Falsehoods People Believe about CVEs
- #vulnerability
- #CVE
- #security
- CVE is often incorrectly used interchangeably with terms like 'vulnerability', 'exploit', and 'security flaw'.
- Many believe a CVE is the same thing as a software vulnerability; it is not, it is the identifier and record for one.
- Not all publicly disclosed vulnerabilities have a CVE assigned to them.
- A CVE being assigned does not necessarily mean a vulnerability exists.
- CVEs can be assigned for trivial issues, not just big, dramatic bugs.
- CVEs have been assigned for hardware vulnerabilities.
- A CVE is not always assigned to a single vulnerability or product.
- The year in a CVE ID does not always indicate the year the CVE was published.
- CVEs do not always include fixes, technical details, or CVSS scores.
- CVEs can be duplicates, withdrawn, or disputed.
- The number of CVEs a product has does not directly indicate its security level.
- CVE assignment is not always quick or guaranteed, even for vulnerabilities discussed at conferences.
- CVEs are not always assigned with agreement from both vendors and researchers.
- The CVE system is not free from politics or human error.
- CVE is not a government program or exclusive to the USA.
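Several of the points above (the ID syntax, the year in the ID, rejected and disputed records) bite when a triage script consumes CVE data. The following Python example is added here and is not from the original post; the records are constructed, and the `state`/`tags` field names are assumptions loosely modelled on CVE JSON records.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# CVE ID syntax: CVE-YYYY-NNNN with four OR MORE sequence digits, so a
# parser must not assume exactly four (CVE-2023-99999 is valid).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    state: str                      # assumed values: PUBLISHED, REJECTED, RESERVED
    published: Optional[date] = None
    tags: Tuple[str, ...] = ()      # e.g. ("disputed",)


def parse_cve_id(raw: str) -> Tuple[int, int]:
    """Return (year, sequence). The year is when the ID was reserved,
    not when the record was published; never treat it as a date."""
    m = CVE_ID_RE.match(raw.strip().upper())
    if not m:
        raise ValueError(f"not a valid CVE ID: {raw!r}")
    return int(m.group(1)), int(m.group(2))


def id_year_mismatches(records: List[CveRecord]) -> List[str]:
    """IDs whose reservation year differs from the publication year."""
    return [r.cve_id for r in records
            if r.published and parse_cve_id(r.cve_id)[0] != r.published.year]


def actionable(records: List[CveRecord]) -> List[Tuple[str, bool]]:
    """Published records worth triaging, each with a 'disputed' flag.
    REJECTED records (withdrawn or duplicates) are dropped; RESERVED ones
    carry no public content yet."""
    return [(r.cve_id, "disputed" in r.tags)
            for r in records if r.state == "PUBLISHED"]


# Constructed sample records; IDs and dates are made up for the demo.
SAMPLE = [
    CveRecord("CVE-2021-0001", "PUBLISHED", date(2023, 3, 1)),
    CveRecord("CVE-2022-1234", "REJECTED"),
    CveRecord("CVE-2023-99999", "PUBLISHED", date(2023, 8, 15), ("disputed",)),
    CveRecord("CVE-2024-0002", "RESERVED"),
]
```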