Vulnerability (computer security)
==Assessment, disclosure, and inventory==

===Assessment===
A commonly used scale for assessing the severity of vulnerabilities is the open-source specification [[Common Vulnerability Scoring System]] (CVSS). CVSS evaluates the possibility of exploiting the vulnerability and compromising data confidentiality, availability, and integrity. It also considers how the vulnerability could be used and how complex an exploit would need to be. The amount of access needed for exploitation and whether it could take place without user interaction are also factored into the overall score.{{sfn|Strout|2023|pp=5-6}}{{sfn|Haber|Hibbert|2018|pp=73-74}}

===Disclosure===
Someone who discovers a vulnerability may disclose it immediately ([[Full disclosure (computer security)|full disclosure]]) or wait until a patch has been developed ([[Coordinated vulnerability disclosure|responsible disclosure]], or coordinated disclosure). The former approach is praised for its transparency, but the drawback is that the risk of attack is likely to be increased after disclosure with no patch available.<ref>{{cite web |title=Ask an Ethicist: Vulnerability Disclosure |url=https://ethics.acm.org/integrity-project/ask-an-ethicist/ask-an-ethicist-vulnerability-disclosure/ |website=[[Association for Computing Machinery]]'s Committee on Professional Ethics |access-date=3 May 2024 |date=17 July 2018}}</ref> Some vendors pay [[bug bounty|bug bounties]] to those who report vulnerabilities to them.{{sfn|O'Harrow|2013|p=18}}{{sfn|Libicki|Ablon|Webb|2015|p=45}} Not all companies respond positively to disclosures, as they can cause legal liability and operational overhead.{{sfn|Strout|2023|p=36}} There is no law requiring disclosure of vulnerabilities.{{sfn|Haber|Hibbert|2018|p=110}} If a vulnerability is discovered by a third party that does not disclose it to the vendor or the public, it is called a [[zero-day vulnerability]], often considered the most dangerous type because fewer defenses exist.{{sfn|Strout|2023|p=22}}

===Vulnerability inventory===
The most commonly used vulnerability dataset is [[Common Vulnerabilities and Exposures]] (CVE), maintained by [[Mitre Corporation]].{{sfn|Strout|2023|p=6}} {{As of|November 2024}}, it has over 240,000 entries.<ref name="Metrics"/> This information is shared with other databases, including the United States' [[National Vulnerability Database]],{{sfn|Strout|2023|p=6}} where each vulnerability is given a risk score using the [[Common Vulnerability Scoring System]] (CVSS), the [[Common Platform Enumeration]] (CPE) scheme, and the [[Common Weakness Enumeration]] (CWE).{{cn|date=May 2024}} CVE and other databases typically do not track vulnerabilities in [[software as a service]] products.{{sfn|Strout|2023|p=8}} Submitting a CVE is voluntary for companies that discover a vulnerability.{{sfn|Haber|Hibbert|2018|p=110}}