Dictionary rule: fields are decision aids, not automatic truth. Always combine record data with source freshness, asset exposure, vendor guidance, and business context before assigning work.
Data Dictionary
Understand the fields behind the portal.
Use this page when a label, score, field, or workflow state is unclear. It explains what each signal means, what it does not prove, and where to validate it.
Record
CVE / advisory: what the item is about
Risk
Signals: severity, exploit, exposure, trust
Action
Labels: patch, mitigate, validate, detect
Quality
Caveats: freshness, confidence, disputed status
Core Record Fields
What the main CVE and advisory fields mean
ID
The CVE, advisory, campaign, or internal record identifier. Use it for search, comparison, saving, and references.
Vendor / product
The ecosystem, vendor, product, or product family tied to the item. Validate exact installed product names before acting.
Severity
A broad impact label usually derived from CVSS or source context. It is not the same as priority in your environment.
Summary
A plain-language description of the issue. Treat summaries as orientation, then verify details against vendor or source references.
Affected versions
Version ranges that may be vulnerable. This field needs careful validation because vendor notation and supersedence can be tricky.
Fixed versions
The version, patch, hotfix, or workaround that reduces risk. Confirm supersedence and platform support before writing tickets.
Risk Signals
Signals that influence priority but do not act alone
KEV
Known Exploited Vulnerability. This raises urgency because exploitation has been recognized by CISA, but exposure still needs validation.
EPSS
A probability-style exploit likelihood signal. It helps triage likely exploitation, but it does not prove impact or reachability.
Public PoC
Public proof-of-concept exploit availability. It can lower attacker effort, but a PoC does not prove active exploitation.
Exploit maturity
A rough label for whether exploitation is theoretical, proof-of-concept, weaponized, or observed. Validate source confidence.
Ransomware relevance
A heuristic that suggests the issue may fit ransomware access, escalation, or disruption patterns. It is not attribution.
Attack type
Tags such as RCE, LPE, XSS, SSRF, auth bypass, info disclosure, or DoS. Use them to route work to the right owner.
Exposure Fields
Fields that decide whether the issue matters locally
Internet-facing
The affected system may be reachable from the internet. Confirm with asset inventory, scanning, or architecture evidence.
Authenticated / unauthenticated
Whether exploitation requires credentials. Unauthenticated remote paths usually deserve faster validation.
Remote / local
Whether an attacker can trigger the issue remotely or needs local access. This affects owner, urgency, and detection needs.
Business critical
Whether affected assets support important services. This is often environment-specific and should come from business or asset owners.
Product family
A grouping such as VPN, firewall, identity, database, endpoint, cloud, or OT. It helps route ownership and spot recurring exposure.
Exposure confidence
How certain the portal or analyst is that exposure applies. Low confidence should trigger validation, not emergency action.
Workflow Labels
How action labels should be interpreted
Patch now
Urgent remediation is likely appropriate after affected version, exposure, owner, and rollback path are validated.
Patch soon
Remediation should be planned, but the current evidence may not justify emergency disruption.
Mitigate first
Reduce exposure with controls before or instead of patching, usually because patching is blocked, risky, or unavailable.
Validate exposure
Do not assign patch work yet. Confirm product, version, reachability, authentication context, owner, and source confidence first.
Draft detection
Create a SOC handoff, hunt query, Sigma/YARA draft, or visibility request. Validate telemetry before calling it coverage.
Monitor
Watch for source updates, KEV changes, exploit maturity changes, fixed versions, or exposure changes before escalating.
Trust Fields
Quality and provenance terms that slow down bad decisions
Source confidence
A trust signal based on source type, completeness, recency, and consistency. Low confidence means validate before escalation.
Last updated
When the record or source was refreshed. Stale data should be called out in briefs and decisions.
Disputed
A record where the claim may be contested or inconsistent. Treat it as a validation task before assigning action.
Rejected
A record that should not drive remediation without manual confirmation. Use for learning or tracking only until validated.
Live-derived
A view computed from currently loaded data. It helps prioritize but is not direct telemetry or proof of exploitation.
Heuristic
A useful inference from fields, keywords, or scoring logic. Treat it as a lens, not a final conclusion.
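The gating order described by the workflow labels and trust fields above, as an added example (not the portal's own logic). The Record shape, the two thresholds, and the mapping of rejected records to Monitor are assumptions made for illustration; Draft detection is left out to keep the example to the remediation path.

```python
from dataclasses import dataclass
from datetime import date

# Assumed thresholds: the dictionary defines the fields but gives no cut-offs.
STALE_AFTER_DAYS = 30
EPSS_HIGH = 0.5

@dataclass
class Record:  # hypothetical shape; field names follow the dictionary terms
    record_id: str
    last_updated: date
    kev: bool = False
    epss: float = 0.0
    unauthenticated: bool = False
    internet_facing: bool = False
    exposure_confidence: str = "low"   # "low" or "high"
    source_confidence: str = "low"     # "low" or "high"
    disputed: bool = False
    rejected: bool = False
    version_validated: bool = False
    owner_known: bool = False
    rollback_ready: bool = False
    patch_available: bool = True

def triage(rec, today):
    """Return (workflow label, caveats); trust gates run before risk signals."""
    caveats = []
    if (today - rec.last_updated).days > STALE_AFTER_DAYS:
        caveats.append("stale source data")   # called out, never silently dropped
    if rec.rejected:                          # tracking only until manually confirmed
        return "Monitor", caveats + ["rejected record"]
    if rec.disputed or "low" in (rec.source_confidence, rec.exposure_confidence):
        return "Validate exposure", caveats   # low confidence never escalates directly
    if not (rec.version_validated and rec.owner_known):
        return "Validate exposure", caveats
    urgent = rec.kev or rec.epss >= EPSS_HIGH or (
        rec.unauthenticated and rec.internet_facing)
    if not urgent:
        return "Patch soon", caveats
    if not (rec.patch_available and rec.rollback_ready):
        return "Mitigate first", caveats      # patching blocked, risky or unavailable
    return "Patch now", caveats

# Constructed sample: KEV-listed, but exposure and source confidence are unverified.
TODAY = date(2024, 6, 1)
KEV_UNVERIFIED = Record("CVE-0000-0001", date(2024, 5, 30), kev=True,
                        internet_facing=True)
print(triage(KEV_UNVERIFIED, TODAY))
```

The KEV-listed sample still lands on Validate exposure because neither confidence field has been raised, which is the "signals do not act alone" rule in practice.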
Recommended next move: if a field is unclear, use Methodology for interpretation, Evidence Checklist for validation, and Metrics Catalog when the field becomes a reportable number.