UGLABS // Intern Training CVE Fundamentals · Pre-Lab Module
Level ENTRY
Duration ~10 MIN
Sections 5
Pre-req NONE

01 // Core concept

What is a CVE?

CVE stands for Common Vulnerabilities and Exposures. It is a public catalogue of known security flaws in software. Every flaw that makes it onto the list gets a unique ID — like CVE-2024-3094 — and that ID becomes the universal name everyone uses to refer to that specific flaw.

Before CVE existed, a researcher in Cape Town and a developer in Berlin might discuss the same bug under completely different names. Nobody could compare notes. CVE fixed that. One bug, one ID — used by security teams, vendors, journalists, and governments.

Think of it like a case number at a police station. The number doesn't tell you what happened — it just makes sure everyone is talking about the same incident.

Check your understanding

A colleague says: "CVE-2024-1234 just dropped — it must be serious." Is that a fair conclusion?

02 // The system behind it

CVE is a system, not a company

The CVE list is run by MITRE Corporation — a US non-profit. MITRE doesn't find vulnerabilities. They maintain the catalogue and assign the IDs. Think of them as the registry office.

There's also the NVD — National Vulnerability Database, run by NIST. NVD takes CVE records from MITRE and adds detail: severity scores, affected software versions, and links to patches. When someone says "look it up on NVD", it's the same vulnerability — just with more data attached.

Organisations authorised to assign CVE numbers to flaws in their own products are called CNAs — CVE Numbering Authorities. Big companies like Microsoft, Google, and Apple are CNAs. For software with no CNA, researchers go directly to MITRE to request an ID.

MITRE assigns // NVD enriches // CNAs handle their own products

Check your understanding

You look up a CVE on NVD and it has more detail than the same CVE on MITRE's site. Why?

03 // The ID format

What the numbers mean

Every CVE ID follows the same three-part format:

CVE-2024-3094

CVE: fixed prefix
2024: year assigned
3094: sequence number

The prefix is always CVE. The year is when the ID was assigned — not when the bug was discovered or made public. The sequence number is just a counter with no meaning beyond being unique.

Watch for this: a CVE with a 2023 year might only go public in 2024. The year tells you when the ID was reserved, nothing more.

Quick drill — pick the year each ID was assigned
CVE-2021-44228
CVE-2017-0144
CVE-2024-3094
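As an added worked example (not part of this module), a small Python parser for the three-part format above: it accepts only well-formed IDs, separates the assignment year from the sequence number, and pulls IDs out of free text such as an advisory or ticket. The 1999 lower bound is the year the CVE list started; the sample triage note is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Three-part format: fixed "CVE" prefix, four-digit year, sequence number of
# at least four digits (no upper limit). Case-insensitive so pasted text parses.
CVE_ID_RE = re.compile(r"\b(CVE)-(\d{4})-(\d{4,})\b", re.IGNORECASE)


@dataclass(frozen=True)
class CveId:
    year: int       # year the ID was assigned or reserved, NOT when the bug went public
    sequence: int   # plain counter, unique within the year, no other meaning

    def canonical(self) -> str:
        # Sequence numbers are padded to a minimum of four digits (CVE-2017-0144).
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(text: str) -> Optional[CveId]:
    """Return the parts of one CVE ID, or None if the string is not a well-formed ID."""
    m = CVE_ID_RE.fullmatch(text.strip())
    if m is None:
        return None
    year, seq = int(m.group(2)), m.group(3)
    if year < 1999:  # the CVE list started in 1999; earlier years are typos
        return None
    # Leading zeros only pad four-digit sequences; "03094" is not a valid sequence.
    if len(seq) > 4 and seq.startswith("0"):
        return None
    return CveId(year=year, sequence=int(seq))


def extract_cve_ids(text: str) -> list[str]:
    """Every well-formed CVE ID in free text (advisory, ticket, log line),
    in canonical upper-case form, deduplicated, in order of first appearance."""
    found: list[str] = []
    for m in CVE_ID_RE.finditer(text):
        parsed = parse_cve_id(m.group(0))
        if parsed is not None and parsed.canonical() not in found:
            found.append(parsed.canonical())
    return found


if __name__ == "__main__":
    # Constructed sample: the drill IDs above plus two malformed look-alikes.
    note = ("Triage: CVE-2021-44228, cve-2017-0144 and CVE-2024-3094 patched; "
            "CVE-2024-123 and CVE-1998-0001 are typos.")
    for cve in extract_cve_ids(note):
        parsed = parse_cve_id(cve)
        print(f"{cve}: ID assigned in {parsed.year}, sequence {parsed.sequence}")
```

The year reported is the assignment year only; when the flaw was found or disclosed has to come from the CVE or NVD record, not the ID.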

04 // Scope of the list

Not every bug qualifies

The CVE list is not a list of every software bug ever written. It is a subset — the bugs that meet a specific bar.

To get a CVE, a vulnerability needs to exist in software people actually use, and it needs real security impact — meaning an attacker could use it to do something they're not supposed to. A crash bug on your own machine with no external trigger won't qualify. A bug that lets a stranger run code on your server will.

Bugs also sometimes don't get CVEs because nobody requested one. If a researcher finds something and patches it quietly, there might be no CVE at all. Absence of a CVE does not mean absence of risk.

The CVE list is the vulnerabilities someone documented. It is not a complete picture of what's dangerous.

Does this get a CVE? Vote on each scenario
Scenario A

A researcher finds a bug in a popular banking app that lets an attacker steal session tokens over the network.

Scenario B

A developer notices their internal tool crashes when you type more than 200 characters. The tool is not internet-connected and is only used by two people.

Scenario C

A researcher finds a critical flaw in a small open-source library. They patch it and push the fix quietly without telling anyone or requesting a CVE.

05 // Final check

Pull it all together

Question 1 of 3

What does the year in a CVE ID actually represent?

Question 2 of 3

Which organisation maintains the CVE list and assigns IDs?

Question 3 of 3

A piece of software has a critical security flaw but no CVE number. Does that mean it's safe?
