Vulnerability Scoring Systems


CVSS calculator

A calculator for determining risk level of vulnerabilities based on base, temporal, and environmental metrics.

National Vulnerability Database (NVD)

A government-sponsored, detailed database of known vulnerabilities, found at nvd.nist.gov. It includes more specific information for each entry than the CVE list, such as fix information, severity scores, and impact ratings. This list is searchable by product name or version number, vendor, operating system, impact, severity, and related exploit range. This detailed database adds breadth and depth to your research, and the variety of ways to search the site makes searches very efficient.

Cybersecurity and Infrastructure Security Agency (CISA)

A large government-sponsored organization that provides many resources for cybersecurity. This government site provides: information exchange; training and exercises; risk and vulnerability assessments; data synthesis and analysis; operational planning and coordination; watch operations; and incident response and recovery.

Full disclosure

A public, vendor-neutral forum for the discussion of vulnerabilities and threats that often has the newest information. It also has tools, papers, news, and events related to vulnerabilities and threats. A mailing list from the Nmap site, it provides a vendor-neutral forum for discussing exploitation strategies and vulnerabilities. It's also a resource for discovering events that are happening in the cybersecurity community. You can find it at seclists.org/fulldisclosure.

Common Vulnerability Scoring System (CVSS)

A system that categorizes vulnerabilities by threat level.

Common Vulnerabilities and Exposures (CVE)

An online list of known vulnerabilities (and patches) to software, especially web servers. It is maintained by the MITRE Corporation. There are currently 94 CVE numbering authorities from 16 countries, which provides a baseline for evaluation. It also provides standardization, which allows data exchange for cybersecurity automation and aids professionals as they determine the best assessment tools for them.

Common Attack Pattern Enumeration and Classification (CAPEC)

A dictionary of known patterns of cyberattack used by hackers, found at capec.mitre.org. You can search this list by attack mechanism, attack domain, key terms, and CAPEC ID numbers. You can browse through the list to see common attacks used by hackers, and you can also search for specific attack patterns. There are other helpful resources available besides the ones sponsored by the Department of Homeland Security.

Common Weakness Enumeration (CWE)

cwe.mitre.org. CWE is a community-developed list of common software security weaknesses. They strive to create commonality in descriptions of weaknesses in security software. This creates a reference for identifying, mitigating, and preventing vulnerabilities. It also provides a standardized way to evaluate assessment tools.

JPCERT

The Japan Computer Emergency Response Team, dedicated to helping cybersecurity professionals protect their organizations from attack. It offers detailed information on vulnerabilities, including affected products, possible impacts, solutions, vendor statements, and reference documents.

