From helpnetsecurity.com
When considering vulnerability management’s purpose in a modern world, it’s imperative to recognize the huge transition to new technologies and how you manage risk within these different paradigms and environments (e.g., the cloud). Patch network security isn’t applicable in the same way for cloud environments, and few cloud providers assign Common Vulnerabilities and Exposures (CVE) identifiers to vulnerabilities.
For vulnerability management teams who talk exclusively in this CVE-based construct, the lack of CVEs in cloud services is a significant challenge. With cloud-specific vulnerabilities littering the news every week, the question of whether cloud service providers should use CVE identifiers (or something like it) is more relevant than ever.