A vulnerability is a weakness in an information system, in system security procedures, in internal controls, or in an implementation that could be exploited or triggered by a threat source. "Weakness" is synonymous with "deficiency"; a weakness may give rise to security risks, privacy risks, or both.
In cybersecurity terms, a vulnerability is a security exposure in an operating system, in system software, or in an application software component. Any such vulnerability, if exploited, can compromise the system or the network it sits on.
There are multiple publicly accessible vulnerability databases, some of them indexed by the version numbers of the affected software. Common Vulnerabilities and Exposures (CVE), operated by The MITRE Corporation, is the most widely used scheme for enumerating publicly known information security vulnerabilities.
Each CVE identifier (of the form CVE-year-sequence number) gives one vulnerability a unique, citable name; it says nothing about how severe the vulnerability is. Severity is expressed separately with the Common Vulnerability Scoring System (CVSS), an open industry standard owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization.
CVSS 3.1 rates the severity of a vulnerability from three groups of metrics:
Base metrics, which describe the intrinsic qualities of the vulnerability and do not change over time or across environments. They comprise the exploitability metrics (Attack Vector, Attack Complexity, Privileges Required, and User Interaction), Scope (whether a successful exploit affects resources beyond the vulnerable component's own security authority), and the impact metrics (Confidentiality, Integrity, and Availability).
Temporal metrics (exploit code maturity, remediation level, and report confidence), which capture how the threat changes over time, for example once a public exploit or a vendor patch appears.
Environmental metrics (modified base metrics and the confidentiality, integrity, and availability requirements), which let an organization adjust the score to its own deployment and to how much it values each security property.
A flaw may result from poor design or from implementation mistakes, and it produces unintended functionality.
The Common Weakness Enumeration (CWE) is a list of software and hardware weakness types that have security ramifications; a CVE entry records a specific vulnerability, whereas a CWE entry names the underlying class of flaw it belongs to. Weaknesses are scored with the Common Weakness Scoring System (CWSS™), whose metrics fall into Base Finding, Attack Surface, and Environmental groups, and prioritized for a particular business context with the Common Weakness Risk Analysis Framework (CWRAF™). An attacker may exploit vulnerabilities, weaknesses, or user errors individually, or chain them together, to carry out an attack. These scores help incident response teams and security professionals judge how serious a vulnerability is and how best to address it.
The Sarbanes-Oxley Act (SOX) is a U.S. federal law designed to improve financial transparency and accountability at U.S. public companies. Its enactment in 2002 was prompted by several well-publicized accounting scandals, and it established a number of standards that public companies must follow.