If you’re involved in any way with your organization’s vulnerability management program, chances are you’ve encountered the terms CVE, CVSS, and NVD. Each of these are different, and each has a role in vulnerability assessment and management.
Defining CVSS, CVE and NVD
- CVSS – The Common Vulnerability Scoring System (CVSS) is a system widely used in vulnerability management programs. CVSS indicates the severity of an information security vulnerability, and is an integral component of many vulnerability scanning tools.
- CVE – Common Vulnerabilities and Exposures (CVE) is a list of publicly disclosed vulnerabilities and exposures that is maintained by MITRE.
- NVD – The National Vulnerability Database (NVD) is a database, maintained by NIST, that is fully synchronized with the MITRE CVE list.
Differences between CVSS and CVE
CVSS is the overall score assigned to a vulnerability. CVE is simply a list of all publicly disclosed vulnerabilities that includes the CVE ID, a description, dates, and comments. The CVSS score is not reported in the CVE listing – you must use the NVD to find assigned CVSS scores.
Differences between CVE and NVD
The CVE list feeds into the NVD, so both are synchronized at all times. The NVD provides enhanced information above and beyond what’s in the CVE list, including patch availability and severity scores. NVD also provides an easier mechanism to search on a wide range of variables. Both CVE and NVD are sponsored by the US Federal Government and are available for free use by anyone.
The CVSS score consists of three components – Base Metrics, Temporal Metrics, and Environmental Metrics. The NVD database includes all disclosed vulnerabilities, and includes a corresponding CVSS score. This score is typically comprised of Base Metrics only. Displayed only as the CVSS score, the fact that the reported number comprises only one of three CVSS metric groups can be misleading.