Below are CVE's definitions of the terms "Vulnerability" and "Exposure":
A "vulnerability" is a weakness in the computational logic (e.g., code) found in software and some hardware components (e.g., firmware) that, when exploited, results in a negative impact to confidentiality, integrity, OR availability. Mitigation of the vulnerabilities in this context typically involves coding changes, but could also include specification changes or even specification deprecations (e.g., removal of affected protocols or functionality in their entirety).

Examples of vulnerabilities include:

Review vulnerabilities on the Common Vulnerabilities and Exposures (CVE) List.
An "exposure" is a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network.

CVE considers a configuration issue or a mistake an exposure if it does not directly allow compromise but could be an important component of a successful attack, and is a violation of a reasonable security policy.

An "exposure" describes a state in a computing system (or set of systems) that is not a vulnerability, but either:

Examples of exposures include:

Review exposures on the Common Configuration Enumeration (CCE) List.

Page Last Updated or Reviewed: December 15, 2017