    MedTech Terms - The authoritative reference
    Compare: two terms, side by side

    Each comparison shows definitions, context, pitfalls, and sources in parallel. This page compares Common Vulnerabilities and Exposures (CVE) with the Common Vulnerability Scoring System (CVSS).

    Cybersecurity

    Common Vulnerabilities and Exposures (CVE)

    In one line
    A globally unique identifier for a publicly disclosed cybersecurity vulnerability.
    Definition
    Common Vulnerabilities and Exposures (CVE) is a public catalog of disclosed cybersecurity vulnerabilities, each assigned a unique CVE ID (e.g., CVE-2024-12345). The program is operated by MITRE and sponsored by CISA. CVE IDs are the lingua franca of vulnerability management - they let manufacturers, hospitals, researchers, and security tooling refer to the same vulnerability unambiguously across SBOMs, advisories, vulnerability scanners, and patch notes.
    Why it matters
    Modern MedTech vulnerability programs ingest CVE feeds (NVD, OSV.dev, vendor advisories) automatically, match them against each device's SBOM, and route confirmed-applicable CVEs into the existing CAPA or post-market surveillance workflow. VEX statements communicate exploitability decisions to operators so hospitals don't have to triage every CVE themselves.
    Common pitfalls
    • Treating CVSS score alone as the prioritization signal - exploitability and reachability matter more than headline severity.
    • Manually tracking CVEs without automation against the SBOM - humans miss them.
    • Failing to publish VEX statements, leaving hospitals to assume every CVE in the SBOM is exploitable.
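The workflow in "Why it matters" above, as an added example (not code from the MedTech Terms glossary or from any vendor's tooling): a CVE feed is matched against a device SBOM by product and version range, VEX statements are attached, and only findings that are still applicable are routed onward. The SBOM, the CVE records (CVE-0000-* are placeholder IDs, not real advisories) and the VEX statements are all constructed for illustration; the status vocabulary follows CSAF/OpenVEX.

```python
# Added example, not code from the MedTech Terms glossary or any vendor's
# tooling. It walks the workflow described above: match a CVE feed against a
# device SBOM, apply VEX statements, and route what is left to CAPA.
# All components, CVE records (placeholder IDs) and VEX statements below
# are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One SBOM entry: package name and the exact version shipped on the device."""
    name: str
    version: str


@dataclass(frozen=True)
class CveRecord:
    """One advisory from a feed (NVD/OSV-style), reduced to what matching needs.
    affected_from is inclusive; fixed_in is exclusive (first version that fixes it)."""
    cve_id: str
    product: str
    affected_from: tuple
    fixed_in: tuple
    cvss_base: float


def parse_version(text):
    """'1.2.13' -> (1, 2, 13); tuples compare component-wise, unlike strings."""
    return tuple(int(p) for p in text.split("."))


def is_affected(component, record):
    """True when the SBOM component falls inside the advisory's version range."""
    if component.name != record.product:
        return False
    return record.affected_from <= parse_version(component.version) < record.fixed_in


# Constructed SBOM for a hypothetical device image.
SBOM = [
    Component("openssl", "3.0.8"),
    Component("zlib", "1.2.13"),
    Component("busybox", "1.36.1"),
]

# Constructed feed. CVE-0000-* are placeholders, not real CVE IDs.
FEED = [
    CveRecord("CVE-0000-0001", "openssl", (3, 0, 0), (3, 0, 9), 7.5),
    CveRecord("CVE-0000-0002", "zlib", (1, 2, 0), (1, 2, 14), 9.8),
    CveRecord("CVE-0000-0003", "busybox", (1, 37, 0), (1, 38, 0), 6.5),
]

# Constructed VEX statements keyed by (CVE, product). Status vocabulary follows
# CSAF/OpenVEX: affected, not_affected, fixed, under_investigation.
VEX = {
    ("CVE-0000-0002", "zlib"): ("not_affected", "vulnerable_code_not_in_execute_path"),
}


def triage(sbom, feed, vex):
    """Match every SBOM component against the feed and attach the VEX status.
    Anything without a statement yet is 'under_investigation', never silently dropped."""
    matches = []
    for component in sbom:
        for record in feed:
            if not is_affected(component, record):
                continue
            status, justification = vex.get(
                (record.cve_id, component.name), ("under_investigation", ""))
            matches.append({
                "cve_id": record.cve_id,
                "component": f"{component.name}@{component.version}",
                "cvss_base": record.cvss_base,
                "status": status,
                "justification": justification,
            })
    # Highest Base score first; the CVSS entry explains why that is only a start.
    return sorted(matches, key=lambda m: m["cvss_base"], reverse=True)


def route_to_capa(matches):
    """Only applicable-and-unresolved findings enter CAPA / post-market surveillance."""
    return [m for m in matches if m["status"] in ("affected", "under_investigation")]


if __name__ == "__main__":
    for m in triage(SBOM, FEED, VEX):
        print(m)
    print("to CAPA:", [m["cve_id"] for m in route_to_capa(triage(SBOM, FEED, VEX))])
```

Note that the zlib finding carries the highest Base score yet never reaches CAPA, because the VEX statement marks it not affected, while the openssl finding with no statement stays in the queue as under investigation. That is the difference between a feed match and a confirmed-applicable CVE, and it is exactly what the published VEX saves the hospital from re-deriving.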
    Cybersecurity

    Common Vulnerability Scoring System (CVSS)

    In one line
    An industry-standard 0–10 score that quantifies the severity of a software vulnerability.
    Definition
    The Common Vulnerability Scoring System (CVSS) is an open, industry-standard framework - currently at version 4.0 (2023) - for assigning a numeric severity score (0.0–10.0) to a software vulnerability. CVSS produces three score types: Base (intrinsic characteristics), Temporal/Threat (how exploitability evolves), and Environmental (impact in a specific deployment). NVD publishes Base scores for every CVE; manufacturers and operators apply Temporal and Environmental adjustments locally.
    Why it matters
    CVSS is most useful as a starting point for triage. Mature MedTech teams take the NVD Base score, apply Environmental modifiers (is the vulnerable code path reachable in our device? is the affected interface exposed?), and combine the result with clinical-harm severity from ISO 14971 to make patch-priority decisions.
    Common pitfalls
    • Patching by Base score alone - high-CVSS vulnerabilities in unreachable code waste cycles; low-CVSS vulnerabilities that bridge networks may be urgent.
    • Ignoring Environmental metrics - they're the whole point of bringing CVSS into a device-specific risk decision.
    • Reporting CVSS scores to operators without your VEX exploitability assessment.

    Why compare MedTech terms side by side?

    MedTech terminology is full of pairs that look interchangeable but carry very different regulatory, clinical, and commercial consequences. Picking the wrong framework, pathway, or standard early in a project can add months to a submission, invalidate clinical evidence, or trigger an audit finding. Side-by-side comparison is the fastest way to surface those differences before they become costly mistakes.

    Each comparison on this page pulls from the same vendor-neutral, sourced definitions used throughout the MedTech Terms glossary. You see the one-line summary, the formal definition, why it matters in practice, common pitfalls, and the primary sources (FDA guidance, EU MDR/IVDR articles, ISO/IEC standards, MDCG documents, IMDRF principles) that back each entry. That makes the comparison defensible in regulatory strategy memos, design reviews, and submission narratives.


    How to use this tool

    Pick term A and term B from the dropdowns, or click a preset above. The URL updates with both slugs so you can bookmark or share the exact comparison with a colleague, a notified body reviewer, or your regulatory consultant. Click Open full page on either side for the complete entry, including FAQs, related terms, and the full citation list. If you are not sure which term to start with, browse the Categories view or the A-Z index.

    MedTech Terms is a vendor-neutral community resource sponsored by Blue Goat Cyber. Definitions are written for educational use and are not legal or regulatory advice.