5 exercises on the language of finding and fixing flaws — the verbs and identifiers used in advisories, remediation tickets, and DevSecOps pipelines.
Key patterns in this set
patch / remediate a vulnerability — apply the fix
CVE (one flaw) vs CWE (weakness class) vs CVSS (score)
zero-day — exploited before a patch exists; shrink the attack window
scan for vulnerabilities — automated SCA / SAST / DAST
harden a system — tighten config to cut the attack surface
1 / 5
A remediation ticket reads:
"Upstream has released a fix for the Log4j flaw. We need to ___ this vulnerability across all affected services before the end of the sprint."
Which verb is the standard collocation for fixing a security flaw by applying a code/version fix?
Patch a vulnerability.
"Patch a vulnerability" means to apply a software fix (a patch / updated version) that removes the flaw. "Patch" is both verb and noun.
patch a vulnerability / apply a patch — install the fix
remediate — the broader process of resolving the risk (patch, config change, or compensating control)
patch Tuesday, back-port a patch, hotfix
"Cover" and "fill" are not idiomatic for vulnerabilities. "Close" works for an issue/ticket ("close the CVE ticket") but you patch the underlying flaw. To remediate can mean to patch, but also to mitigate by other means. Usage: "we patched the vulnerability in all environments and verified with a rescan."
2 / 5
A vulnerability advisory reads:
"This flaw has been assigned ___, allowing anyone to look up the standardised identifier, severity score, and affected versions in the national database."
Which is the correct term for that standardised public identifier (e.g. CVE-2021-44228)?
A CVE.
"CVE" stands for Common Vulnerabilities and Exposures — a unique public identifier for a specific known vulnerability, in the form CVE-YYYY-NNNN (the year of assignment, then four or more digits; CVE-2021-44228 has five). It lets everyone refer to the same flaw unambiguously.
CVE — the per-vulnerability identifier (e.g. CVE-2021-44228 = Log4Shell)
CVSS — the scoring system that rates severity 0.0–10.0
CWE — Common Weakness Enumeration: the class of bug (e.g. CWE-79 XSS)
Do not confuse these: a CVE is one specific flaw, a CWE is the weakness category, CVSS is the score, and a CRL (certificate revocation list) is unrelated. Usage: "we triage every new CVE affecting our dependencies within 24 hours."
3 / 5
A threat-briefing slide reads:
"Attackers are already exploiting this flaw in the wild, and no official fix exists yet — it is a true ___."
Which term describes a vulnerability exploited before a patch is available?
Zero-day.
A "zero-day" (0-day) is a vulnerability that is being exploited before the vendor has released a fix — defenders have had zero days to patch. The exploit code is a "zero-day exploit".
zero-day vulnerability / exploit — unknown to the vendor or unpatched while attacked
n-day — a known, patched flaw still exploited because victims have not updated
attack window — the period a system stays exploitable (from disclosure/exploitation until the patch is applied)
"Day-one bug", "cold flaw", and "blind spot" are not security terms for this. The defensive goal is to shrink the attack window by patching fast. Usage: "the vendor shipped an emergency patch for the zero-day within 48 hours."
4 / 5
A DevSecOps pipeline step is described as:
"On every build we automatically ___ — running an SCA and SAST tool against the code and its dependencies to surface known issues before deploy."
Which verb phrase is the standard collocation?
Scan for vulnerabilities.
"Scan for vulnerabilities" is the standard collocation for running automated tooling that detects known flaws in code, dependencies, containers, or infrastructure.
scan for vulnerabilities / run a vulnerability scan
SCA — software composition analysis (dependency CVEs); SAST — static analysis of your code; DAST — dynamic testing of a running app
vulnerability scanner — e.g. Trivy, Snyk, Dependabot
"Search/seek/inspect vulnerabilities" are not the established phrasing — the fixed collocation is scan for. Note the preposition: you scan a system for vulnerabilities. Usage: "the CI gate scans for vulnerabilities and fails the build on any critical CVE."
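Both the identifier distinction in exercise 2 (one CVE per flaw, a CWE for the weakness class, a CVSS score for severity) and the CI gate described here come together in a small policy check. The following is an added example for this page, not code from any scanner or project: it takes a constructed scan report in an assumed shape (a list of `Finding` records, with a CVE for dependency findings and only a CWE for static-analysis findings), maps the CVSS v3 base score to its qualitative rating, and decides whether the build may proceed. It also validates the identifiers it is given, failing closed on a malformed CVE id rather than silently letting that finding through. The CVE ids and CVSS scores for Log4Shell and Heartbleed are the public values; every other field in the sample report is made up.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Identifier formats. A CVE is CVE-YYYY-NNNN with four or more digits after the
# year (CVE-2021-44228 has five); a CWE is CWE-<number>.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
CWE_RE = re.compile(r"^CWE-\d+$")


@dataclass
class Finding:
    source: str                 # "sca" = dependency finding, "sast" = own-code finding
    location: str               # package@version for SCA, file path for SAST
    cvss: float                 # CVSS v3 base score, 0.0-10.0
    cve: Optional[str] = None   # SCA findings normally carry a CVE
    cwe: Optional[str] = None   # SAST findings often carry only the weakness class
    fixed_in: Optional[str] = None


def severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating (the v3 scale)."""
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def validate(f: Finding) -> list:
    """Return data-quality errors for one finding; an empty list means clean."""
    errors = []
    if f.source == "sca" and f.cve is None:
        errors.append(f"{f.location}: dependency finding without a CVE")
    if f.cve is not None and not CVE_RE.match(f.cve):
        errors.append(f"{f.location}: malformed CVE id {f.cve!r}")
    if f.cwe is not None and not CWE_RE.match(f.cwe):
        errors.append(f"{f.location}: malformed CWE id {f.cwe!r}")
    if not 0.0 <= f.cvss <= 10.0:
        errors.append(f"{f.location}: CVSS score {f.cvss} out of range")
    return errors


def gate(findings, fail_on=("CRITICAL",)) -> dict:
    """Decide whether the build may proceed.

    Blocks on any finding whose severity is in fail_on, and fails closed on
    malformed input: a report the gate cannot trust must not let a build through.
    """
    blocking = [f for f in findings if severity(f.cvss) in fail_on]
    errors = [e for f in findings for e in validate(f)]
    return {"ok": not blocking and not errors, "blocking": blocking, "errors": errors}


# Constructed sample report (assumed shape, not a real tool's output).
# CVE-2021-44228 (Log4Shell, CVSS 10.0) and CVE-2014-0160 (Heartbleed,
# CVSS v3 7.5) are the public values; every other field, including the
# last entry with a deliberately malformed id, is made up for this example.
SAMPLE_REPORT = [
    Finding("sca", "log4j-core@2.14.1", 10.0, cve="CVE-2021-44228", cwe="CWE-502", fixed_in="2.15.0"),
    Finding("sca", "openssl@1.0.1f", 7.5, cve="CVE-2014-0160", cwe="CWE-125", fixed_in="1.0.1g"),
    Finding("sast", "src/render.py:42", 6.1, cwe="CWE-79"),
    Finding("sca", "example-lib@0.1.0", 3.1, cve="CVE-21-1"),
]

CLEAN_REPORT = SAMPLE_REPORT[1:3]   # no critical finding, no malformed ids


if __name__ == "__main__":
    result = gate(SAMPLE_REPORT)
    for f in result["blocking"]:
        print(f"BLOCK {severity(f.cvss)} {f.cve or f.cwe} in {f.location} (fix: {f.fixed_in})")
    for e in result["errors"]:
        print("ERROR", e)
    print("build", "passes" if result["ok"] else "fails")
```

The threshold is a policy choice: the default blocks only on CRITICAL, and passing `fail_on=("CRITICAL", "HIGH")` would also block the Heartbleed finding. Note that the SAST finding has no CVE at all, which is normal: a flaw in your own code has a weakness class (CWE-79) but no public identifier until someone assigns one.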
5 / 5
A baseline-configuration policy reads:
"Every server image must be ___ before deployment: disable unused services, close open ports, enforce strong ciphers, and remove default accounts."
Which verb describes reducing a system's exposure by tightening its configuration?
Harden a system.
To "harden" a system means to reduce its attack surface by tightening configuration — disabling unused services, closing ports, removing default accounts, enforcing secure defaults. The result is a "hardened" image.
harden a system / an image / a host
hardening guide / baseline — e.g. CIS Benchmarks
apply a patch & shrink the attack window — related practices
"Toughened", "sealed", and "reinforced" are not the security term — the established verb is harden, used across CIS, NIST, and vendor docs. Hardening complements patching: you patch known flaws and harden to remove whole classes of exposure, including ones nobody has a CVE for yet. Usage: "all production hosts are hardened to the CIS Level 1 benchmark."
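Hardening is only verifiable if the baseline is checked against the actual configuration, so here is an added example of such a check, written for this page and not taken from CIS or any benchmark tool. It parses an `sshd_config` and compares it with a small baseline whose values (root login off, password and empty-password authentication off, X11 forwarding off, at most 4 authentication attempts) are illustrative choices in the spirit of a CIS-style guide, not quoted from one. The parser reproduces one sshd rule that trips up manual hardening: for each keyword sshd uses the first value it encounters, so a "fix" appended to the bottom of the file does not override a weak setting higher up. Everything after a `Match` block is conditional and is ignored, a deliberate simplification; both config texts are constructed.

```python
import re

# Assumed baseline in the spirit of a CIS-style sshd hardening guide. The
# values are illustrative choices for this example, not quoted from a benchmark.
# A "<=N" expected value is compared numerically; anything else must match exactly.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "<=4",
}


def parse_sshd_config(text: str) -> dict:
    """Parse sshd_config text into {keyword: value}.

    Two sshd rules matter for auditing: keywords are case-insensitive, and for
    each keyword sshd uses the FIRST value it sees, so a later line does not
    override an earlier one. Keyword and value may be separated by whitespace
    or by '='. Lines after a Match block are conditional and are skipped here
    (a simplification of this example).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)   # first occurrence wins, as in sshd
    return settings


def _meets(expected: str, actual: str) -> bool:
    """True when the configured value satisfies the baseline value."""
    if expected.startswith("<="):
        return actual.isdigit() and int(actual) <= int(expected[2:])
    return actual.lower() == expected.lower()


def check_baseline(settings: dict, baseline: dict = BASELINE) -> list:
    """Return [(keyword, expected, actual)] for every baseline item not met.

    A keyword absent from the file is reported with actual=None: the compiled-in
    default may or may not be safe, and a hardened image should state it explicitly.
    """
    failures = []
    for key, expected in baseline.items():
        actual = settings.get(key)
        if actual is None or not _meets(expected, actual):
            failures.append((key, expected, actual))
    return failures


# Constructed sample: a half-hardened config where someone appended the
# PasswordAuthentication fix at the bottom without removing the earlier line.
SAMPLE_CONFIG = """\
# constructed sshd_config for this example
Port 22
PasswordAuthentication yes
PermitRootLogin no
X11Forwarding no
MaxAuthTries 6
# appended later as a "fix"; sshd ignores it because the first value wins
PasswordAuthentication no
"""

# Constructed sample that meets every baseline item.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
"""


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        failures = check_baseline(parse_sshd_config(text))
        print(f"{name}: {'PASS' if not failures else 'FAIL'}")
        for key, expected, actual in failures:
            print(f"  {key}: expected {expected}, got {actual}")
```

Three findings come out of the first config: the password-authentication line that sshd actually honours is the weak one, `PermitEmptyPasswords` is never set, and `MaxAuthTries 6` exceeds the limit. A real hardening pipeline would run checks like this against the built image (and the other items in the policy text above: services, ports, ciphers, default accounts) before the image is allowed to deploy.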