CVE Language/Terminology Changes

Here's how we've started using the new CVE terminology here in MITRE
since the name change. This change is being reflected in the web
site, press releases, how we talk, and in some ways, how we think.

Now that CVE means "Common Vulnerabilities and Exposures," it is more
grammatically correct to say "CVE" instead of "the CVE," so we've been
adapting our language appropriately. For example:

"We have nearly reached the 300 mark for CVE, but I am still waiting
for some votes from Board members."

[That was just a random example with no hidden agenda whatsoever.]

Also, we have been very careful to ensure that we don't simply say
"vulnerabilities" when we really mean "vulnerabilities and/or
exposures." Sometimes it is difficult and clumsy to do this, however.
Personally, I sometimes say "problems," but there isn't any one word
we've found that subsumes both terms. Some people occasionally say
"V&E" but that is also clumsy sometimes. But when we speak of a
specific "record" that's in CVE, we say "CVE entry."

However, there is some terminology that is well-used and understood,
e.g. "vulnerability assessment tools" and "vulnerability database."
We have continued to use those terms, although it is now clear that
some assessment tools and databases include exposures.

A sample paragraph which integrates almost all of the language changes
is as follows:

"The CVE Editorial Board has been validating a number of
vulnerabilities and exposures in CVE, and will have validated over 300
entries by the time of public release. Board members have also been
mapping CVE entries for 20 information security problems to their own
vulnerability databases, in anticipation of the upcoming
Interoperability Demo. We expect to see CVE names being used in
vulnerability databases and vulnerability assessment tools soon after
the public release of CVE."

This language usage will become more clear as you review the web site
and other documents that are coming out of MITRE.