Understanding security terminology is essential for effectively managing vulnerabilities in your software. This guide explains common terms used in vulnerability databases and security advisories.
Vulnerability: A weakness in a system, application, or protocol that a threat actor can exploit to perform unauthorized actions. Vulnerabilities can exist in source code, in configuration, or in design decisions, and a single weakness type (see CWE below) can give rise to many distinct vulnerabilities.
Security advisory: An official notice published by a vendor, security researcher, or coordinating body that describes a security vulnerability, its impact, the affected versions, and the recommended remediation steps. Advisories are the primary input to vulnerability databases, which normalize them and attach identifiers such as CVE or GHSA IDs.
CVSS (Common Vulnerability Scoring System): A standardized framework for rating the severity of security vulnerabilities on a scale of 0.0 to 10.0. The base score is computed from exploitability metrics (attack vector, attack complexity, privileges required, user interaction) and impact metrics (confidentiality, integrity, availability); in v3.x the scope metric records whether a successful exploit affects components beyond the vulnerable one. CVSS measures technical severity, not the likelihood of exploitation or the risk to a particular deployment; temporal and environmental metrics (threat and environmental in v4.0) adjust the base score for that context.
Exploit: Code or a technique that takes advantage of a vulnerability to cause unintended behavior, such as gaining unauthorized access, executing arbitrary code, or causing a denial of service. A proof-of-concept (PoC) demonstrates that the flaw is reachable; a weaponized exploit reliably delivers a payload against real targets.
Patch: A software update that fixes one or more vulnerabilities. Patches may ship with regular releases or as emergency out-of-band releases for critical vulnerabilities. Because vendors often backport a fix to older supported branches, the version that fixes an issue can differ from one release line to another, which is why advisories list fixed versions per range rather than a single number.
Zero-day: A vulnerability that the vendor does not yet know about, or knows about but has not yet patched, at the time it is discovered or exploited. The term refers to the vendor having had "zero days" to fix the issue. A zero-day exploit is an exploit for such a vulnerability; "exploited in the wild" is the separate, stronger claim that attackers are actually using it.
Severity: A classification of how serious a vulnerability is, typically derived from the CVSS base score. The CVSS v3.x qualitative scale is None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0); CVSS v2 used only Low (0.0-3.9), Medium (4.0-6.9), and High (7.0-10.0). A vendor or database may assign its own severity that differs from the CVSS-derived one, and severity alone is not a prioritization signal: a Medium that is being exploited in the wild usually deserves attention before an unexploited Critical.
Ecosystem: A package management system or platform through which software dependencies are distributed, such as npm, PyPI, Maven, Go modules, RubyGems, or crates.io. Each ecosystem has its own registry, naming conventions, and versioning scheme, so the same vulnerable library may be named and versioned differently in each, and a version comparison that is correct in one ecosystem can be wrong in another.
Package: A specific software package or library that contains a vulnerability. Advisories typically list, per package, the affected version ranges and the versions that fix the issue. Whether an installed version is affected is determined by comparing it against those ranges under the ecosystem's own versioning rules; pre-release builds and backported fixes are the usual sources of mistakes.
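The package entry above says that advisories list affected ranges and fixed versions per package, and the ecosystem entry that comparison must follow the ecosystem's versioning rules. The following added example (not from the original page) shows how that check is done for an advisory expressed in the OSV schema, the machine-readable format used by the OSV database listed below: each `introduced` event opens an interval that the next `fixed` (exclusive) or `last_affected` (inclusive) event closes. The advisory, package name and identifier are constructed for illustration and do not describe a real vulnerability; the SemVer comparison simplifies pre-release ordering, as noted in the code.

```python
"""Check an installed version against OSV-schema affected ranges.

Added example. ADVISORY below is constructed for illustration in the shape
of the OSV schema; 'EXAMPLE-0001' and 'example-lib' are placeholders, not a
real advisory or package.
"""
import re

ADVISORY = {
    "id": "EXAMPLE-0001",  # placeholder identifier (not a real CVE/GHSA id)
    "summary": "Constructed example: same bug on two supported branches",
    "affected": [
        {
            "package": {"ecosystem": "npm", "name": "example-lib"},
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {"introduced": "1.0.0"}, {"fixed": "1.4.2"},   # 1.x backport
                        {"introduced": "2.0.0"}, {"fixed": "2.1.0"},   # 2.x fix
                    ],
                },
            ],
        },
    ],
}

_SEMVER = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_semver(text):
    """Return a sortable key for a SemVer string.

    Build metadata (+...) is ignored and a pre-release sorts before the
    release it precedes, so 1.4.2-rc.1 < 1.4.2. Pre-release identifiers are
    compared as plain strings here, a simplification of SemVer section 11,
    where numeric identifiers compare numerically.
    """
    m = _SEMVER.match(text)
    if not m:
        raise ValueError(f"not a semantic version: {text!r}")
    major, minor, patch, pre = m.groups()
    core = (int(major), int(minor or 0), int(patch or 0))
    return (core, 0 if pre else 1, pre or "")


def version_in_range(version, rng):
    """OSV SEMVER range semantics over an ordered event list."""
    if rng["type"] != "SEMVER":
        raise ValueError(f"unsupported range type {rng['type']!r}")
    v = parse_semver(version)
    start = None  # currently open 'introduced' bound, if any
    for event in rng["events"]:
        if "introduced" in event:
            start = parse_semver(event["introduced"])
        elif "fixed" in event:
            if start is not None and start <= v < parse_semver(event["fixed"]):
                return True
            start = None
        elif "last_affected" in event:
            if start is not None and start <= v <= parse_semver(event["last_affected"]):
                return True
            start = None
    # An 'introduced' with no closing event affects every later version.
    return start is not None and start <= v


def is_affected(advisory, ecosystem, name, version):
    """True if (ecosystem, name, version) falls inside any affected range."""
    for entry in advisory["affected"]:
        pkg = entry["package"]
        if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
            continue
        # OSV entries may also enumerate exact affected versions.
        if version in entry.get("versions", []):
            return True
        if any(version_in_range(version, r) for r in entry.get("ranges", [])):
            return True
    return False


def fixed_versions(advisory, ecosystem, name):
    """All 'fixed' versions listed for the package, in advisory order."""
    out = []
    for entry in advisory["affected"]:
        pkg = entry["package"]
        if pkg["ecosystem"] == ecosystem and pkg["name"] == name:
            for r in entry.get("ranges", []):
                out.extend(e["fixed"] for e in r["events"] if "fixed" in e)
    return out


if __name__ == "__main__":
    for v in ("0.9.9", "1.3.0", "1.4.2-rc.1", "1.4.2", "1.5.0", "2.0.5", "2.1.0"):
        print(f"example-lib@{v}: affected={is_affected(ADVISORY, 'npm', 'example-lib', v)}")
    print("fixed in:", fixed_versions(ADVISORY, "npm", "example-lib"))
```

The two cases that trip up naive scanners are visible in the demo: 1.5.0 is not affected even though it is "between" the two fixed versions, because the 1.x interval closed at 1.4.2 and the 2.x interval has not opened, and 1.4.2-rc.1 is affected because a pre-release sorts below the release that fixes the bug. For ecosystems that do not use SemVer (Debian, Maven, PyPI), OSV uses `ECOSYSTEM` ranges whose comparison must be done with that ecosystem's own version ordering.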
These authoritative sources provide reliable vulnerability information and security guidance.
National Vulnerability Database (NVD): The U.S. government repository of standards-based vulnerability management data, maintained by NIST. It enriches CVE entries with CVSS scores, CWE classifications, and affected-product (CPE) configurations.
CVE Program: The authoritative source for CVE identifiers, operated by the MITRE Corporation. Identifiers are assigned by CVE Numbering Authorities (CNAs), which include vendors and open source projects, and published in the CVE List.
GitHub Advisory Database: A curated database of security advisories for open source software, using GHSA identifiers and cross-referencing CVE IDs where they exist. It is the data source behind Dependabot alerts.
FIRST: The Forum of Incident Response and Security Teams maintains the CVSS specification and the official calculator, as well as the Exploit Prediction Scoring System (EPSS), which estimates the probability that a vulnerability will be exploited.
OSV: A distributed vulnerability database for open source software (osv.dev) that aggregates advisories from multiple sources into the OSV schema, a machine-readable format with ecosystem-aware affected version ranges, and exposes an API for querying by package and version.
CISA KEV: The Known Exploited Vulnerabilities catalog, maintained by the U.S. Cybersecurity and Infrastructure Security Agency, lists CVEs for which there is reliable evidence of active exploitation. It is one of the most useful inputs for patch prioritization, independent of CVSS severity.
CWE: The Common Weakness Enumeration, a community-developed list of software and hardware weakness types maintained by MITRE, providing a common language for classifying the root cause of a vulnerability (for example, CWE-79 for cross-site scripting or CWE-89 for SQL injection).
OWASP: The Open Web Application Security Project provides free resources on application security, including the OWASP Top 10 list of the most critical web application security risks.