk analysis, attack simulation (red teaming), and the implementation of defensive security controls. By linking CAPECs to CWEs and CVEs, a complete chain can be established from weakness to concrete exploitation, which enriches threat modeling or security by design approaches.

#CAPEC #CWE #CVE

The CVSS scale (for versions 3.0 and later; v2 had no "Critical" level) ranges from 0.0 to 10.0, and each value range is associated with a severity level:

  • 0.0: None
  • 0.1 to 3.9: Low
  • 4.0 to 6.9: Medium
  • 7.0 to 8.9: High
  • 9.0 to 10.0: Critical

This classification allows organizations to filter vulnerabilities by severity, but it does not take into account the specific context of each company. That's why other criteria, such as active exploitation or the assets involved, should complement this assessment.

#CVE #CVSS

CVE identifiers are assigned under the CVE Program, which is sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) and operated by the MITRE Corporation, a US non-profit organization acting as the program's secretariat. MITRE does not assign most identifiers itself: it relies on a network of partners called CNAs (CVE Numbering Authorities), and only steps in as the CNA of last resort for products that no CNA covers.

A CNA can be a software publisher, a security vendor, a CERT, or an organization specializing in vulnerabilities. Each CNA is authorized to assign CVE identifiers for vulnerabilities discovered in its own products or within its scope. This system accelerates the reporting of vulnerabilities while maintaining a centralized structure via MITRE.

#CVE #CISA #CNA #MITRE

The CVSS score is generally defined by the organization that publishes the vulnerability, often a CNA (CVE Numbering Authority) or the software vendor concerned. In addition, entities such as the NVD (National Vulnerability Database) sometimes recalculate or adjust scores to ensure consistency between published CVEs.

Given the same vector string, the base score is deterministic: any tool, or any independent researcher, SOC analyst, or security vendor, can recompute it from the published vector and obtain the same value. When two sources show different scores for one CVE, it is because they chose different metric values (for example, the CNA and the NVD disagreeing on attack complexity or on whether the scope changes) or because environmental or temporal metrics have been applied. This is why it is worth comparing the vectors, not just the numbers, and cross-referencing sources for critical decisions.

#CVE #CVSS #CNA #NVD