Mondoo Vulnerability Intelligence
Search vulnerabilities and malicious packages across npm, PyPI, Go, GitHub Actions, VS Code, and more.
Understanding security terminology is essential for effectively managing vulnerabilities in your software. This guide explains common terms used in vulnerability databases and security advisories.
Vulnerability: A weakness in a system, application, or protocol that a threat actor can exploit to perform unauthorized actions. Vulnerabilities can exist in software code, in configuration, or in design decisions.
Security advisory: An official notice published by a vendor, security researcher, or coordinating body that describes a vulnerability, its impact, the affected versions, and the recommended remediation.
CVSS (Common Vulnerability Scoring System): A standardized framework for rating the severity of vulnerabilities on a scale of 0.0 to 10.0. The base score combines exploitability metrics (attack vector, attack complexity, privileges required, user interaction, scope) with the impact on confidentiality, integrity, and availability. A CVSS score measures technical severity; it is not a measure of how likely exploitation is or of the risk to a particular deployment.
Exploit: Code, technique, or method that takes advantage of a vulnerability to cause unintended behavior, such as gaining unauthorized access, executing arbitrary code, or causing a denial of service.
Patch: A software update that addresses one or more vulnerabilities. Patches may be released as part of regular updates or as emergency out-of-band releases for critical vulnerabilities.
Zero-day: A vulnerability that is publicly disclosed or actively exploited before the vendor has released a patch, often before the vendor is even aware of it. The name reflects that the vendor has had "zero days" to fix the issue before it is used against real systems.
Severity: A qualitative rating of how serious a vulnerability is, usually derived from the CVSS base score. The CVSS v3.x and v4.0 qualitative scale is None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0). Some sources assign their own labels that do not map one-to-one onto this scale (the GitHub Advisory Database uses "Moderate" rather than "Medium", for example).
Ecosystem: A package management system or platform through which software dependencies are distributed, such as npm, PyPI, Go modules, GitHub Actions, or VS Code extensions. Each ecosystem has its own registry, naming conventions, and versioning scheme, so the same package name can mean different things in different ecosystems.
Affected package: A specific package or library that contains a vulnerability. Advisories list the affected version ranges and the fixed version(s) for each impacted package; whether you are actually exposed depends on the exact version you have installed, including versions pulled in as transitive dependencies.
These authoritative sources provide reliable vulnerability information and security guidance.
NVD (National Vulnerability Database): The U.S. government repository of standards-based vulnerability management data, maintained by NIST. It enriches CVE entries with CVSS scores, CWE classifications, and CPE applicability data.
CVE Program (cve.org): The authoritative source for CVE identifiers, operated by the MITRE Corporation. Individual CVE IDs are assigned by CVE Numbering Authorities (CNAs), which include vendors, open source projects, and security research organizations.
GitHub Advisory Database: A curated database of security advisories for open source software, with GHSA identifiers. It is the data source behind Dependabot alerts.
FIRST: The Forum of Incident Response and Security Teams maintains the CVSS specification and calculator, and also publishes EPSS (Exploit Prediction Scoring System), which estimates the probability that a vulnerability will be exploited.
OSV (osv.dev): A distributed vulnerability database for open source software, aggregating data from multiple sources into a common JSON schema with machine-readable affected version ranges.
CISA KEV (Known Exploited Vulnerabilities) catalog: A catalog of vulnerabilities known to be actively exploited, maintained by the U.S. Cybersecurity and Infrastructure Security Agency. Presence in KEV is a strong prioritization signal independent of CVSS score.
CWE (Common Weakness Enumeration): A community-developed list of software and hardware weakness types, providing a common language for classifying the root cause of vulnerabilities.
OWASP: The Open Web Application Security Project provides free resources on application security, including the OWASP Top 10.
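The "Affected package" and "Ecosystem" entries and the OSV entry above come together in one practical question: given a package, ecosystem, and installed version, does an advisory apply? The following is an added example (not Mondoo's or OSV's code) that walks the `affected[].ranges[].events` structure of the OSV JSON schema and answers that question. The advisory embedded in it is constructed for illustration (the id `EXAMPLE-0001` and package `example-lib` are placeholders, not a real vulnerability), and the version comparison is a simplified one: dotted numeric parts only, with pre-release and build tags dropped, which is an assumption that does not hold for every ecosystem's ordering rules.

```python
"""Does an installed package version fall inside an OSV advisory's affected ranges?

Added example. Reads OSV-style `affected[].ranges[].events` (introduced / fixed /
last_affected). The advisory below is constructed and is not a real vulnerability.
"""
import json

# Constructed sample in the OSV schema shape; EXAMPLE-0001 and example-lib are placeholders.
SAMPLE_ADVISORY = json.loads("""
{
  "id": "EXAMPLE-0001",
  "summary": "Constructed sample advisory (not a real vulnerability)",
  "affected": [
    {
      "package": {"ecosystem": "npm", "name": "example-lib"},
      "ranges": [
        {"type": "SEMVER",
         "events": [{"introduced": "0"}, {"fixed": "4.17.21"}]},
        {"type": "SEMVER",
         "events": [{"introduced": "5.0.0"}, {"fixed": "5.0.2"}]}
      ]
    }
  ]
}
""")


def parse_version(v: str) -> tuple:
    """Simplified version parse: '4.17.21' -> (4, 17, 21). Pre-release ('-beta.1') and build
    ('+abc') tags are dropped. Assumption: a production scanner should use an ecosystem-aware
    comparator (e.g. node-semver rules for npm, PEP 440 for PyPI) instead of this."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))


def affected_spans(events: list) -> list:
    """Turn an OSV event list into (introduced, fixed, last_affected) spans.

    Each 'introduced' event opens a span; the next 'fixed' (exclusive) or 'last_affected'
    (inclusive) event closes it. A span with neither is open-ended (no fix yet).
    """
    spans = []
    for ev in events:
        if "introduced" in ev:
            spans.append([ev["introduced"], None, None])
        elif "fixed" in ev and spans:
            spans[-1][1] = ev["fixed"]
        elif "last_affected" in ev and spans:
            spans[-1][2] = ev["last_affected"]
    return [tuple(s) for s in spans]


def version_in_span(version: str, span: tuple) -> bool:
    """True if version >= introduced and below 'fixed' / at or below 'last_affected'."""
    introduced, fixed, last_affected = span
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    if last_affected is not None and v > parse_version(last_affected):
        return False
    return True


def is_affected(advisory: dict, ecosystem: str, name: str, version: str) -> bool:
    """True if (ecosystem, name, version) lies inside any SEMVER/ECOSYSTEM range of the advisory.

    Ecosystem and name must both match: the same name in another ecosystem is a different package.
    """
    for entry in advisory.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        for rng in entry.get("ranges", []):
            if rng.get("type") not in ("SEMVER", "ECOSYSTEM"):
                continue  # GIT ranges need commit ancestry, which is out of scope here
            if any(version_in_span(version, s) for s in affected_spans(rng["events"])):
                return True
    return False


def fixed_versions(advisory: dict, ecosystem: str, name: str) -> list:
    """Every 'fixed' version listed for the package: the upgrade targets the advisory points to."""
    fixes = []
    for entry in advisory.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        for rng in entry.get("ranges", []):
            fixes.extend(s[1] for s in affected_spans(rng.get("events", [])) if s[1] is not None)
    return fixes


if __name__ == "__main__":
    for ver in ("0.1.0", "4.17.20", "4.17.21", "4.18.0", "5.0.1", "5.0.2"):
        print(f"example-lib@{ver}: affected={is_affected(SAMPLE_ADVISORY, 'npm', 'example-lib', ver)}")
    print("fixed in:", fixed_versions(SAMPLE_ADVISORY, "npm", "example-lib"))
```

Two details are easy to get wrong here and are worth checking against any advisory you consume: `fixed` is exclusive (the fixed version itself is not affected) while `last_affected` is inclusive, and a second `introduced` after a `fixed` means the bug was reintroduced in a later line, so a version that is past the first fix can still be inside the second span.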