The CVE publication process usually starts with a vulnerability report submitted to a CNA or directly to MITRE. If the flaw is confirmed to be legitimate, a CVE identifier is reserved. At this stage, the CVE may remain "reserved" for some time, pending technical validation, agreement from involved parties, or availability of a fix.
Once all the information is verified, the CVE is made public through MITRE’s official website (cve.org) and other platforms such as the NVD (National Vulnerability Database) or CVE Find. It includes a short technical description, publication date, affected products, and sometimes references to patches or security advisories.
#CVE #MITRE #NVD
CAPEC stands for Common Attack Pattern Enumeration and Classification. It is a structured knowledge base developed by MITRE that catalogs and describes known attack patterns used against information systems. Unlike isolated incidents, CAPEC outlines reusable strategies that attackers can use to exploit vulnerabilities.
Each CAPEC pattern is an abstract representation of malicious behavior: it explains how an attack is carried out, what type of weakness it targets, and the attacker’s objective. The goal of CAPEC is to help security professionals better understand, detect, and anticipate adversarial tactics.
#CAPEC #MITRE
The CWE Top 25 is an annual list of the 25 most dangerous software security weaknesses. It is compiled by MITRE based on public data from the NVD (National Vulnerability Database) and other sources, by analyzing the frequency and impact of weaknesses linked to real CVEs.
This ranking is valuable for developers and security teams, as it highlights the most common and critical errors, such as injections, buffer overflows, or authentication issues. By focusing on these priority weaknesses, organizations can quickly improve their security posture, even with limited resources.
#CWE #MITRE
CAPEC and CWE are two complementary databases maintained by MITRE, but they serve different purposes. CWE describes technical weaknesses in code or design (e.g., lack of input validation), while CAPEC describes attack methods that exploit these weaknesses (e.g., SQL injection).
In other words, CWE focuses on the cause, while CAPEC focuses on the attacker's action. The two can be linked: a CAPEC entry often specifies which CWE it targets, allowing the connection between the theoretical vulnerability, its practical exploitation, and the associated CVEs.
#CAPEC #CWE #MITRE
The official source of the CAPEC database is the MITRE website. This portal allows users to explore all the attack patterns, categorized by type, complexity, target, or level of sophistication. Each entry is accompanied by precise definitions, examples, and links to other useful resources (CWE, ATT&CK, etc.).
#CAPEC #MITRE
CVE identifiers are assigned by a U.S. non-profit organization called the MITRE Corporation, which manages the CVE program on behalf of the Cybersecurity and Infrastructure Security Agency (CISA). MITRE does not assign all identifiers itself: it relies on a network of partners known as CNAs (CVE Numbering Authorities).
A CNA can be a software vendor, a security provider, a CERT, or an organization specializing in vulnerabilities. Each CNA is authorized to assign CVE identifiers for vulnerabilities discovered in its own products or scope. This system speeds up the disclosure process while maintaining a centralized structure via MITRE.
#CVE #CISA #CNA #MITRE
The CWE list is maintained by the MITRE Corporation, the same organization that manages the CVE program. MITRE is supported by the U.S. Department of Homeland Security (DHS) and other public and private entities to develop and maintain this knowledge base.
The community also plays a key role: researchers, vendors, governments, and industry members can propose new weaknesses, suggest modifications, or share feedback on the usefulness of existing entries. The database is public, freely accessible online, and constantly updated to reflect evolving technologies and attack techniques.
#CWE #MITRE