One critical aspect of the conversation about application security and vulnerability management is the method by which vulnerabilities are categorized and scored. This is an important aspect of the push for software transparency and, more important, software security. Without understanding what software vulnerabilities are present and the way those vulnerabilities are scored, it is difficult for organizations to prioritize vulnerabilities for remediation. Software producers can prioritize vulnerabilities for remediation to reduce risk to their customers and inform their customers about the severity and exploitability of vulnerabilities in their products. Software consumers can understand the inherent risk of the software they are using and make risk-informed decisions about its consumption and use. So, first let's look at some of the common terms associated with software vulnerabilities.

Common Vulnerabilities and Exposures

Common Vulnerabilities and Exposures (CVE) is oriented around a program with the goal of identifying, defining, and cataloging publicly disclosed cybersecurity vulnerabilities impacting software or hardware. As an organization, CVE involves participation from international researchers and organizations who serve as partners to help discover and publish vulnerabilities, including descriptions of the vulnerabilities in a standardized format.

Origins of the CVE Program and concept can be traced back ...