According to MITRE's CVE Terminology, a vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network; that is, a state in a computing system which either:
- Allows an attacker to execute commands as another user.
- Allows an attacker to access data that is contrary to the specified access restrictions for that data.
- Allows an attacker to pose as another entity.
- Allows an attacker to conduct a denial of service.
The vulnerability life cycle consists of four events:
- Discovery date. Somebody discovers that the vulnerability exists.
- Disclosure date. A trusted security organization or the vulnerable software producer discloses the existence of the vulnerability.
- Exploit date. Somebody creates an attack which exploits the vulnerability.
- Patch date. The vulnerable software producer provides a solution or patch to protect the system.
Not all four events necessarily occur in a vulnerability's life cycle, and they need not occur in this order. A vulnerability can be exploited with no previous disclosure, or can be patched with no previous exploit.
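The life cycle above is easiest to reason about as a set of optional, dated events rather than a fixed sequence. The following Python is an added example, not part of the original text or of any MITRE tooling: it models the four events with any of them missing, derives the actual order from the dates, and computes the windows a defender cares about (disclosure-to-patch and exploit-to-patch). The three records in `SAMPLE` are constructed for illustration and do not describe real vulnerabilities.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Canonical event names, in the order the text lists them
EVENTS = ("discovered", "disclosed", "exploited", "patched")


@dataclass
class VulnLifecycle:
    """One vulnerability's life-cycle events; any event may be absent (None)."""
    name: str
    discovered: Optional[date] = None
    disclosed: Optional[date] = None
    exploited: Optional[date] = None
    patched: Optional[date] = None

    def present_events(self):
        """Names of the events that actually occurred for this vulnerability."""
        return [e for e in EVENTS if getattr(self, e) is not None]

    def timeline(self):
        """Events sorted by date; the real order may differ from the canonical one."""
        return sorted((getattr(self, e), e) for e in self.present_events())


def days(start: Optional[date], end: Optional[date]) -> Optional[int]:
    """Whole days from start to end, or None if either event never happened."""
    if start is None or end is None:
        return None
    return (end - start).days


def classify(v: VulnLifecycle) -> dict:
    """Summarise a life cycle: actual order, key orderings and exposure windows."""
    # Exploited with no prior disclosure: the 'exploit before disclosure' case
    exploited_before_disclosure = v.exploited is not None and (
        v.disclosed is None or v.exploited < v.disclosed
    )
    # Patched with no prior exploit: the 'patch before exploit' case
    patched_before_exploit = v.patched is not None and (
        v.exploited is None or v.patched <= v.exploited
    )
    return {
        "order": [name for _, name in v.timeline()],
        "exploited_before_disclosure": exploited_before_disclosure,
        "patched_before_exploit": patched_before_exploit,
        "disclosure_to_patch_days": days(v.disclosed, v.patched),
        "exploit_to_patch_days": days(v.exploited, v.patched),
        "unpatched": v.patched is None,
    }


# Constructed sample records (hypothetical names and dates, not real CVEs)
SAMPLE = [
    # Full cycle in canonical order
    VulnLifecycle("vuln-A", date(2024, 1, 10), date(2024, 2, 1),
                  date(2024, 2, 15), date(2024, 3, 1)),
    # Exploited in the wild before anyone disclosed it; discovery date unknown
    VulnLifecycle("vuln-B", disclosed=date(2024, 5, 20),
                  exploited=date(2024, 5, 1), patched=date(2024, 5, 25)),
    # Disclosed and patched the same day, never exploited
    VulnLifecycle("vuln-C", date(2024, 6, 1), date(2024, 6, 10),
                  patched=date(2024, 6, 10)),
]


def report(records=SAMPLE) -> dict:
    """Map each vulnerability name to its classification."""
    return {v.name: classify(v) for v in records}


if __name__ == "__main__":
    for name, summary in report().items():
        print(name, summary)
```

The `order` field is derived from the dates rather than assumed, which is what makes the two exceptional cases in the text visible: `vuln-B` reports `exploited_before_disclosure` and `vuln-C` reports `patched_before_exploit` with no exploit-to-patch window at all.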
Several databases store relevant data about vulnerabilities. Some examples are: