Commit 7e29d94

Add answer to CVE and CVSS question (bregman-arie#231)
* Add answer to CVE and CVSS question

  Question: Explain CVE and CVSS
  What do you think?

* Update answer CVE and CVSS question

  Details added + some links
1 parent 7d46757 commit 7e29d94

1 file changed

+6
-0
lines changed

exercises/security/README.md

@@ -256,6 +256,12 @@ You can test by using a stored procedure, so the application must be sanitize th
256256

257257
<details>
258258
<summary>Explain CVE and CVSS</summary><br><b>
259+
260+
[Red Hat](https://www.redhat.com/en/topics/security/what-is-cve#how-does-it-work) : "When someone refers to a CVE (Common Vulnerabilities and Exposures), they mean a security flaw that's been assigned a CVE ID number. They don’t include technical data, or information about risks, impacts, and fixes." So CVE is just identified by an ID written with 8 digits. The CVE ID have the following format: CVE prefix + Year + Arbitrary Digits.
261+
Anyone can submit a vulnerability, [Exploit Database](https://www.exploit-db.com/submit) explains how it works to submit.
262+
263+
Then CVSS stands for Common Vulnerability Scoring System, it attemps to assign severity scores to vulnerabilities, allowing to ordonnance and prioritize responses and ressources according to threat.
264+
259265
</b></details>
260266

261267
<details>
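
Review bot: In added line 260, "an ID written with 8 digits" is inaccurate and contradicts the format given in the very next sentence ("CVE prefix + Year + Arbitrary Digits"): the sequence part after the year is four or more digits, so the ID has no fixed digit count. Suggest dropping the digit count and writing the format as CVE-YYYY-NNNN, and fixing "The CVE ID have" to "has". In line 261, the Exploit Database link covers submitting exploits to that archive, which is a different process from getting a CVE ID assigned; CVE IDs are issued by CVE Numbering Authorities (CNAs), so the sentence should either point there or say explicitly that Exploit-DB is a separate database. Line 263 has typos ("attemps", "ressources"), and "allowing to ordonnance" should read something like "allowing teams to rank"; the answer would also be more useful if it stated that CVSS scores run from 0.0 to 10.0.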
