User:Guninvalid/Notability of vulnerabilities

From Wikipedia, the free encyclopedia

Vulnerabilities are extremely common in any substantial system or application. Some are catastrophic, potentially allowing complete system compromise or even leading to human death. Some are better described as typos. Not every vulnerability is notable. This essay briefly describes factors that can make a vulnerability notable enough either for a standalone article or for inclusion on a broader page.

Standalone notability

For any topic to meet notability for a standalone article, it must meet Wikipedia's policies on notability. For vulnerabilities, the gold standard is that they should have been described in detail in papers published in journals, preferably more than one.

CVEs rarely meet this line without being given a proper name. As a general rule, if a CVE is only known by its number, it is not notable enough for an article. On the other hand, if there is an established common name that is different from the CVE, it is likely that the name was given in published journal papers, and thus it is likely to be notable. Notable CVEs include Heartbleed (CVE-2014-0160).

Application notability

Many CVEs do receive significant coverage, but much of it is considered run-of-the-mill. In these cases, if a significant number of articles discuss the vulnerability in depth, it may be considered notable enough for inclusion in the article on the application itself, such as CVE-2025-22230, currently listed under VMware#Incidents.