MITRE is a government-funded organization that puts out standards to be used by the information security community. Two of the most popular of these are CWE and CVE, and they’re often confused by security practitioners. Here’s the simple distinction:
- CWE stands for Common Weakness Enumeration, and has to do with the vulnerability—not the instance within a product or system.
- CVE stands for Common Vulnerabilities and Exposures, and has to do with the specific instance within a product or system—not the underlying flaw.