
Your Simple Guide to Common Vulnerabilities And Exposures 

As more and more businesses move online, it’s increasingly important to guard against security threats.

Although we all know that cyber-attacks are common, it can be tricky to determine which parts of your system are vulnerable to hackers.

Yet one in three breaches occurs due to unpatched vulnerabilities—so it’s crucial to find out where the weaknesses are and take action to fix them.

That’s why an accessible list of common problems and dangers is so useful to organizations – which is where CVE comes in.

In a moment, we’ll explain exactly what CVE is, but first, let’s look at what we mean by vulnerabilities and exposures.

What are vulnerabilities and exposures?

In cybersecurity, a vulnerability is any weakness in a computer system that could be exploited in a cyber attack.

It could allow an attacker to gain unauthorized access to the computer system and perform malicious actions—such as accessing system information, installing malware, or stealing, destroying, or modifying data. 

There are many different types of vulnerabilities, each with a different level of severity, depending on how dangerous the outcome is in the event it is exploited.

For example, a weakness in your customer support artificial intelligence system could lead to customer data being compromised.

An exposure is a mistake in software or a configuration choice that is not a vulnerability in itself, but gives an attacker information or capabilities that can be used as a stepping stone into a system or network.

Examples include running services that reveal information about the host, running services that are common attack points (such as HTTP, FTP, or SMTP), and using applications that can be attacked with brute-force methods (for example, a login prompt with no lockout).

An exposure does not give the attacker direct access on its own, but it is typically one component of an attack that, taken as a whole, violates a security policy.

It often leads to a data breach or leak; some of the world's largest data breaches have been caused by accidental exposure (a publicly readable storage bucket, for instance) rather than by sophisticated cyber attacks.

CVE is a reference list of these vulnerabilities and exposures.


What exactly is CVE?

CVE stands for Common Vulnerabilities and Exposures. It’s a free directory of publicly-known vulnerabilities and exposures in software.

This helps organizations identify potential problems to improve their cyber security and data protection methods. 

CVE was launched in 1999 by the MITRE corporation to identify and categorize vulnerabilities in software and firmware.

MITRE is a nonprofit organization that runs federally-funded research and development centers in the United States. It maintains the CVE list, website, and the CVE Compatibility Program.

CVE is sponsored by the Cybersecurity and Infrastructure Security Agency (CISA), part of the US Department of Homeland Security (DHS).

How does CVE work?

The CVE program does not assess severity; it assigns each publicly disclosed vulnerability a unique identifier and a short record, and publishes these so that organizations can refer to the same flaw across tools, advisories, and vendors.

When a researcher or a company finds a new vulnerability, such as a flaw or design oversight in software or firmware, they request a CVE identifier for it, from the affected vendor's own CNA where one exists or otherwise from the CVE program. For instance, a tester might notice the weakness during beta testing.

The assigning CNA checks that the report describes a real, independently fixable vulnerability in a specific product before it issues an identifier, and researchers may be asked to show how the flaw could be used in a cyber attack. A clear, reproducible report is far more likely to be accepted than a vague claim.

Reports from established vendors and other trusted parties are usually added to the CVE list quickly.

Accepted listings are known as CVE Records (older material calls them CVE entries). Each record is given a standardized CVE name, or identifier, for one particular vulnerability or exposure.

Every identifier follows the same format: the letters "CVE", the year in which the identifier was reserved or the vulnerability was made public, and a sequence number of at least four digits. For example, CVE-1999-0067. Since 2014 the sequence number may be longer than four digits, so identifiers such as CVE-2021-44228 are valid too, and tools that only accept exactly four digits will miss them.
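As an added illustration (example code written for this edit, not part of the original post), the following Python parses and normalizes CVE identifiers, including the longer sequence numbers that four-digit patterns miss, and pulls every identifier out of a piece of free text such as an advisory. The advisory text is constructed for the example; the identifiers in it are real but are used only to exercise the parser, and the 1999 lower bound on the year is an assumption based on the program's start date.

```python
import re
from dataclasses import dataclass

# A CVE identifier is "CVE-" + four-digit year + "-" + a sequence number of at
# least four digits. There is no upper limit on the sequence number, so a
# pattern written as \d{4} silently misses IDs such as CVE-2021-44228.
CVE_RE = re.compile(r"\bCVE-(?P<year>\d{4})-(?P<seq>\d{4,})\b", re.IGNORECASE)

# Assumption: the CVE program started in 1999, so no valid ID carries an earlier year.
FIRST_CVE_YEAR = 1999


@dataclass(frozen=True, order=True)
class CveId:
    """A parsed identifier; ordering is by year, then sequence number."""
    year: int
    seq: int

    def __str__(self) -> str:
        # Canonical form: upper-case prefix, sequence number padded to at least four digits.
        return f"CVE-{self.year}-{self.seq:04d}"


def parse_cve_id(text: str) -> CveId:
    """Parse one identifier, raising ValueError for anything not well-formed."""
    m = CVE_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a CVE identifier: {text!r}")
    year, seq = int(m["year"]), int(m["seq"])
    if year < FIRST_CVE_YEAR:
        raise ValueError(f"implausible CVE year {year}: {text!r}")
    return CveId(year, seq)


def extract_cve_ids(text: str) -> list:
    """Find every CVE ID mentioned in free text (an advisory, a commit message,
    a scanner report), de-duplicated and sorted by year then sequence number."""
    found = set()
    for m in CVE_RE.finditer(text):
        year, seq = int(m["year"]), int(m["seq"])
        if year >= FIRST_CVE_YEAR:
            found.add(CveId(year, seq))
    return sorted(found)


# Constructed advisory text, not taken from any real advisory. CVE-2021-44228
# (Log4Shell) and CVE-1999-0067 (the phf CGI bug) are real identifiers used
# here only to exercise the parser; CVE-21-1234 is deliberately malformed.
SAMPLE_ADVISORY = """
Fixed in this release: cve-2021-44228 (remote code execution via JNDI lookup).
See also CVE-1999-0067, CVE-2021-44228 (duplicate mention) and the bogus
reference CVE-21-1234, which is not a valid identifier and must be ignored.
"""

if __name__ == "__main__":
    for cid in extract_cve_ids(SAMPLE_ADVISORY):
        print(cid)
```

The lower-case mention and the duplicate both collapse to a single canonical CVE-2021-44228, and the malformed reference is dropped rather than mis-parsed.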


Giving a standardized name to each vulnerability makes it easier and faster for security professionals to access information about specific threats across multiple information sources.

Each CVE record also carries a brief description and at least one public reference (an advisory, bug report, or fix), which helps researchers find known cyber threats and attack signatures.

CVE identifiers may be assigned by MITRE, but most are issued by CVE Numbering Authorities (CNAs). An identifier can be requested for any vulnerability; the request goes to the CNA whose scope covers the affected product, and to MITRE when no CNA covers it.

What are CNAs?

CNAs are organizations authorized by the CVE program to assign CVE identifiers to vulnerabilities within their scope and to publish the corresponding records, so that researchers and security vendors can refer to the same identifier in public announcements of new vulnerabilities and exposures.

At the time of writing there were 201 CNAs in 32 countries, including Apple, Linux, Adobe, IBM, and Microsoft.

CNAs include vendors, open-source projects, national and industry CERTs, bug bounty programs, and vulnerability researchers. To become a CNA, an organization must have established vulnerability management practices and a public vulnerability disclosure policy.

CNAs are organized in a hierarchy:

  • Top-Level Root CNAs, at the top of the hierarchy: MITRE for the program as a whole, and CISA for industrial control systems and medical devices;
  • Root CNAs, which recruit, train, and manage the CNAs within a certain scope (a country, an industry, or a large vendor's product portfolio) and can assign identifiers themselves;
  • ordinary CNAs, which assign identifiers for vulnerabilities within their own products or scope.

Most CNAs are vendors such as Apple and Microsoft that disclose vulnerabilities and exposures in their own products. When no CNA's scope covers a vulnerability, a CNA of Last Resort assigns the identifier; MITRE fills that role for the program as a whole. The CERT Coordination Center (CERT/CC) is also a CNA, and in addition coordinates disclosure between researchers and vendors.

What is the CVSS?

Most published CVEs are also given a Common Vulnerability Scoring System (CVSS) score, usually by the NVD or by the CNA that assigned the identifier. The score measures how severe the vulnerability is, not how well documented the report was.

The CVSS looks at a vulnerability's characteristics (how it can be reached, how hard it is to exploit, what privileges and user interaction it needs, and its impact on confidentiality, integrity, and availability) and turns them into a base score from 0.0 to 10.0. The higher the number, the higher the severity; in CVSS v3.x, 0.1 to 3.9 is Low, 4.0 to 6.9 Medium, 7.0 to 8.9 High, and 9.0 to 10.0 Critical. Keep in mind that the base score measures technical severity, not the risk to your particular organization, which also depends on whether the affected system is reachable and what data it holds.


Is CVE a vulnerability database?

No, it isn't. Vulnerability databases include risk, impact, fix, and other technical information in their entries, whereas a CVE record carries only the identifier, a short description, and references.

However, CVE is designed to allow vulnerability databases and other tools to be linked together so that you can access more data. It also enables you to make comparisons between security tools and services. 

If you want to use a full vulnerability database in conjunction with CVE, you can. The most important one is the National Vulnerability Database (NVD), run by NIST, which is built directly on the CVE list.

Although they are two separate programs, every CVE record published by the CVE program also appears in the NVD.

Whenever a CVE record is published, the NVD picks up the identifier, description, and references and enriches them with a CVSS severity score, a CWE weakness classification, and CPE names identifying the affected products, which gives you the more thorough analysis that the CVE record itself does not carry.

Other sources include Vulners, a vulnerability assessment platform that describes itself as the largest correlated database of vulnerabilities and exploits and aggregates more than 70 regularly updated sources.

Meanwhile, VulDB (the Vulnerability Database) documents disclosed security vulnerabilities across IT products, and CVE Details combines NVD data with sources such as the Exploit Database.

Where can I see the CVE list?

CVE is free to use and publicly accessible. Anyone can search, download, copy, redistribute, reference, and analyze the list—as long as they don’t modify any information.

It can be difficult to know which vulnerabilities might affect your organization. After all, the risks to a supplier of cold calling systems are very different from those who handle medical data.

Luckily, there are a number of useful tools that monitor any changes in the CVE list and let you know if you need to address a particular issue. Look out for security tools with CVE compatibility.
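As an added example (written for this edit, not the page's or any vendor's tool), the Python below does the core job such monitoring tools perform: it matches a small software inventory against CVE records with affected version ranges and reports which hosts need patching, routing versions it cannot parse to manual review instead of silently ignoring them. The feed and inventory are constructed; the two identifiers are real, but their version ranges are simplified from the public advisories, and the product keys are an assumed "vendor:product" normalisation rather than official CPE names.

```python
from dataclasses import dataclass


def version_key(version: str) -> tuple:
    """Turn '2.3.32' into (2, 3, 32) so that versions compare numerically.

    Plain string comparison is a classic scanner bug: '2.3.9' > '2.3.31' as
    strings, so a vulnerable 2.3.9 install looks newer than the last affected
    release and is missed. Anything that is not dotted integers (pre-releases,
    distro suffixes) raises ValueError so the caller can flag it for review.
    """
    parts = version.lstrip("v").split(".")
    try:
        return tuple(int(p) for p in parts)
    except ValueError:
        raise ValueError(f"cannot parse version {version!r}") from None


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    product: str       # assumed "vendor:product" key, matched exactly
    affected: tuple    # inclusive (first, last) version ranges
    fixed_in: str


@dataclass(frozen=True)
class Installed:
    host: str
    product: str
    version: str


# Constructed sample feed. The identifiers and products are real; the version
# ranges are simplified from the public advisories (Log4j's range really starts
# at 2.0-beta9, which the numeric parser above cannot express).
RECORDS = [
    CveRecord("CVE-2021-44228", "apache:log4j", (("2.0.0", "2.14.1"),), "2.15.0"),
    CveRecord("CVE-2017-5638", "apache:struts",
              (("2.3.5", "2.3.31"), ("2.5.0", "2.5.10")), "2.3.32 / 2.5.10.1"),
]

# Constructed inventory, shaped like a software asset export.
INVENTORY = [
    Installed("web-01", "apache:log4j", "2.14.1"),       # last affected release
    Installed("web-02", "apache:log4j", "2.17.1"),       # patched
    Installed("app-01", "apache:struts", "2.3.9"),       # affected, but "newer" as a string
    Installed("app-02", "apache:struts", "2.3.32"),      # first fixed 2.3.x release
    Installed("app-03", "apache:struts", "2.5.10-rc1"),  # unparseable: manual review
]


def is_affected(record: CveRecord, version: str) -> bool:
    """True when version falls inside any of the record's inclusive ranges."""
    v = version_key(version)
    return any(version_key(lo) <= v <= version_key(hi) for lo, hi in record.affected)


def naive_is_affected(record: CveRecord, version: str) -> bool:
    """The buggy string-comparison variant, kept only to show the difference."""
    return any(lo <= version <= hi for lo, hi in record.affected)


def match(records, inventory):
    """Return (findings, needs_review).

    findings: (host, cve_id, installed version, fixed_in) per affected install.
    needs_review: (host, cve_id, installed version) where the version is unparseable.
    """
    by_product = {}
    for rec in records:
        by_product.setdefault(rec.product, []).append(rec)
    findings, needs_review = [], []
    for item in inventory:
        for rec in by_product.get(item.product, []):
            try:
                if is_affected(rec, item.version):
                    findings.append((item.host, rec.cve_id, item.version, rec.fixed_in))
            except ValueError:
                needs_review.append((item.host, rec.cve_id, item.version))
    return findings, needs_review


if __name__ == "__main__":
    found, review = match(RECORDS, INVENTORY)
    for host, cve, ver, fix in found:
        print(f"{host}: {cve} affects installed {ver}; upgrade to {fix}")
    for host, cve, ver in review:
        print(f"{host}: could not parse {ver!r} for {cve}; review manually")
```

Two points carry over to real tooling: compare versions as numbers, never as strings, and treat "could not parse" as a finding of its own, because a version scheme the matcher does not understand is exactly where vulnerable installs hide.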


Could hackers use CVE to attack my organization?

Well, yes, technically, they could, and attackers do watch new CVE publications closely. But that is exactly why taking all possible steps to protect your organization is so crucial, and why CVE is helpful.

Because CVE only shares publicly known vulnerabilities and exposures, attackers already have access to the same information (so CVE isn't giving the game away). What publication changes is the race to patch an issue before it is exploited, and the list gives defenders a clear view of what they need to look out for.

By making it easier to share information about vulnerabilities and exposures, the whole community is made safer, and the risk of an attack is reduced.

Overall, most cybersecurity professionals agree that the benefits of CVE outweigh the potential risks.

How does CVE protect my organization against cyber threats?

It’s important to note that CVE does not list every vulnerability and exposure, which would be impossible. But, as we said a moment ago, sharing information between organizations is a great way to increase awareness of potential threats.

The centralized list and CVE identifiers mean researchers can quickly scan for a particular vulnerability or exposure and access information from various sources.

The CVE list is like an early-warning system, helping you to recognize threats and identify weaknesses that could leave your organization open to attack.

CVE also gives you a useful benchmark for assessing your security tooling: a scanner or feed that reports CVE identifiers can be checked for coverage against the public list, and because CVE-compatible tools and services all refer to the same identifiers, you can compare them accurately and choose the most appropriate for your needs.

So, whether you want to check the security of your internal systems or the safety of your client’s payment information, you can protect customers at all stages of the sales funnel.


Jessica Day – Senior Director, Marketing Strategy, Dialpad

Jessica Day is the Senior Director for Marketing Strategy at Dialpad, a modern multi-channel call center platform that takes every kind of conversation to the next level—turning conversations into opportunities. Jessica is an expert in collaborating with multifunctional teams to execute and optimize marketing efforts for company and client campaigns. Here is her LinkedIn.
