Vulnerability Data

Key Vulnerability Management Terminology

A cybersecurity vulnerability is a flaw in a computer system that enables an adversary to gain direct access to a network or system, compromise its security, and inflict harm.

Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposures (CVE) is the database of such known cybersecurity vulnerabilities and exposures.

You can view the following information for all the asset types in all the vulnerability management stages:

  • The severity level reported by the National Vulnerability Database (NVD)
  • The package in which the vulnerability was found
  • The directory path to the package
  • The version in which the vulnerability was fixed

Common Vulnerability Scoring System (CVSS)

The Common Vulnerability Scoring System (CVSS) is used to assess the severity of information security vulnerabilities. Each entry in the CVE database is assigned a corresponding CVSS score, which quantifies the severity of the vulnerability.

You can view the following information for all the asset types in all the vulnerability management stages:

  • The sources selected for score calculation, for example the National Vulnerability Database
  • The CVSS score and version
  • The date when the vulnerability was discovered

CISA Known Exploited Vulnerabilities (KEV)

The Known Exploited Vulnerabilities (KEV) catalog is maintained by CISA (Cybersecurity and Infrastructure Security Agency). It is the list of software flaws that have already been exploited in the real world.

You can view the following information for all the asset types in all the vulnerability management stages:

  • The date when the vulnerability was added to the KEV catalog
  • The due date by which the vulnerability should be remediated
  • Whether the vulnerability is known to have been used in ransomware campaigns

Exploit

An exploit is a software program created to take advantage of a security flaw or vulnerability present in a system.

You can view the following information for all the asset types in all the vulnerability management stages:

  • A link to the existing exploit proof of concept (PoC) or source code
  • The date when the exploit was disclosed

Exploit Prediction Scoring System (EPSS)

EPSS (Exploit Prediction Scoring System) is a data-driven metric developed by FIRST.org that estimates the likelihood of a vulnerability being exploited in the wild. EPSS scoring includes:

  • EPSS Score: Represents the probability (from 0 to 1) that a specific vulnerability will be exploited, allowing prioritization based on real-world risk. For example, a vulnerability with an EPSS score of 0.75 has a 75% probability of exploitation based on current threat data.

  • Percentile: Shows how the vulnerability ranks relative to others, offering context on its exploitation likelihood compared to the broader vulnerability landscape. For instance, if a vulnerability’s score places it in the 85th percentile, it ranks in the top 15% of vulnerabilities likely to be exploited, signaling it as a higher priority.

  • Timestamp: Indicates when the score was last updated, ensuring users are working with the most recent exploitability data for informed decision-making.

Calculation Context:

  • EPSS Score Calculation: Scores are generated using machine learning models that analyze historical exploitation data, exploit code availability, and other threat intelligence sources.
  • Percentile Calculation: Percentiles are determined by comparing this vulnerability’s score to the distribution of all vulnerability scores, clarifying its rank in the current risk landscape.
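The CVSS severity rating, the KEV date and due-date fields, and the EPSS score and percentile described on this page, combined into one triage ordering. This is an added example written for this page, not the product's own code. The NVD severity bands for CVSS v3.x base scores, the percentile definition used (the share of scored vulnerabilities whose EPSS score is at or below the given score), the tie-break order in `triage_key`, and every CVE ID, package name, score and date below are assumptions or constructed sample data.

```python
"""Added example (not part of the original documentation): turning the
vulnerability data fields described above into a triage order. Shows the
NVD qualitative rating for a CVSS v3.x base score, the EPSS percentile as
the share of all scored vulnerabilities at or below a score, a KEV due-date
check, and a sort that puts KEV entries first, then ranks by EPSS, then by
CVSS. All CVE identifiers, package names, scores and dates are constructed."""
from bisect import bisect_right
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed stand-in for the distribution of all EPSS scores; a real run
# would load the daily EPSS data set published by FIRST.org. Kept sorted
# because the percentile lookup uses binary search.
EPSS_POPULATION = sorted([
    0.0002, 0.0004, 0.0007, 0.0011, 0.0018, 0.0023, 0.0040, 0.0062, 0.0090,
    0.0150, 0.0210, 0.0310, 0.0620, 0.1100, 0.2400, 0.5100, 0.7500, 0.9100,
    0.9500, 0.9700,
])

TODAY = date(2024, 6, 10)  # constructed reference date for the due-date check


def epss_percentile(score: float, population: list[float]) -> float:
    """Share of scored vulnerabilities with an EPSS score at or below `score`
    (assumed definition). 0.85 means the vulnerability out-scores 85% of the
    population, i.e. it sits in the top 15%, as in the text's example."""
    if not population:
        raise ValueError("empty EPSS population")
    return bisect_right(population, score) / len(population)


def cvss_severity(score: float) -> str:
    """NVD qualitative rating scale for CVSS v3.x base scores."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    """One vulnerability record carrying the fields this page describes."""
    cve_id: str
    package: str
    cvss_score: float
    epss_score: float
    fixed_version: Optional[str] = None
    kev_date_added: Optional[date] = None  # None when not in the KEV catalog
    kev_due_date: Optional[date] = None
    kev_ransomware: bool = False

    @property
    def in_kev(self) -> bool:
        return self.kev_date_added is not None


def kev_overdue(finding: Finding, today: date) -> bool:
    """True when the KEV remediation due date has already passed."""
    return finding.kev_due_date is not None and today > finding.kev_due_date


def triage_key(finding: Finding, today: date) -> tuple:
    """Sort key: KEV entries first (overdue and ransomware-linked ones ahead
    of the rest), then higher EPSS, then higher CVSS. Python sorts False
    before True, so each boolean is negated to put 'yes' first."""
    return (not finding.in_kev, not kev_overdue(finding, today),
            not finding.kev_ransomware, -finding.epss_score, -finding.cvss_score)


def prioritize(findings: list[Finding], today: date) -> list[Finding]:
    return sorted(findings, key=lambda f: triage_key(f, today))


# Constructed sample findings. CVE-0000-0001 has the highest CVSS score but a
# low EPSS score and no KEV entry, so it lands last in the triage order.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "libexample", 9.8, 0.02, fixed_version="1.2.4"),
    Finding("CVE-0000-0002", "webfw", 7.5, 0.91, fixed_version="3.0.1",
            kev_date_added=date(2024, 1, 10), kev_due_date=date(2024, 1, 31),
            kev_ransomware=True),
    Finding("CVE-0000-0003", "parserlib", 5.3, 0.75),
    Finding("CVE-0000-0004", "cryptoutil", 8.1, 0.31,
            kev_date_added=date(2024, 6, 1), kev_due_date=date(2024, 6, 22)),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS, TODAY):
        pct = epss_percentile(f.epss_score, EPSS_POPULATION)
        print(f"{f.cve_id} {f.package:<11} CVSS {f.cvss_score:>4} "
              f"({cvss_severity(f.cvss_score)}) EPSS {f.epss_score:.2f} "
              f"pct {pct:.2f} KEV={'yes' if f.in_kev else 'no'} "
              f"overdue={kev_overdue(f, TODAY)}")
```

Running the block prints the four constructed findings in the order CVE-0000-0002, CVE-0000-0004, CVE-0000-0003, CVE-0000-0001: the KEV entry that is both overdue and ransomware-linked comes first, the other KEV entry second, and the two non-KEV findings are ordered by EPSS, so the critical-CVSS but rarely exploited CVE-0000-0001 ends up last. The ordering in `triage_key` is one reasonable policy, not a standard; adjust it to match your own remediation SLAs.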