Fluid Attacks is among the cybersecurity companies that base their findings and reports on CVE identifiers and keep them up to date. Thus, you can conveniently link the information we provide with many other CVE-compatible sources for the benefit of your company’s security. Additionally, Fluid Attacks' red team, with its skillful ethical hackers dedicated to discovering zero-day vulnerabilities, is currently part of the CVE community that feeds the CVE List.
What is CVE?
CVE (Common Vulnerabilities and Exposures) is a free-to-use list of publicly known cybersecurity vulnerabilities. It was established in 1999 as an international dictionary with standardized identifiers for vulnerabilities: each record has an identification number, a description and public references. This project’s main objectives were to reduce the inconsistency between cybersecurity databases and tools (there was not much agreement on identifying security issues) and to facilitate data sharing. Nowadays, CVE is incorporated into many products and services worldwide, and ensures certainty among stakeholders when communicating about vulnerabilities. It also provides a useful baseline for evaluating and comparing tools and services, especially with regard to their coverage.
The U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) sponsors CVE. The American not-for-profit organization MITRE, for its part, copyrighted the CVE List to keep it a free and open standard and legally protect its use. CVE is not a vulnerability database but feeds the NVD (also sponsored by CISA) and other databases with data on all CVE Records. The IDs of these records look like this one: CVE-2020-29659 (a vulnerability discovered by the Fluid Attacks team in 2020). The information in their descriptions may include some of these details: affected product/service, versions and vendors, the type of vulnerability, its impact and the code or inputs involved.
As a standard method for identifying vulnerabilities and exposures, CVE does not delve into technical aspects and leaves them to the databases, which provide extended information for every CVE Record. CVE thus serves as the common key that connects diverse cybersecurity tools, services and databases. So, when your company, for example, hires a security testing service and receives vulnerability reports with CVE Records, you can then access information in other tools, services or databases (compatible with CVE) to better understand and remediate the security issues.
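As an added illustration of that cross-referencing step (example code written for this page, not Fluid Attacks' tooling), the sketch below pulls CVE IDs out of a report, validates their syntax, and builds lookup links on the public record pages of cve.org and NVD. The report text is constructed, and every ID in it other than CVE-2020-29659 is a placeholder.

```python
import re

# CVE ID syntax: "CVE-" + four-digit year + "-" + a sequence of four or more digits.
# The lookarounds stop matches inside longer tokens such as "XCVE-..." or a cut-off number.
CVE_RE = re.compile(r"(?<![A-Za-z0-9])CVE-(\d{4})-(\d{4,})(?![0-9])", re.IGNORECASE)
FIRST_YEAR = 1999  # the CVE List was established in 1999

# Record pages of two CVE-compatible sources, keyed by a short name.
SOURCES = {
    "cve.org": "https://www.cve.org/CVERecord?id={id}",
    "nvd": "https://nvd.nist.gov/vuln/detail/{id}",
}


def extract_cve_ids(text):
    """Return unique, upper-cased CVE IDs in order of first appearance."""
    found = []
    for match in CVE_RE.finditer(text):
        year, sequence = int(match.group(1)), match.group(2)
        if year < FIRST_YEAR:
            continue  # syntactically valid but predates the list
        cve_id = f"CVE-{year}-{sequence}"
        if cve_id not in found:
            found.append(cve_id)
    return found


def cross_reference(text):
    """Map each CVE ID found in text to its lookup URL in every source."""
    return {
        cve_id: {name: url.format(id=cve_id) for name, url in SOURCES.items()}
        for cve_id in extract_cve_ids(text)
    }


# Constructed report excerpt; only CVE-2020-29659 comes from the page.
REPORT = """Finding 1: tracked as CVE-2020-29659.
Finding 2: see cve-2021-1234567 (placeholder ID, long sequence number).
Finding 3: duplicate of CVE-2020-29659.
Noise: CVE-2020-123 (too few digits), CVE-1998-0001 (predates the list)."""

if __name__ == "__main__":
    for cve_id, links in cross_reference(REPORT).items():
        print(cve_id)
        for name, url in links.items():
            print(f"  {name}: {url}")
```

Normalizing case and deduplicating before the lookup keeps one remediation ticket per vulnerability even when a report cites the same record several times.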