CVE (Common Vulnerabilities and Exposures)

CVE is an internationally used catalog and naming scheme that assigns a unique identifier (a CVE-ID) to each publicly disclosed vulnerability in a specific product, giving security professionals a common language for referring to the same flaw unambiguously.
The System for Naming Vulnerabilities
"That vulnerability," "the Apache thing"—vague references like these make security response impossible. CVE is an international system that assigns unique identifiers such as CVE-2024-12345 to publicly disclosed vulnerabilities, enabling developers, security vendors, operations teams, and regulators to discuss the same vulnerability without ambiguity.
The CVE Program is sponsored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and operated by MITRE, a U.S. nonprofit organization. The authority to assign IDs is delegated to CNAs (CVE Numbering Authorities): vendors, open-source projects, CERTs and research institutions that assign IDs within their own scope. As of 2024 the number of CNAs has grown to over 400 organizations, and because most large vendors now assign IDs for their own products, the lead time from vulnerability report to ID assignment has been trending shorter.
How to Read a CVE-ID
The format is CVE-YYYY-NNNN, where YYYY is a four-digit year and NNNN is a sequence number of at least four digits (it can be longer, for example CVE-2024-12345 or CVE-2021-44228; the old fixed four-digit limit was dropped in 2014). One important point: the year is neither the year the vulnerability was discovered nor necessarily the year it was publicly disclosed. It is the year the ID was reserved (or, for IDs assigned after the fact, the year the vulnerability was made public). Because there is often a lag between reservation and publication, it is not uncommon for a CVE reserved in 2023 to have its details published in 2024, and the sequence number says nothing about ordering or importance.
The CVE-ID itself carries no severity information. Severity is expressed separately as a CVSS (Common Vulnerability Scoring System) score: the NVD (National Vulnerability Database) analyzes published CVEs and publishes CVSS scores for them, and a CNA may also include its own CVSS vector in the CVE record. The two can differ or appear at different times, so a scanner that reads the NVD score alone may lag behind the CNA's assessment. Unlike categorical classifications such as the OWASP Top 10 or CWE, a CVE refers to a single vulnerability instance in a specific product, not to a class of weakness.
Relationship to CyberGym and AI Scanning
CyberGym is a benchmark that uses known CVEs as its test subjects to measure how well AI models can reproduce attacks against them, so the CVE database is an indispensable foundation for its evaluation. By contrast, the vulnerabilities discovered by Claude Mythos in Project Glasswing are zero-day vulnerabilities that have not yet been assigned a CVE-ID; they become CVE records only after going through coordinated (responsible) disclosure.
The combination of SBOM and CVE is extremely powerful in practice. By keeping an SBOM that lists every dependency in your product, with a machine-readable package identifier (such as a purl or CPE) and an exact version for each, and matching each newly published CVE against it by package and affected version range, you can answer the question "Does this vulnerability affect our product?" within minutes rather than days. In the initial response to a supply chain attack, that difference in speed can be decisive. Two caveats: the match is only as good as the identifiers and version ranges on both sides, and a version match shows that a vulnerable component is present, not that the vulnerable code path is reachable in your product (that is what a VEX statement records).
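The cross-reference described above, as an added example that is not code from the page or from any SBOM tool: it validates CVE-ID syntax (the format explained earlier), parses a minimal CycloneDX-style SBOM, and matches each component against simplified CVE records by version-less purl and affected version range. The SBOM is a constructed inventory for a hypothetical service; the CVE records are hand-written from memory for this example, their shape only loosely follows the `affected`/`versions` arrays of CVE JSON 5 records, and their ranges are condensed (consult cve.org for authoritative data). The function names and the `version_key` ordering are my own.

```python
import json
import re

# Constructed CycloneDX-style SBOM (a hand-written subset of the real schema)
# for a hypothetical service. Sample input, not a real product inventory.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21"}
  ]
}
"""

# Simplified, hand-written CVE records. Not the real CVE JSON 5 schema, and the
# ranges are condensed for illustration; cve.org holds the authoritative data.
CVE_RECORDS = [
    {"cveId": "CVE-2021-44228",
     "affected": [{"purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
                   "versions": [{"version": "2.0-beta9", "lessThan": "2.15.0"}]}]},
    {"cveId": "CVE-2023-32681",
     "affected": [{"purl": "pkg:pypi/requests",
                   "versions": [{"version": "2.3.0", "lessThan": "2.31.0"}]}]},
    {"cveId": "CVE-2021-23337",
     "affected": [{"purl": "pkg:npm/lodash",
                   "versions": [{"version": "0", "lessThan": "4.17.21"}]}]},
]

CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve_id(cve_id):
    """Return (year, sequence) for a syntactically valid CVE-ID, else None.
    The year is the reservation year, not a discovery or disclosure date."""
    m = CVE_ID_RE.match(cve_id)
    return (int(m.group(1)), int(m.group(2))) if m else None


def version_key(v):
    """Ordering key for dotted versions with an optional '-tag' pre-release suffix,
    so that 2.0-beta9 < 2.0 == 2.0.0 < 2.0.1. Simplification: not a full
    semver or PEP 440 parser; real scanners need ecosystem-specific ordering."""
    main, _, pre = v.partition("-")
    nums = [int(p) for p in main.split(".") if p.isdigit()]
    nums += [0] * (3 - len(nums))
    return (tuple(nums), 0 if pre else 1, pre)


def in_range(version, rng):
    """True if version lies in the affected range. 'lessThan' is exclusive, as in
    CVE JSON 5, so the first fixed version is never reported as affected."""
    v = version_key(version)
    if v < version_key(rng["version"]):
        return False
    if "lessThan" in rng and v >= version_key(rng["lessThan"]):
        return False
    if "lessThanOrEqual" in rng and v > version_key(rng["lessThanOrEqual"]):
        return False
    return True


def purl_base(purl):
    """Strip version, qualifiers and subpath: pkg:npm/lodash@4.17.21 -> pkg:npm/lodash."""
    return purl.split("?", 1)[0].split("#", 1)[0].rsplit("@", 1)[0]


def find_affected(sbom_json, records):
    """Cross-reference every SBOM component against the CVE records and return a
    list of {'cve', 'purl', 'version'} for each affected component."""
    components = json.loads(sbom_json)["components"]
    # Index the inventory by version-less purl so each record lookup is a dict hit.
    inventory = {}
    for comp in components:
        if "purl" in comp:
            inventory.setdefault(purl_base(comp["purl"]), []).append(comp)
    hits = []
    for rec in records:
        if parse_cve_id(rec["cveId"]) is None:
            raise ValueError(f"malformed CVE-ID in feed: {rec['cveId']!r}")
        for aff in rec["affected"]:
            for comp in inventory.get(aff["purl"], []):
                if any(in_range(comp["version"], r) for r in aff["versions"]):
                    hits.append({"cve": rec["cveId"], "purl": comp["purl"],
                                 "version": comp["version"]})
    return hits


if __name__ == "__main__":
    for hit in find_affected(SBOM_JSON, CVE_RECORDS):
        print(f"{hit['cve']}: {hit['purl']} (installed {hit['version']})")
```

Run as-is, only the log4j-core component is reported: requests 2.31.0 and lodash 4.17.21 sit exactly on the exclusive `lessThan` boundary, which is the first fixed release, and the matcher correctly leaves them out. That boundary is where hand-rolled scanners most often produce false positives or, worse, false negatives.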