What is a CVE?
Common Vulnerabilities and Exposures (CVE) is the industry standard way of publishing security vulnerabilities in software. It dates back to 1999 and was funded by the US government.
CVEs are published as identifiers starting with CVE, then the year, then a sequence number: CVE-{year}-{number}. For example, CVE-2025-55182. Each CVE covers one vulnerability; a description is added explaining the issue, and a score indicates how urgent it is. For example, CVE-2025-55182 has a severity score of 10, which is very bad and needs to be patched as fast as possible.
The severity is typically measured using the CVSS (Common Vulnerability Scoring System). A high score, such as 10, indicates a critical vulnerability that should be patched immediately, while a lower score suggests the issue is harder to exploit or has less severe consequences.
What happens when a CVE is published for software I use?
When a CVE is published for software you use, it means a publicly known security vulnerability has been identified in one of your dependencies, services, or systems. At that point, attackers may begin analysing the vulnerability, and in some cases exploits become available very quickly.
Typically, the software vendor will release a security advisory and, if possible, a patched version or mitigation guidance. Your responsibility is to determine whether you are affected, assess the severity of the issue, and decide how urgently it needs to be addressed.
If the vulnerable component is exposed to the internet or runs with high privileges, even a medium-severity CVE can be a serious risk. On the other hand, a critical CVE might be less urgent if the affected feature is not enabled or reachable in your environment. Understanding the CVE details and your own setup is essential for determining the right action.
Where to find CVEs
One of the primary sources for CVE information is the National Vulnerability Database (NVD). The NVD aggregates CVE data and enriches it with severity scores, affected products, and additional metadata. It serves as the authoritative reference for many tools and security teams, even though it may not always be the fastest source when a vulnerability is first disclosed.
Many other organizations and governments consume and republish this same data. For example, the Dutch National Cyber Security Centre (NCSC) publishes CVE information and security advisories based on NVD data, often adding local context and guidance for organizations in the Netherlands. Similar initiatives exist in other countries, providing region-specific recommendations while relying on the same underlying CVE identifiers.
Because most of these platforms are derived from the same source, they tend to contain largely overlapping information. The main differences are in how the data is presented, enriched, or prioritized, rather than in the CVEs themselves.
While the NVD is a comprehensive and authoritative source, manually browsing it is cumbersome and inefficient. Hundreds of new or updated CVEs are added every week, many of which will never apply to your software, infrastructure, or configuration.
Searching through the database, reading individual entries, and determining relevance requires significant time and expertise. Even then, it’s easy to miss important details such as affected versions, specific configurations, or whether a vulnerability is actually exploitable in your environment.
For small environments this may be manageable, but as your software stack grows, manual CVE tracking quickly becomes impractical. This is why most teams move away from manual monitoring and rely on automation, filtering, and tooling to surface only the vulnerabilities that truly matter.
Method One: Hope you find it
The least effective way to catch CVEs is to simply hope you stumble across them. This usually means finding out about a vulnerability through news articles, social media, blog posts, or after someone else points it out.
While vulnerabilities with high CVSS scores sometimes make headlines, most CVEs never do. Many serious issues are quietly disclosed in vendor advisories or databases like the NVD, without widespread attention. Relying on chance means you’re likely to learn about vulnerabilities late or not at all.
This approach also tends to be reactive rather than proactive. By the time a vulnerability is trending online, attackers may already be exploiting it. In short, hoping to “hear about it” is unreliable, risky, and doesn't scale.
Method Two: Mailing lists
Mailing lists are a more proactive way to learn about new CVEs. Many software vendors, open-source projects, and security communities publish vulnerability disclosures through dedicated security mailing lists. Subscribing to these can give you early visibility into issues that affect the software you use.
Examples include vendor-specific security lists, open-source project announcements, and broader security lists such as OSS-Security. These often contain detailed technical information, mitigation steps, and links to patches, making them valuable for understanding the real impact of a vulnerability.
However, mailing lists come with their own challenges. They can be noisy, unstructured, and difficult to filter. Important alerts may get buried among less relevant messages, and keeping track of multiple lists quickly becomes overwhelming. While mailing lists are a significant improvement over hoping to find a CVE by chance, they still require manual effort and constant attention.
Method Three: Automated tools
Automated tools are by far the most reliable way to track CVEs at scale. These tools continuously monitor CVE databases and advisories, match vulnerabilities against your software stack, and alert you when something relevant appears. This removes most of the manual work and significantly reduces the chance of missing critical issues.
Enterprise security platforms like CrowdStrike Spotlight offer deep integration, asset awareness, and prioritization based on real-world exploitability. The downside is cost: these solutions are powerful, but often out of reach for smaller teams or individual developers.
There are also more accessible alternatives. OpenCVE, for example, is an open-source and self-hostable platform that tracks CVEs and allows you to subscribe to specific vendors or products. It provides a good balance between control and automation, especially if you’re comfortable running your own tooling.
Another option is Vigilant, which focuses specifically on website monitoring and includes CVE monitoring. It provides alerts and filtering to help you focus on vulnerabilities that matter to you, without requiring a full enterprise security stack. Tools like this are well-suited for teams that want timely notifications without the overhead of heavy infrastructure.
Automated tools turn CVE tracking from a manual, error-prone task into a continuous background process. While no tool completely replaces human judgment, automation is essential if you want to catch CVEs on time and respond before they become incidents.
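To make the matching step of such a tool concrete, here is an added example (written for this explanation, not code from any product named on this page). It extracts CVE identifiers from advisory text using the CVE-{year}-{number} format, matches a constructed list of CVE records against an inventory of installed components and versions, and ranks the hits by CVSS score with internet-exposed components first, following the exposure-based prioritization described earlier. The product names and the record shape are constructed for the example and are not the real NVD schema.

```python
import re
from dataclasses import dataclass

# CVE identifier format: CVE-{year}-{number}; the sequence number has at least four digits.
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")


def extract_cve_ids(text: str) -> list[str]:
    """Return every well-formed CVE identifier found in free text, e.g. a mailing-list post."""
    return [f"CVE-{year}-{number}" for year, number in CVE_ID_RE.findall(text)]


# Constructed sample records (simplified; not the real NVD schema):
# id, CVSS base score, affected product, and the first version that contains the fix.
SAMPLE_CVES = [
    {"id": "CVE-2025-0001", "score": 9.8, "product": "examplecms", "fixed_in": "6.4.2"},
    {"id": "CVE-2025-0002", "score": 5.3, "product": "examplecms", "fixed_in": "6.3.0"},
    {"id": "CVE-2025-0003", "score": 7.5, "product": "otherlib", "fixed_in": "2.0.0"},
]


@dataclass
class Asset:
    """One component in your stack (hypothetical inventory entry)."""
    product: str
    version: str
    internet_exposed: bool


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '6.3.5' into (6, 3, 5) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def relevant_cves(assets: list[Asset], cves: list[dict]) -> list[tuple]:
    """Match CVEs to installed components, drop those already fixed in the running
    version, and rank by CVSS score with internet-exposed assets first."""
    hits = []
    for asset in assets:
        for cve in cves:
            if cve["product"] != asset.product:
                continue
            if parse_version(asset.version) < parse_version(cve["fixed_in"]):
                hits.append((cve["id"], cve["score"], asset.product, asset.internet_exposed))
    # Sort key: exposure first, then score; reverse=True puts exposed, high-score hits on top.
    hits.sort(key=lambda hit: (hit[3], hit[1]), reverse=True)
    return hits
```

Running it with an inventory of `examplecms 6.3.5` (exposed) and `otherlib 1.9.0` (internal) yields CVE-2025-0001 first and CVE-2025-0003 second, while CVE-2025-0002 is dropped because 6.3.5 already contains its fix.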
How to choose the right method
The right way to track CVEs depends on what you are responsible for securing. For general software projects or libraries, a tool like OpenCVE can be sufficient, as it allows you to subscribe to specific products and vendors.
However, website owners face a unique set of challenges. Websites are built from components that change over time: CMS platforms, themes, plugins, and third-party dependencies. Keeping all of these safe involves more than just checking for raw CVE publications. Vigilant’s integrated monitoring means you can track vulnerabilities alongside uptime, broken links, performance, certificates, and DNS issues, all in one dashboard and with minimal setup.
As soon as security becomes an ongoing responsibility rather than an occasional task, manual tracking stops working. For website owners, tools that focus on real exposure, automatic detection, and clear alerts are essential.
Ultimately, the best method is the one that tells you when your website is actually at risk, without overwhelming you with irrelevant information. For website owners, that means using a tool built specifically for monitoring websites.
Conclusion
CVE tracking is essential for keeping software and websites secure, but the sheer volume of vulnerabilities published each week makes manual monitoring impractical. From hoping to stumble across CVEs online, to following mailing lists, to using automated tools, there are clear trade-offs in effectiveness, effort, and coverage.
For website owners, automated platforms like Vigilant provide a practical solution. By monitoring your site’s technologies and alerting you to relevant vulnerabilities, they turn CVE tracking from a time-consuming task into a continuous, actionable process. Combined with broader monitoring features, these tools help ensure that you catch critical issues before they can be exploited.
Ultimately, staying on top of CVEs requires a combination of the right tools, smart prioritization, and consistent attention. Using automation tailored to your environment lets you focus on what really matters: keeping your systems and websites secure.