FAQ

The CVE publication process usually starts with a vulnerability report submitted to a CNA or directly to MITRE. If the flaw is confirmed to be legitimate, a CVE identifier is reserved. At this stage, the CVE may remain "reserved" for some time, pending technical validation, agreement from involved parties, or availability of a fix.

Once all the information is verified, the CVE is made public through MITRE’s official website (cve.org) and other platforms such as the NVD (National Vulnerability Database) or CVE Find. It includes a short technical description, publication date, affected products, and sometimes references to patches or security advisories.

No, the existence of a CVE does not guarantee that a fix is available. A CVE may be published before a vendor has developed a fix, or even in cases where no fix is planned (e.g., for obsolete or unsupported software). In such situations, users must implement workarounds or disable certain vulnerable features.

It is therefore essential not to rely solely on CVEs, but also to check vendor advisories and databases like the NVD or the KEV list, which may indicate whether a patch exists and when it is expected. Good risk management takes into account both the severity of the flaw and the availability of solutions.