FAQ : #MITRE

The process of publishing a CVE generally begins with the submission of a vulnerability report to a CNA or directly to MITRE. If the flaw is recognized as legitimate, a CVE identifier is reserved. At this stage, the CVE may remain "reserved" for some time, pending technical validation, agreement from the parties involved, or the availability of a fix.

Once all information has been verified, the CVE is made public via the official MITRE website (cve.org) and other platforms such as NVD (National Vulnerability Database) or CVE Find. It includes a short technical description of the vulnerability, the publication date, the affected products, and sometimes references to patches or security advisories.

#CVE #MITRE #NVD

CAPEC stands for Common Attack Pattern Enumeration and Classification. It is a structured knowledge base developed by MITRE that lists and describes known attack patterns used against computer systems. Rather than documenting isolated incidents, CAPEC entries describe reusable strategies used by attackers to exploit vulnerabilities.

Each CAPEC pattern is an abstract representation of malicious behavior: it explains how an attack is carried out, what type of weakness it targets, and for what purpose. The goal of CAPEC is to help security professionals better understand, detect, and anticipate the tactics used by attackers.

#CAPEC #MITRE

The CWE Top 25 is an annual list of the 25 most dangerous software security weaknesses. It is compiled by MITRE using public data from the NVD (National Vulnerability Database) and other sources, analyzing the frequency and impact of weaknesses associated with real-world CVEs.

This ranking is valuable for developers and security teams because it highlights the most common and critical errors, such as injections, buffer overflows, or authentication problems. By focusing on these priority weaknesses, organizations can quickly improve their security posture, even with limited resources.

#CWE #MITRE

CAPEC and CWE are two complementary databases maintained by MITRE, but they do not have the same objective. CWE describes technical weaknesses in code or design (e.g., lack of input validation), while CAPEC describes attack methods that exploit these weaknesses (e.g., SQL injection).

In other words, CWE focuses on the cause, while CAPEC focuses on the attacker's action. The two can be linked: a CAPEC pattern often specifies which CWEs it targets, making it possible to link the theoretical vulnerability, the practical exploitation, and the associated CVEs.
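The linkage described above can be followed mechanically: invert the pattern-to-weakness links, then look up each CVE's weaknesses. The following is an added example, not code from the original page or from MITRE; the XML layout is a constructed, simplified stand-in (not the real CAPEC download format), the function names are hypothetical, and the CVE identifiers are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed, simplified records: not the real CAPEC download format.
CAPEC_XML = """
<patterns>
  <pattern id="CAPEC-66" name="SQL Injection">
    <weakness id="CWE-89"/>
  </pattern>
  <pattern id="CAPEC-7" name="Blind SQL Injection">
    <weakness id="CWE-89"/>
  </pattern>
  <pattern id="CAPEC-100" name="Overflow Buffers">
    <weakness id="CWE-120"/>
  </pattern>
</patterns>
"""

# Constructed CVE records with placeholder identifiers and their assigned CWEs.
CVE_RECORDS = [
    {"id": "CVE-0000-0001", "cwes": ["CWE-89"]},
    {"id": "CVE-0000-0002", "cwes": ["CWE-120"]},
    {"id": "CVE-0000-0003", "cwes": []},           # no weakness assigned yet
    {"id": "CVE-0000-0004", "cwes": ["CWE-287"]},  # CWE absent from the sample
]

def cwe_to_patterns(xml_text):
    """Invert the pattern -> weakness links into weakness -> [patterns]."""
    index = defaultdict(list)
    for pattern in ET.fromstring(xml_text).iter("pattern"):
        for weakness in pattern.iter("weakness"):
            index[weakness.get("id")].append(pattern.get("id"))
    return index

def patterns_for_cves(cve_records, index):
    """Map each CVE to the attack patterns that target its weaknesses."""
    result = {}
    for cve in cve_records:
        found = {p for cwe in cve["cwes"] for p in index.get(cwe, [])}
        result[cve["id"]] = sorted(found)
    return result

if __name__ == "__main__":
    index = cwe_to_patterns(CAPEC_XML)
    for cve_id, patterns in patterns_for_cves(CVE_RECORDS, index).items():
        print(cve_id, patterns or "no linked attack pattern")
```

A CVE with no CWE assigned, or with a CWE that no pattern references, yields an empty list, which is the case a triage script has to handle explicitly.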

#CAPEC #CWE #MITRE

The official source of the CAPEC database is the MITRE website. This portal allows you to explore all patterns classified by attack type, complexity, target, or level of sophistication. Each record is accompanied by precise definitions, examples, and links to other useful resources (CWE, ATT&CK, etc.).

#CAPEC #MITRE

CVE identifiers are assigned by a US non-profit organization called the MITRE Corporation, which manages the CVE program on behalf of the Cybersecurity and Infrastructure Security Agency (CISA). MITRE does not assign every identifier itself: it relies on a network of partners called CNAs (CVE Numbering Authorities).

A CNA can be a software publisher, a security vendor, a CERT, or an organization specializing in vulnerabilities. Each CNA is authorized to assign CVE identifiers for vulnerabilities discovered in its own products or within its scope. This system accelerates the reporting of vulnerabilities while maintaining a centralized structure via MITRE.

#CVE #CISA #CNA #MITRE

The CWE list is maintained by the MITRE Corporation, the same organization that manages the CVE program. MITRE develops and updates this knowledge base with support from the U.S. Department of Homeland Security (DHS) and other public and private stakeholders.

The community also plays a key role: researchers, publishers, governments, and industry professionals can propose new weaknesses, suggest modifications, or share feedback on the usefulness of existing entries. The database is public, freely accessible online, and continuously enriched to reflect the evolution of technologies and attack techniques.

#CWE #MITRE