What Is the Common Vulnerabilities and Exposures (CVE) System and How Does It Relate to Third-Party Cyber Risk?
The Common Vulnerabilities and Exposures (CVE) System, launched in 1999, is a publicly available catalog of known security vulnerabilities and exposures, each tracked under a unique identifier. It is operated by the MITRE Corporation and funded by the United States Department of Homeland Security.
CVE Identification Numbers
Within MITRE Corporation’s system, there are defined CVE Identifiers. These unique, common identifiers serve as ID numbers for publicly known security vulnerabilities in publicly released software. When vetting or reviewing a supplier’s vulnerabilities, having the relevant CVEs helps you make educated decisions about that supplier.
There are three ways vulnerabilities can be assigned a CVE number:
1. The MITRE Corporation. The MITRE Corporation is the primary CVE Numbering Authority (CNA). It also functions as an editor, reviewing numbers submitted by other CNAs.
2. Software developer assignments. Many corporations assign CVEs for vulnerabilities related to their own products; for example, Microsoft may assign a number to vulnerabilities associated with its software.
3. Third-party assignments. Third-party coordinators, including the CERT Coordination Center, can assign CVE numbers in other scenarios.
It is important to assign CVE numbers as early as possible. They serve as a form of tracking, allowing all forms of documentation and discussion to reference this specific number.
Which Types of Vulnerabilities Are Included?
The CVE system is used for all forms of software that have been publicly released. This includes finished versions of software products, but also pre-release versions and betas, assuming they’ve been made public. Some forms of commercial software are included in this system, with a few exceptions; for example, custom-built software that is only used by one company would not be considered publicly released.
All entries in the CVE list rely on the same data fields. For example, there’s a standardized description of the issue briefly summarizing the nature of the vulnerability. There’s also a section for references which contains a list of URLs and other information relevant to the issue. Think of it as a “further reading” section.
The Benefits of the CVE System
There are many benefits to the CVE system, including:
Centralized management of vulnerabilities. One of the biggest advantages is that the CVE provides a centralized place where vulnerabilities can be managed and reviewed, regardless of their point of origin. If your organization uses many different software products from a range of different developers, you can rely on the CVE list to provide you with information on vulnerabilities in all of them. You don’t have to consult multiple databases to stay up-to-date.
Consistent evaluation. Because the MITRE Corporation serves as the functional “editor” of this list, you can rest assured that vulnerabilities are being evaluated consistently. You don’t have to worry that a vulnerability is getting skipped over due to poor management, or that duplicates and mistaken number assignments are muddling the list.
Common formatting and descriptions. Within the CVE, all entries offer the same data fields (for the most part). Once you are accustomed to the layout, reviewing new entries becomes faster. Additionally, you can compare vulnerabilities apples to apples, since they all rely on the same formatting.
Encouraged public sharing of knowledge. The very existence of the CVE system encourages the public sharing of information. When a company discovers a vulnerability in its published software, it is incentivized to report that vulnerability. Many companies already have systems in place for identifying, cataloging and communicating information about vulnerabilities, but the CVE makes everything more streamlined—not to mention universal.
Research and better security. Of course, the most important benefit of the CVE is that it provides information about vulnerabilities and exposures to the people who need the information most—cybersecurity experts within organizations. You can use the CVE to research software products you’re considering for your business, proactively identify potential vulnerabilities and figure out solutions and workarounds before it’s too late.
The Risks of Publicizing Vulnerabilities
Intuitively, it may seem like a bad idea to publicize information about security flaws and vulnerabilities. After all, the list is publicly available—which means hackers and would-be cybercriminals have access to the list of vulnerabilities as well. If they were so motivated, they could use this list as a way to exploit these vulnerabilities and attack companies and individuals.
However, the cybersecurity community has gradually come to accept that the best path forward is transparency; in other words, it’s better to publicize the information related to vulnerabilities than it is to try and keep things hidden. There are risks and downsides to this approach, but the potential benefits far outweigh these risks and downsides.
One key point here is that it typically takes an organization far longer to patch or mitigate a vulnerability than it takes an attacker to exploit it. Therefore, it’s vital to circulate information about vulnerabilities as early and efficiently as possible.
It’s also important to recognize that the CVE only lists security vulnerabilities that are already publicly known. In other words, sufficiently skilled and resourceful hackers already know about these vulnerabilities anyway; they can’t use the CVE list to gain a meaningful advantage.
Accessing the CVE List
MITRE makes the CVE list publicly available so you can access it at any time, for any purpose. You can download the full CVE list from the CVE site, or use the site’s search to look up a specific CVE. Downloads are available in many formats, including CSV, HTML, text and XML.
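As an added example (not code from the original article or from Panorays), the script below shows how the two data fields described earlier (description and references) can be pulled out of a CSV download and matched against a supplier’s product list. The CSV column names, the " | " reference separator, the CVE IDs and the product names are all constructed for the example; only the CVE identifier format (CVE-YYYY-NNNN, with four or more trailing digits) is the real convention.

```python
import csv
import io
import re

# A CVE ID is "CVE-", a four-digit year, "-", and four or more digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample rows, not an excerpt of the real MITRE download;
# the column names and the " | " reference separator are assumptions.
SAMPLE_CSV = """Name,Description,References
CVE-2099-0001,Buffer overflow in ExampleServer 1.2 allows remote code execution.,https://example.invalid/adv/1 | https://example.invalid/patch/1
CVE-2099-0002,Improper input validation in WidgetLib 3.0 allows denial of service.,https://example.invalid/adv/2
bad-id,Malformed row that should be skipped.,https://example.invalid/adv/x
CVE-2099-0003,Information disclosure in ExampleServer 2.0 via verbose errors.,https://example.invalid/adv/3
"""

def is_valid_cve_id(cve_id):
    """Return True if cve_id has the standard CVE identifier shape."""
    return bool(CVE_ID_RE.match(cve_id.strip()))

def load_cve_entries(csv_text):
    """Parse CSV text into {cve_id: {"description": str, "references": [str]}}.
    Rows whose Name is not a well-formed CVE ID are skipped."""
    entries = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        cve_id = row["Name"].strip()
        if not is_valid_cve_id(cve_id):
            continue
        refs = [r.strip() for r in row["References"].split("|") if r.strip()]
        entries[cve_id] = {"description": row["Description"].strip(),
                           "references": refs}
    return entries

def find_cves_for_products(entries, products):
    """Map each product name to the sorted CVE IDs whose description
    mentions it (case-insensitive substring match on the description)."""
    hits = {p: [] for p in products}
    for cve_id, entry in entries.items():
        text = entry["description"].lower()
        for product in products:
            if product.lower() in text:
                hits[product].append(cve_id)
    return {p: sorted(ids) for p, ids in hits.items()}

if __name__ == "__main__":
    cves = load_cve_entries(SAMPLE_CSV)
    products = ["ExampleServer", "WidgetLib", "OtherTool"]
    for product, ids in find_cves_for_products(cves, products).items():
        print(f"{product}: {ids or 'no CVEs in this list'}")
```

A substring match on the description is only a first pass for a supplier review; product naming in real entries varies, so confirm each hit against the linked references.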
How Panorays Can Help
With the Panorays platform, you have full visibility of any CVEs related to your suppliers’ vulnerabilities. Our platform automates third-party security risk evaluation and management, handling the whole process from inherent to residual risk, remediation and ongoing monitoring.