CVE
Also known as: Common Vulnerabilities and Exposures
Facts (17)
Sources
A Mixed-Methods Study of Open-Source Software Maintainers On ... arxiv.org Feb 3, 2025 10 facts
reference: GitHub's private vulnerability reporting feature allows contributors to report vulnerabilities privately within the platform, enabling maintainers to review reports, update severity, invite others to develop fixes, and decide whether to request a CVE.
claim: Open-source software maintainers use various mediums to notify the community about the need to upgrade, including mailing lists, backchannels, GitHub security advisories, and requesting a CVE.
claim: Prominent vulnerability management challenges faced by OSS project maintainers include negative CVE relationships and vulnerability scoring, which may lead to the undermining or misreporting of critical vulnerabilities and the pollution of the software supply chain with inconsistencies.
claim: OSS maintainers avoid adopting PSFs due to fear of negative project reputation, particularly if their project has a history of high or critical CVE-assigned vulnerabilities.
claim: Open-source software maintainers report difficulty calculating or adjusting CVSS scores for reported vulnerabilities, with some participants perceiving CVE scores as inflated.
account: Open Source Software (OSS) maintainers report experiences where software fixes are put on hold due to pending Common Vulnerabilities and Exposures (CVE) processes, or feelings of intimidation regarding the nature of CVEs.
claim: Some maintainers believe that creating a CVE is sufficient to ensure visibility of vulnerabilities to users and dependents.
claim: Open Source Software maintainers often report negative relationships with the Common Vulnerabilities and Exposures (CVE) process as a challenge in vulnerability management.
quote: “I’m incentivized to lie to make the CVE [severity] lower because it makes my project look bad, you have to be really, really honest […] I noticed a lot of people like downgrade their CVEs.”
claim: General vulnerability management challenges faced by OSS maintainers include trusting the software supply chain, lack of time and resources, and issues with Common Vulnerabilities and Exposures (CVEs).
bureado/awesome-software-supply-chain-security - GitHub github.com 5 facts
claim: The toolswatch/vFeed tool provides a correlated CVE vulnerability and threat intelligence database API.
claim: The Exein-io/kepler tool provides a NIST-based CVE lookup store and API implemented in the Rust programming language.
reference: Frederick Kautz authored the article 'VEX! or... How to Reduce CVE Noise With One Simple Trick!', which discusses using VEX to reduce noise from Common Vulnerabilities and Exposures (CVE) reports.
reference: The 'victims/victims-cve-db' repository serves as a database for Common Vulnerabilities and Exposures (CVEs).
claim: CyCognito has adopted the practice of mapping MITRE ATT&CK techniques to Common Vulnerabilities and Exposures (CVE) identifiers to assess impact.
Cybersecurity Trends and Predictions 2025 From Industry Insiders itprotoday.com 1 fact
measurement: The year 2024 experienced record growth in vulnerabilities and Common Vulnerabilities and Exposures (CVEs).
State of the Software Supply Chain Report | 10 Year Look - Sonatype sonatype.com 1 fact
claim: The growth of CVE (Common Vulnerabilities and Exposures) reports has shown a massive uptrend beginning in 2016, which correlates directly with the increased mean time to remediate (MTTR) observed in the software supply chain.