From 7e29d945ba9d67951eb92ebe1539fa012ff16ec7 Mon Sep 17 00:00:00 2001
From: laumane <58359255+laumane@users.noreply.github.com>
Date: Wed, 4 May 2022 07:43:13 +0200
Subject: [PATCH] Add answer to CVE and CVSS question (#231)
* Add answer to CVE and CVSS question
Question: Explain CVE and CVSS
What do you think?
* Update answer CVE and CVSS question
Details added + some links
---
exercises/security/README.md | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/exercises/security/README.md b/exercises/security/README.md
index a479705..cc597d7 100644
--- a/exercises/security/README.md
+++ b/exercises/security/README.md
@@ -256,6 +256,12 @@ You can test by using a stored procedure, so the application must be sanitize th
Explain CVE and CVSS
+
+ [Red Hat](https://www.redhat.com/en/topics/security/what-is-cve#how-does-it-work) : "When someone refers to a CVE (Common Vulnerabilities and Exposures), they mean a security flaw that's been assigned a CVE ID number. They don’t include technical data, or information about risks, impacts, and fixes." So CVE is just identified by an ID written with 8 digits. The CVE ID have the following format: CVE prefix + Year + Arbitrary Digits.
+ Anyone can submit a vulnerability, [Exploit Database](https://www.exploit-db.com/submit) explains how it works to submit.
+
+Then CVSS stands for Common Vulnerability Scoring System, it attemps to assign severity scores to vulnerabilities, allowing to ordonnance and prioritize responses and ressources according to threat.
+
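Review bot: The sentence "So CVE is just identified by an ID written with 8 digits" in the first added paragraph is inaccurate and contradicts the format given right after it ("CVE prefix + Year + Arbitrary Digits"): the year is four digits and the sequence part is at least four digits but may be longer (for example seven digits), so the ID has no fixed length; suggest dropping the "8 digits" claim and keeping only the format description, e.g. "A CVE ID has the form CVE-YYYY-NNNN, where the sequence number has four or more digits." The second added line is also misleading: the linked Exploit Database page describes submitting exploits to Exploit-DB, not obtaining a CVE ID, which is assigned by MITRE or a CVE Numbering Authority (CNA); either reword it to "anyone can report a vulnerability to a CNA to request a CVE ID" or remove the Exploit-DB reference. Finally, the CVSS paragraph has typos and untranslated French ("attemps", "ordonnance", "ressources") and would read better as: "CVSS stands for Common Vulnerability Scoring System; it assigns a numeric severity score to a vulnerability so responses and resources can be prioritized according to the threat." The leading "Then" should be dropped, and the indentation of the first two added lines should match the rest of the README (no leading space after the "+").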