Security glossary
Last updated: April 2026
Short, precise definitions of the terms used across Sentrytex alerts and documentation. Each entry is written to stand alone — quote any one of them without surrounding context.
- CVE (Common Vulnerabilities and Exposures)
- A publicly disclosed security flaw with a unique identifier, formatted as CVE-YYYY-NNNN with four or more sequence digits (for example, CVE-2024-3094). CVEs are assigned by CVE Numbering Authorities under the CVE Program, run by MITRE. A CVE ID is a label; the technical details and scoring are published separately.
- NVD (National Vulnerability Database)
- The US National Institute of Standards and Technology's database of CVEs, enriched with severity scores, references, and product mappings. Sentrytex polls the NVD 2.0 API every 30 minutes for new CRITICAL and HIGH entries.
- GHSA (GitHub Security Advisory)
- A security advisory published in the GitHub Advisory Database, covering vulnerabilities in npm, pip, Go, Rust, Composer, NuGet, RubyGems, Maven, and GitHub Actions ecosystems. GHSA entries often appear earlier and with more ecosystem context than the matching NVD record.
- CVSS (Common Vulnerability Scoring System)
- A numerical score from 0.0 to 10.0 that represents the severity of a vulnerability. CVSS v3.1 and v4.0 are the current revisions. A CVSS score is a starting point, not a verdict — context (whether you actually use the affected configuration) matters more than the number.
- Severity (critical / high / medium / low)
- A categorical label derived from a vulnerability's CVSS score. Critical maps to CVSS 9.0–10.0; high to 7.0–8.9; medium to 4.0–6.9; low to 0.1–3.9. Sentrytex uses these labels and adds context — a medium CVE in a service you don't use is noise; a high CVE on KEV is a P0.
- KEV (CISA Known Exploited Vulnerabilities)
- A catalogue maintained by the US Cybersecurity and Infrastructure Security Agency listing CVEs with evidence of active exploitation in the wild. A KEV listing is the strongest possible signal that a vulnerability matters right now. Sentrytex forwards KEV entries that affect your stack without waiting for additional corroboration.
- CWE (Common Weakness Enumeration)
- A categorisation of the underlying weakness types behind vulnerabilities — for example, CWE-79 is Cross-Site Scripting, CWE-89 is SQL Injection. CWE describes the class of bug; CVE describes a specific instance. Useful for understanding what kind of mistake led to a CVE.
- Advisory
- A formal notice from a vendor, project, or security organisation about a vulnerability or incident. Advisories typically include affected versions, severity, mitigation steps, and patched versions. GHSA and vendor security bulletins are both forms of advisory.
- Advisory feed
- A machine-readable stream of advisories — RSS, JSON, or an API endpoint — that downstream tools can subscribe to. Sentrytex polls advisory feeds from CISA, NVD, GHSA, and individual vendors every 30 minutes.
- Breach
- The unauthorised access, exfiltration, or exposure of data. A breach is an outcome, not a vulnerability — a CVE describes a flaw, a breach describes what happens when a flaw (or a stolen credential, or a misconfiguration) is exploited.
- Incident
- Any event that may affect the confidentiality, integrity, or availability of a system. Every breach is an incident; not every incident is a breach. An outage caused by a misconfiguration is an incident; the same misconfiguration leaking customer data is also a breach.
- Zero-day
- A vulnerability that's being exploited before — or on the day — a patch is publicly available. The window between exploitation and patch availability is the "zero-day window". KEV listings often refer to vulnerabilities that started as zero-days.
- Patch
- A code change that fixes a vulnerability. A patch is "available" when the vendor has shipped a fixed version; it's "applied" when you've upgraded to that version. Most successful exploitations happen after a patch is available but before it's applied — Equifax was breached two months after the Apache Struts patch shipped.
- RCE (Remote Code Execution)
- A vulnerability that lets an attacker run arbitrary code on a target system over the network, usually without authentication. RCE is among the most severe vulnerability classes — an unauthenticated RCE on an internet-facing service is almost always rated critical.
- SQLi (SQL Injection)
- A vulnerability where attacker-controlled input is interpreted as SQL by the database. Classic SQLi can read or modify any data the application has access to, and in some configurations can execute commands on the database server. Classified as CWE-89.
- XSS (Cross-Site Scripting)
- A vulnerability where attacker-controlled input is rendered as executable script in another user's browser. XSS lets attackers steal sessions, perform actions on behalf of the victim, or exfiltrate data visible in the page. Classified as CWE-79.
- Supply chain attack
- A compromise that reaches victims through a third-party dependency rather than a direct attack on the victim's own systems. Examples: a backdoored npm package (event-stream, 2018), a poisoned CI action (tj-actions/changed-files, 2025), a malicious CDN takeover (Polyfill.io, 2024). Supply chain attacks are central to what Sentrytex monitors.
- CISA Vulnrichment
- A CISA programme that adds SSVC (Stakeholder-Specific Vulnerability Categorization) decision points and CWE/CVSS enrichments to newly published CVEs. Useful for prioritising CVEs that don't yet have a full NVD enrichment.
- SBOM (Software Bill of Materials)
- A machine-readable inventory of the components inside a piece of software — direct and transitive dependencies, versions, licences. SBOMs are how organisations answer "is component X in any of our software?" when a new CVE drops. Not a Sentrytex feature, but relevant to vendor security practice.
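As an added example that is not part of the Sentrytex documentation or product: a small Python triage helper that combines the CVE ID format, the CVSS-to-severity bands and the context rules (a KEV listing is a P0, an unused component is noise) defined in the entries above. The P1/P2/P3 tiers for non-KEV findings are an assumption for illustration, not Sentrytex's actual priority scheme.

```python
import re
from dataclasses import dataclass

# CVE-YYYY-NNNN with four or more sequence digits (e.g. CVE-2024-3094).
CVE_ID = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def severity_label(cvss: float) -> str:
    """Map a CVSS base score to the categorical label the glossary defines."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss >= 0.1:
        return "low"
    return "none"  # 0.0 is not one of the four glossary labels


@dataclass
class Finding:
    cve_id: str
    cvss: float
    on_kev: bool            # listed in CISA KEV
    component_in_use: bool  # affected component/config actually in your stack


def triage(f: Finding) -> dict:
    """Return the severity label plus a priority, applying the glossary's
    context rules: unused component -> noise; KEV -> P0. The P1/P2/P3 tiers
    below are an assumed scheme, not Sentrytex's own."""
    if not CVE_ID.match(f.cve_id):
        raise ValueError(f"malformed CVE ID: {f.cve_id}")
    label = severity_label(f.cvss)
    if not f.component_in_use:
        priority = "noise"
    elif f.on_kev:
        priority = "P0"
    elif label == "critical":
        priority = "P1"
    elif label == "high":
        priority = "P2"
    else:
        priority = "P3"
    return {"cve_id": f.cve_id, "severity": label, "priority": priority}
```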