Understanding Software Vulnerabilities
Vulnerabilities are flaws in software or systems that attackers can exploit to compromise confidentiality, integrity, or availability. Knowing how they are discovered, cataloged, and scored helps you prioritize remediation.
What You'll Learn
- How vulnerabilities move from discovery to public disclosure
- How CVE identifiers and CVSS scores describe weaknesses
- What to consider when you prioritize fixes
1. Overview
Vulnerabilities emerge through research, testing, and real-world incidents. Security teams use standardized identifiers and scoring to communicate risk and coordinate fixes across vendors and customers.
2. Discovery and Disclosure
- Discovery: Issues surface via security research, bug bounty submissions, internal testing, or incident response.
- Coordinated disclosure: Researchers notify the vendor privately, the vendor confirms the issue and develops a fix, and details are published alongside the patch, usually under an agreed deadline so that an unresponsive vendor does not leave users exposed indefinitely.
- Tracking: Eligible issues receive CVE identifiers to keep references consistent across tools and advisories.
3. CVE Basics
- CVE provides a unique ID (CVE-YYYY-NNNN, where the sequence part has four or more digits), a short description, and references for each tracked vulnerability.
- CVE Numbering Authorities (vendors, research organizations, CERTs) assign IDs and publish records to the CVE List.
- Records list affected products and version ranges and classify the weakness (commonly by CWE) so that scanners, advisories, and trackers all refer to the same issue.
4. CVSS Scoring
- CVSS rates severity from 0.0 to 10.0. The v3.1 base score is computed from attack vector, attack complexity, privileges required, user interaction, scope, and the confidentiality, integrity, and availability impacts; the vector string (for example CVSS:3.1/AV:N/AC:L/...) is published with the number so anyone can recompute it.
- Severity bands: Critical (9.0–10.0), High (7.0–8.9), Medium (4.0–6.9), Low (0.1–3.9), None (0.0).
- The base score describes the flaw in isolation: it says nothing about whether exploitation is actually happening or what the affected asset is worth to you, so combine it with threat intelligence (known-exploited lists, public exploit code) and asset criticality rather than patching strictly by number.
5. Vulnerability Types
- Code flaws: Buffer overflows, injection issues, logic errors, cryptographic weaknesses.
- Configuration issues: Default credentials, excessive permissions, unnecessary services, disabled controls.
- Dependency risks: Outdated or compromised third-party components and transitive dependencies.
- Infrastructure weaknesses: OS, network protocol, firmware, or hypervisor flaws.
6. Assessing Risk
- Prioritize using severity, exploit availability, and how exposed the asset is (internet-facing vs. internal).
- Factor in business criticality and compensating controls to adjust urgency.
- Re-scan and report regularly to confirm remediation and track program trends.
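To make the prioritization steps above concrete, here is an added example that is not part of the original page: it ranks a constructed list of scanner findings by CVSS score adjusted for exposure, exploit status, asset criticality and compensating controls, assigns a remediation window, and diffs two scan snapshots to confirm what was fixed. The multipliers, the window lengths, the field names and the CVE IDs in the sample data are all assumptions made for illustration; the IDs are placeholders, not real records.

```python
"""Risk-based prioritization of scanner findings.

Added example (not code from the page). Combines the CVSS base score with
exploit status, exposure, asset criticality and compensating controls into a
single ranking, then diffs two scan snapshots to track remediation.
The weights and deadlines below are illustrative assumptions, not a standard.
"""
import re

# A CVE ID is CVE-<4-digit year>-<4 or more digit sequence number>.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Assumed multipliers applied to the CVSS base score.
EXPOSURE = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}
EXPLOIT = {"exploited_in_wild": 1.5, "public_exploit": 1.25, "none": 1.0}
CRITICALITY = {"critical": 1.3, "high": 1.1, "normal": 1.0, "low": 0.8}
CONTROL_FACTOR = 0.85  # each compensating control (WAF rule, ACL, ...) trims 15%


def is_cve_id(value):
    return bool(CVE_ID.match(value))


def risk_score(finding):
    """Contextual risk on a 0-10 scale; rejects malformed input instead of guessing."""
    if not is_cve_id(finding["cve"]):
        raise ValueError("malformed CVE ID: %r" % finding["cve"])
    cvss = float(finding["cvss"])
    if not 0.0 <= cvss <= 10.0:
        raise ValueError("CVSS score out of range: %r" % cvss)
    score = (cvss
             * EXPOSURE[finding["exposure"]]
             * EXPLOIT[finding["exploit"]]
             * CRITICALITY[finding["criticality"]])
    score *= CONTROL_FACTOR ** len(finding.get("controls", []))
    return round(min(score, 10.0), 1)


def remediation_window_days(score):
    """Assumed fix deadlines by contextual risk (illustrative values)."""
    if score >= 9.0:
        return 7
    if score >= 7.0:
        return 30
    if score >= 4.0:
        return 90
    return 180


def prioritize(findings):
    """Return findings most urgent first, annotated with risk and deadline."""
    ranked = []
    for f in findings:
        score = risk_score(f)
        ranked.append(dict(f, risk=score, window_days=remediation_window_days(score)))
    return sorted(ranked, key=lambda f: f["risk"], reverse=True)


def compare_scans(previous, current):
    """Diff two scan snapshots keyed on (asset, cve): what was fixed, what is new,
    what is still open. Feed the 'persisting' set back into the next report."""
    def key(f):
        return (f["asset"], f["cve"])
    prev = {key(f) for f in previous}
    cur = {key(f) for f in current}
    return {
        "remediated": sorted(prev - cur),
        "new": sorted(cur - prev),
        "persisting": sorted(prev & cur),
    }


# Constructed sample findings; CVE IDs are placeholders, not real records.
FINDINGS = [
    {"asset": "db01", "cve": "CVE-0001-0001", "cvss": 9.8, "exposure": "internal",
     "exploit": "none", "criticality": "normal", "controls": []},
    {"asset": "web01", "cve": "CVE-0001-0002", "cvss": 7.5, "exposure": "internet",
     "exploit": "exploited_in_wild", "criticality": "high", "controls": []},
    {"asset": "web02", "cve": "CVE-0001-0003", "cvss": 6.5, "exposure": "internet",
     "exploit": "public_exploit", "criticality": "normal", "controls": ["waf_rule"]},
    {"asset": "lab07", "cve": "CVE-0001-0004", "cvss": 4.3, "exposure": "isolated",
     "exploit": "none", "criticality": "low", "controls": []},
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{f['asset']:6} {f['cve']:14} base={f['cvss']:<4} "
              f"risk={f['risk']:<4} fix within {f['window_days']} days")
    # Pretend the next scan no longer sees web01 and lab07.
    print(compare_scans(FINDINGS, [FINDINGS[0], FINDINGS[2]]))
```

The point of the sample data is the reordering: the internal 9.8 with no known exploit lands below the internet-facing 7.5 that is being exploited in the wild, which is the outcome a CVSS-only sort would never produce. The multipliers are deliberately simple; a real program would pull the exploit field from a known-exploited catalog or threat-intel feed and the exposure and criticality fields from asset inventory rather than from the scanner.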
