# Vulnerability and vulnerability assessment

**What is a vulnerability?**

A vulnerability is a flaw or misconfiguration in software, hardware or settings that lets an attacker into a system. A vulnerability assessment searches for these points systematically and rates their risk.

Publicly known vulnerabilities get a globally unique identifier, the CVE number, and a severity score under the CVSS scheme. Both are freely available. Attackers work from the same public sources as auditors do.

The practical lever is installing security updates. Just as important is documenting the systems that fall outside the update process, such as machine controllers or old industry software. Those systems need a conscious decision and protection at the network level.

## Related terms
- [Vulnerability scan](https://vetosec.at/en/it-security/schwachstellenscan/)
- [Patch management and updates](https://vetosec.at/en/it-security/patch-management/)
- [Zero-day vulnerability](https://vetosec.at/en/it-security/zero-day/)

## Source
https://vetosec.at/en/it-security/schwachstelle/ (vetosec, grundlagen)
