Difficulties of Technical Vulnerability Management
Ing. Miroslav Čermák, Police Academy of the Czech Republic in Prague, postgraduate student
The article describes what a vulnerability is, what the life cycle of a vulnerability looks like, how a vulnerability arises and what the relationship between a vulnerability, an exploit and a patch is, and characterizes the 6 possible states. It also presents why assessing the severity of the same vulnerability according to the CVSSv2 and CVSSv3 methodologies can yield very different results, and how the number of vulnerabilities has increased sharply while the severity of the vulnerabilities themselves tends to be evenly distributed in the long run. Last but not least, it argues that in the context of vulnerability management the number of vulnerabilities listed in the CVE/NVD and VulnDB vulnerability databases must be treated with considerable caution, as these counts are substantially misleading.
Keywords: vulnerability, exploit, life cycle of vulnerability, vulnerability database, technical vulnerability management.