How to Manage CVEs

Course 2 of 6 in Chainguard Discovery: Partner Sales Foundations

Learn how to detect, prioritize, and fix software vulnerabilities. Explore tools like SBOMs, scanners, and OpenVEX to confidently manage CVEs across your software supply chain.


About this course

Knowing that software vulnerabilities exist is one thing. Managing them is another thing altogether.

In this course, you’ll learn how to identify, prioritize, and remediate Common Vulnerabilities and Exposures (CVEs) in your software systems. You’ll start by exploring Software Bills of Materials (SBOMs), structured inventories that give you visibility into what’s running in your codebase. Then, you’ll dive into vulnerability scanners, learning how they detect issues and why false positives (and negatives) can make life tricky.

You’ll also get hands-on with VEX and OpenVEX, frameworks that help filter out low-priority vulnerabilities and share security insights across teams. By the end, you’ll understand the full lifecycle of CVE management—from discovery and triage to remediation and attestation—and how modern tools are making it faster and more reliable.

Whether you’re new to vulnerability management or looking to improve your team’s workflow, this course gives you the practical foundations for handling CVEs with confidence.

By the end of this course, you will be able to:

  • Explain the purpose and structure of a Software Bill of Materials (SBOM).
  • Evaluate the quality of an SBOM and describe the NTIA’s “minimum elements.”
  • Use vulnerability scanners to identify and assess CVEs in container images.
  • Distinguish between true positives, false positives, and false negatives in scanner results.
  • Apply strategies for triaging vulnerabilities based on severity, exploitability, and business impact.
  • Describe the role of VEX and OpenVEX in filtering and communicating vulnerability information.
  • Outline the process of remediating vulnerabilities through patching, configuration, and verification.
  • Understand how attestation and provenance strengthen vulnerability management practices.

Curriculum

  • The Painful Toil of CVE Purgatory
  • Sassy SBOMs Steal the Spotlight!
  • SBOM Elements, Quality, and Tools
  • Scanning the Great Universe of CVEs
  • Ok, But Can We Get Rid of Them Now?
  • Getting Started with OpenVEX and vexctl 🛠️
  • Wrap Up
  • Test Your Knowledge!

Learn the tools and fundamentals of vulnerability management and why it's critical that every developer understand it.