This post reviews some resources related to IT vulnerabilities: the main vulnerability databases and a few zero-day vulnerability research teams.
Vulnerability Databases
Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities.
http://nvd.nist.gov/cvss.cfm
MITRE Common Vulnerabilities and Exposures (CVE) is a list of publicly disclosed information security vulnerabilities and exposures.
Microsoft has its own portal, the MSRC Security Update Guide, covering the CVEs affecting its products and how to fix them. It may also contain the corresponding CVSS ratings.
MITRE Common Weakness Enumeration (CWE) is a community-developed list of software and hardware weakness types.
MITRE ATT&CK Matrix is a knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s attack lifecycle and the platforms they are known to target.
OWASP Top 10 represents a broad consensus about the 10 most critical security risks to web applications.
https://owasp.org/www-project-top-ten/
ExploitDB is an archive of public exploits, maintained for the purpose of public security; the site itself explains what can be found in the database.
The Cybersecurity & Infrastructure Security Agency (CISA) maintains the CISA Known Exploited Vulnerabilities Catalog.
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Zero-Day Vulnerability Teams
This section lists some relevant teams within companies that focus on finding zero-day vulnerabilities and notifying the affected system owners.
Zero-Day Vulnerability Teams featured on this post:
- Google Project Zero
- Trend Micro’s Zero Day Initiative
Google Project Zero
Project Zero is a team within the American company Google.
Trend Micro’s Zero Day Initiative
The Zero Day Initiative is an initiative run by the American company Trend Micro.