Vulnerability

📌 Article pinned by VulDB Support Team

We are a vulnerability database which is collecting, analyzing, and documenting vulnerabilities. There are different definitions what a security vulnerability is.

VulDB Definition

Our definition of a vulnerability is very simple and guarantees the basic principle in handling all our entries:

It is possible to use a product in a way that it is not supposed to be and this activity violates principles of confidentiality, integrity, or availability.

CVE Program Definition

Our approach is very well in line with CNA Rule 4.1 which explains Vulnerability Determination like this:

The CVE Program Glossary defines a Vulnerability as: "an instance of one or more weaknesses in a Product that can be exploited, causing a negative impact to confidentiality, integrity, or availability; a set of conditions or behaviors that allows the violation of an explicit or implicit security policy."

Our Principle

Usually whenever it is possible to assign a CWE to an issue, it must be declared as security-related. The level of popularity of a product or an attack, pre-requisites, risk levels, availability of exploits or countermeasures do not influence this decision to declare something a vulnerability in any way. The less severe terms might be weakness, flaw, or security issue. We may split vulnerabilities into multiple entries according to our splitting methodology.

Implications

Whenever something is declared as a vulnerability, we are obligated to add it to our vulnerability database. There is no possibility to revoke legitimate entries. If somebody disagrees with a CVE assignment, it is possible to establish a dispute.