Tags are one of the main ways we organize vulnerabilities in VHP. Tags can be gathered automatically, manually, or with a combination of both. The different types of tags are described below.
Lesson tags are about broader lessons that can be learned from that vulnerability. These are security principles and engineering pitfalls that we believe should be taught to all software engineers.
Discovered tags are about how the vulnerability was originally found.
Lifetime tags indicate how long we believe the vulnerability remained in the system.
CWE, or Common Weakness Enumeration, tags are manually assigned by curators to describe the particular type of vulnerability.
Subsystem tags are the curators' best efforts at determining what part of the system this vulnerability affected.
Project tags are the case study the vulnerability is from.
Language tags indicate the programming language of the source code that was fixed.
Severity tags are based on the CVSS score from the NVD.
Tags are sized by the number of times they have been applied. Tags applied to zero or one vulnerability are not shown.
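As an added illustration (not VHP's own code), the following implements the tagging rules above: it counts how often each tag in each category is applied across a set of vulnerability records, derives the severity tag from a CVSS score, hides tags applied to fewer than two vulnerabilities, and scales the remaining tags by count. The sample records and the CVSS-to-severity band mapping (NVD's CVSS v3.x qualitative ratings) are assumptions.

```python
from collections import Counter

# Constructed sample records (illustrative, not real VHP data). Each record
# carries tags in the categories the page lists; severity is derived from CVSS.
VULNS = [
    {"id": "V-1", "cvss": 9.8, "tags": {
        "lesson": ["input-validation"], "discovered": ["fuzzing"], "lifetime": ["years"],
        "cwe": ["CWE-787"], "subsystem": ["parser"], "project": ["ProjA"], "language": ["C"]}},
    {"id": "V-2", "cvss": 7.5, "tags": {
        "lesson": ["input-validation"], "discovered": ["fuzzing"], "lifetime": ["months"],
        "cwe": ["CWE-787"], "subsystem": ["network"], "project": ["ProjA"], "language": ["C"]}},
    {"id": "V-3", "cvss": 5.3, "tags": {
        "lesson": ["input-validation"], "discovered": ["code-review"], "lifetime": ["years"],
        "cwe": ["CWE-20"], "subsystem": ["parser"], "project": ["ProjB"], "language": ["Python"]}},
]

def cvss_severity(score):
    """Map a CVSS v3.x base score to NVD's qualitative rating bands.
    Assumed here to be the mapping VHP's severity tags follow."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

def count_tags(vulns):
    """Count how many vulnerabilities each (category, tag) pair was applied to."""
    counts = Counter()
    for v in vulns:
        tags = dict(v["tags"])
        tags["severity"] = [cvss_severity(v["cvss"])]
        for category, names in tags.items():
            for name in set(names):  # a tag counts once per vulnerability
                counts[(category, name)] += 1
    return counts

def tag_cloud(vulns, min_count=2, lo=10, hi=30):
    """Return {(category, tag): (count, font_size)} for tags applied at least
    min_count times; font size scales linearly with count up to the largest."""
    counts = count_tags(vulns)
    shown = {k: c for k, c in counts.items() if c >= min_count}
    if not shown:
        return {}
    top = max(shown.values())
    return {k: (c, round(lo + (hi - lo) * c / top)) for k, c in shown.items()}
```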