
It is easy to feel overwhelmed when you first start managing vulnerabilities and deploying patches. The field is vast, and the terminology alone is enough to intimidate even the bravest of beginners. Here’s a brief overview to help you get started.
Vulnerability Stakeholders
Let’s start by identifying who the stakeholders are. Understanding each party’s interests is essential to grasping the essence of the standards.
We can divide the stakeholders into several non-exclusive categories:
- Vulnerability discoverers,
- Software (and hardware) vendors,
- Users and their IT teams,
- Incident response teams,
- Intermediaries.
These different stakeholders need to coordinate. The discoverer of a vulnerability needs to report it, and vendors and users need to be aware of it in order to fix it.
This is why several coordination initiatives have emerged, driven by intermediaries such as industry associations that provide shared tools. These tools have since established themselves as de facto standards.
Common Vulnerabilities and Exposures
This is the reference database.
The CVE program maintains a vulnerability database populated by CVE Numbering Authorities (CNAs). CNAs can be all kinds of organizations, such as software vendors or national entities. They are the ones who report the existence of a vulnerability to the community through the program.
The database itself is maintained by MITRE (an American nonprofit organization) with funding from the U.S. government.
Website: https://www.cve.org
National Vulnerability Database
The NVD is often mentioned in vulnerability-related news. So much so that it is sometimes confused with the CVE program.
Its purpose is to provide an authoritative database for U.S. organizations. It is maintained by the U.S. National Institute of Standards and Technology (NIST).
It is a valuable resource because it supplements the information found in CVE records. However, the dedicated team is finding it increasingly difficult to keep up with the pace at which new CVEs are published.
Website: https://nvd.nist.gov
Common Vulnerability Scoring System
A CVE entry is a report on a vulnerability. However, it is often written in technical terms that make it difficult to fully grasp the implications.
CVSS provides an assessment of a vulnerability’s severity in the form of a score ranging from 0.0 to 10.0 (low severity to high severity). It takes into account numerous factors across three metric groups:
- The base metric,
- The temporal metric,
- The environmental metric.
The first evaluates the intrinsic severity of the vulnerability: the purely technical aspect. The second evaluates severity in light of what is happening in the field, such as the active exploitation of the vulnerability by malicious actors. The final metric allows everyone to take their own environment into account.
Temporal and environmental metrics are generally quite complex to maintain. CVE records usually contain only the base score. Unfortunately, this is insufficient for most use cases.
At Sentibee, we go beyond the severity score to provide the actual vulnerability remediation priority. We take into account all the factors with our experience in incident response.
CVSS is a tool maintained by FIRST, a consortium of incident response teams.
Exploit Prediction Scoring System
The EPSS is another tool developed by FIRST. It assesses the likelihood that a vulnerability will be exploited within the next 30 days. A score close to 1 indicates that a vulnerability is attracting significant attention from malicious actors!
Unlike CVSS, the EPSS is a highly dynamic score that can change several times a day. It allows for a more in-depth assessment of a patch’s priority beyond the vulnerability’s intrinsic severity.
Their website publishes clear summaries of how the model works. Those summaries also make it plain that not all vulnerabilities are created equal.
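To make the combination of the two scores concrete, here is an added example (not code from Sentibee, FIRST or the original post) that ranks a handful of constructed findings by combining the CVSS base score with the EPSS probability and a crude stand-in for the environmental metric. The thresholds, the tiering rule and the CVE identifiers are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Hypothetical thresholds (assumptions, not FIRST or Sentibee guidance).
CVSS_HIGH = 7.0      # CVSS base score at or above this counts as "high severity"
EPSS_ACTIVE = 0.10   # EPSS probability at or above this counts as "likely exploited soon"

@dataclass
class Finding:
    cve_id: str            # CVE identifier; the sample values below are constructed
    cvss_base: float       # CVSS base score, 0.0 to 10.0 (what a CVE record usually carries)
    epss: float            # EPSS probability of exploitation within 30 days, 0.0 to 1.0
    internet_facing: bool  # simple stand-in for the environmental metric group

def tier(f: Finding) -> int:
    """Lower tier number means patch sooner.
    Tier 1: severe and likely exploited; tier 2: one of the two; tier 3: neither.
    Internet exposure moves a finding up one tier, mirroring what the
    environmental metric is meant to capture."""
    severe = f.cvss_base >= CVSS_HIGH
    likely = f.epss >= EPSS_ACTIVE
    t = 1 if (severe and likely) else 2 if (severe or likely) else 3
    if f.internet_facing and t > 1:
        t -= 1
    return t

def prioritize(findings: list[Finding]) -> list[str]:
    """Return CVE ids in remediation order: by tier, then EPSS, then CVSS."""
    ordered = sorted(findings, key=lambda f: (tier(f), -f.epss, -f.cvss_base))
    return [f.cve_id for f in ordered]

# Constructed sample findings; the ids and scores are made up for illustration.
SAMPLE = [
    Finding("CVE-0000-0001", cvss_base=9.8, epss=0.02, internet_facing=False),
    Finding("CVE-0000-0002", cvss_base=5.3, epss=0.65, internet_facing=False),
    Finding("CVE-0000-0003", cvss_base=7.5, epss=0.40, internet_facing=False),
    Finding("CVE-0000-0004", cvss_base=4.0, epss=0.01, internet_facing=True),
    Finding("CVE-0000-0005", cvss_base=5.3, epss=0.65, internet_facing=True),
]

if __name__ == "__main__":
    for cve in prioritize(SAMPLE):
        print(cve, tier(next(f for f in SAMPLE if f.cve_id == cve)))
```

Note how the 9.8 base score alone does not put a finding at the top of the list once exploitation likelihood and exposure are taken into account.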
Conclusion
We’ve only scratched the surface of all the tools at our disposal for assessing vulnerabilities that come through our monitoring process.
At Sentibee, we use all these tools and combine them to distill the data into clear, resolution-focused insights tailored to your specific environment.
Even though these acronyms aren’t really all that mysterious, using them effectively is a skill in itself!