1. The National Institute of Standards and Technology (NIST) in their NISTIR 8138 draft document defines a vulnerability as “any weakness in the computational logic found in products or devices that could be exploited by a threat source.”
2. The Open Web Application Security Project (OWASP) defines a vulnerability as follows: “A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application. Stakeholders include the application owner, application users, and other entities that rely on the application.”
3. The Common Vulnerabilities and Exposures List (CVE®) defines a vulnerability in general as “a weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, OR availability.”
We will focus our discussion on introducing the CVE organization and its definition of “vulnerability.”
CVE is a cybersecurity database that collects and stores all types of cybersecurity vulnerabilities and exposures, giving each a serial number and making them publicly available for research and analysis. CVE is maintained by the MITRE Corporation’s U.S. National Cybersecurity Federally Funded Research and Development Center (FFRDC) and at present is the leading global database of vulnerabilities approved by the cybersecurity industry and corporate world.
Anytime a product, hardware or software, needs to be tested for security vulnerabilities, it is checked using the CVE website. When white-hat hackers or researchers discover vulnerabilities, they submit them to CVE, which then announces them to the world with the goal of making users aware of the situation and pushing manufacturers to put their corporate responsibility into practice by developing a fix for the vulnerability.
An example of this process is when Google disclosed a vulnerability in Microsoft's Internet Explorer and Edge web browsers. In that incident, Google’s team of security analysts, codenamed Project Zero, exposed a vulnerability in both 32-bit and 64-bit versions of IE as well as Edge that could lead to crashes in the browser along with remote attacks and/or take-over of the system’s hardware. Initially, Project Zero revealed the vulnerability directly to Microsoft, giving the company 90 days to develop a patch to address the issue, but after Microsoft was unable to come up with a fix in the given amount of time, Google revealed the bug to the public. The vulnerability itself was a so-called “type confusion flaw” that occurs in the HandleColumnBreakOnColumnSpanningElement parameter, and was eventually given the CVE serial number CVE-2017-0037.
The current version of CVSS (CVSSv3.1) was released in June 2019.