What is a CVE, and how do you track and remediate vulnerabilities in your infrastructure?
A CVE (Common Vulnerabilities and Exposures) identifier is a public, vendor-neutral name for one known vulnerability, assigned by a CVE Numbering Authority (CNA) so that scanners, advisories and tickets all refer to the same issue. The CVE record itself is not a score: severity is rated separately with CVSS (0-10), usually by NVD or the vendor, and the two can disagree, which is why a scanner may show a different score than the vendor advisory for the same CVE.
Tracking and remediation workflow:
- Discovery: continuous scanning rather than a one-off audit: Trivy or Snyk in CI for container images, Dependabot for code dependencies, Amazon Inspector for EC2 instances. Scan on every build and re-scan deployed artifacts on a schedule, because new CVEs are published against images that have not changed.
- Triage: not every CVE needs immediate action. Prioritize by CVSS score, evidence of exploitation (for example the CISA Known Exploited Vulnerabilities catalog or an EPSS score), exposure (internet-facing or internal), and whether the vulnerable package or function is actually reachable from your code. Record the reasoning for anything you downgrade so it can be revisited.
- Remediation: rebuild on a patched base image, bump the dependency, or apply the vendor patch. When no fix is released yet, apply a mitigation (disable the affected feature, restrict network access, add a WAF rule) and re-check for a fix. Re-scan after the change to confirm the finding is actually gone.
- Tracking: open a ticket per finding (or per affected component) in your ticketing system with an SLA by severity (e.g., Critical = 24h, High = 7 days), and record accepted-risk exceptions with an owner and an expiry date so they do not become permanent.
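The four steps above as one small triage script, added here as an example and not code from any of the tools named. It reads a scan report whose shape loosely follows Trivy's JSON output (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity), applies the triage rules from the text (escalate anything known to be exploited, de-escalate findings in packages no code path uses, flag findings with no vendor fix as mitigation items), and stamps each resulting ticket with an SLA deadline. The report, the CVE identifiers in it, the known-exploited set, the reachable-package set and the Medium/Low SLAs are all constructed for illustration; the placeholder IDs are not real vulnerabilities.

```python
"""Triage a container-image scan report into ticket-ready remediation items.

Added example. The report below is constructed by hand and only loosely
follows the shape of Trivy's JSON output; the CVE identifiers in it are
placeholders, not real vulnerabilities. KNOWN_EXPLOITED, REACHABLE_PKGS and
the Medium/Low SLAs are assumptions.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Remediation SLAs per severity tier. Critical/High follow the text above;
# Medium/Low are assumed values for illustration.
SLA = {
    "CRITICAL": timedelta(hours=24),
    "HIGH": timedelta(days=7),
    "MEDIUM": timedelta(days=30),
    "LOW": timedelta(days=90),
}
TIERS = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample scan output (placeholder CVE IDs, fictional versions).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example/api:1.4.2",
    "Results": [{
        "Target": "registry.example/api:1.4.2 (debian 12.5)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libexample",
             "InstalledVersion": "1.2.0", "FixedVersion": "1.2.1",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libunused",
             "InstalledVersion": "3.0.0", "FixedVersion": "3.0.4",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-00003", "PkgName": "libparser",
             "InstalledVersion": "0.9.0", "FixedVersion": "",
             "Severity": "MEDIUM"},
        ],
    }],
})

# Assumed inputs an organisation maintains next to the scanner: IDs listed
# in an exploited-in-the-wild catalogue (e.g. CISA KEV), and the packages
# actually loaded by this image's running code.
KNOWN_EXPLOITED = {"CVE-0000-00003"}
REACHABLE_PKGS = {"libexample", "libparser"}

# Fixed timestamp so the sample run is reproducible.
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


@dataclass
class Ticket:
    cve: str
    package: str
    tier: str              # tier after triage adjustments
    scanner_severity: str  # tier as reported by the scanner
    action: str            # what the ticket asks the owner to do
    due: datetime
    rationale: str


def adjust_tier(severity: str, cve: str, pkg: str) -> tuple[str, str]:
    """Triage rules from the text: known exploitation escalates to CRITICAL,
    an unused package de-escalates one tier (never below LOW)."""
    idx = TIERS.index(severity.upper())
    if cve in KNOWN_EXPLOITED:
        return "CRITICAL", "actively exploited in the wild"
    if pkg not in REACHABLE_PKGS:
        return TIERS[max(idx - 1, 0)], "vulnerable package not on a used code path"
    return TIERS[idx], "scanner severity, package in use"


def triage(report_json: str, now: datetime) -> list[Ticket]:
    """Turn a scan report into tickets, earliest deadline first."""
    report = json.loads(report_json)
    tickets = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities", []):
            tier, why = adjust_tier(v["Severity"], v["VulnerabilityID"], v["PkgName"])
            if v.get("FixedVersion"):
                action = f"upgrade {v['PkgName']} {v['InstalledVersion']} -> {v['FixedVersion']}"
            else:
                # No vendor fix yet: the ticket tracks a mitigation and a re-check.
                action = f"no fix released for {v['PkgName']}; apply mitigation and re-check"
            tickets.append(Ticket(v["VulnerabilityID"], v["PkgName"], tier,
                                  v["Severity"], action, now + SLA[tier], why))
    return sorted(tickets, key=lambda t: t.due)


if __name__ == "__main__":
    for t in triage(SAMPLE_REPORT, SAMPLE_NOW):
        print(f"{t.due:%Y-%m-%d %H:%M} {t.tier:<8} {t.cve} {t.action} ({t.rationale})")
```

Running it on the constructed report puts the medium-rated finding first because it is in the known-exploited set (24h deadline, no fix available so the ticket asks for a mitigation), keeps the reachable HIGH at 7 days, and drops the CRITICAL in an unused package to HIGH. The scanner's original severity is kept on the ticket so the downgrade is visible and can be challenged later.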