Weak CVE

People tend to rate the quality of CVEs. Some claim that certain CVEs are so-called weak CVEs. This is how we approach these challenges as a CNA.

Weak Entry

A CVE entry is called a Weak Entry when important vulnerability data is missing. This could be vulnerability classes, affected products or version details.

Weak entries are often based on weak submissions. If a submission does not contain enough information, we will reject it and demand more technical details or a better proof.

Our goal is to add as much information about a vulnerability as possible to an entry. Our system supports a wide variety of data points which help users to understand the inner workings of vulnerabilities.

Weak Vulnerability

Something is called a Weak Vulnerability when it affects a product that is neither particularly important nor popular, or when a less interesting attack vector is used.

We do not reject CVE submissions which others would classify as weak vulnerabilities. It is not our task to decide what kind of technical level is required to receive a CVE. If something qualifies as a vulnerability and is aligned with our submission policy and the CNA Rules, we will assign a CVE.

If you do not share this opinion, you may initiate a dispute or contact MITRE to discuss possibilities to change their CNA Rules.
