What's the Difference Between CVE and CVSS?

If you’re involved in any way with your organization’s vulnerability management program, chances are you’ve encountered the terms CVE, CVSS, and NVD. Each of these are different, and each has a role in vulnerability assessment and management.

Defining CVSS, CVE and NVD

  • CVSS – The Common Vulnerability Scoring System (CVSS) is a system widely used in vulnerability management programs. CVSS indicates the severity of an information security vulnerability, and is an integral component of many vulnerability scanning tools.
  • CVE – Common Vulnerabilities and Exposures (CVE) is a list of publicly disclosed vulnerabilities and exposures that is maintained by MITRE.
  • NVD – The National Vulnerability Database (NVD) is a database, maintained by NIST, that is fully synchronized with the MITRE CVE list.

Differences between CVSS and CVE

CVSS is the overall score assigned to a vulnerability. CVE is simply a list of all publicly disclosed vulnerabilities that includes the CVE ID, a description, dates, and comments. The CVSS score is not reported in the CVE listing – you must use the NVD to find assigned CVSS scores.

Differences between CVE and NVD

The CVE list feeds into the NVD, so both are synchronized at all times. The NVD provides enhanced information above and beyond what’s in the CVE list, including patch availability and severity scores. NVD also provides an easier mechanism to search on a wide range of variables. Both CVE and NVD are sponsored by the US Federal Government and are available for free use by anyone.

The CVSS score consists of three components – Base Metrics, Temporal Metrics, and Environmental Metrics. The NVD database includes all disclosed vulnerabilities, and includes a corresponding CVSS score. This score is typically comprised of Base Metrics only. Displayed only as the CVSS score, the fact that the reported number comprises only one of three CVSS metric groups can be misleading.

Recommended Resources

Cyber Risk Quantification: A CISO Executive Guide
How to Calculate your Enterprise’s Breach Risk
9 Slides Every CISO Must Use in Their Board Presentation
9 Slides Every CISO Must Use in Their 2024 Board Presentation
Oerlikon case study
Case Study
Oerlikon Reduces Patch Time and Improves Management-Level Cyber Risk Visibility