This Recommendation on the use of common vulnerabilities and exposures (CVE) provides a "structured means" for the global exchange of information on publicly known, mature vulnerabilities and exposures that are detected by security tools or otherwise become public. This "structured means" is often referred to as "CVE Compatibility" and defines the correct use of CVE. An information security vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network. An information security exposure is a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network. The assignment of CVE identifiers is not within the scope of this Recommendation. This Recommendation is technically equivalent to and compatible with version 1.2 of the "Requirements and Recommendations for CVE Compatibility," 1 October 2009, which can be found at the website [cve.mitre.org/compatible/requirements.html].