Terminology

Below are the CVE Initiative’s definitions of the terms "Vulnerability" and "Exposure":

Vulnerability

An information security "vulnerability" is a mistake in software that can be directly used by a hacker to gain access to a system or network.

CVE considers a mistake a vulnerability if an attacker can use it to violate a reasonable security policy for that system (this excludes entirely "open" security policies in which all users are trusted, or where there is no consideration of risk to the system).

For CVE, a vulnerability is a state in a computing system (or set of systems) that either:


Examples of vulnerabilities include:

Review vulnerabilities on the Common Vulnerabilities and Exposures (CVE) List.

Exposure

An information security "exposure" is a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network.

CVE considers a configuration issue or a mistake an exposure if it does not directly allow compromise but could be an important component of a successful attack, and is a violation of a reasonable security policy.

An "exposure" describes a state in a computing system (or set of systems) that is not a vulnerability, but either:


Examples of exposures include:

Review exposures on the Common Configuration Enumeration (CCE) List.

Page Last Updated or Reviewed: April 28, 2016