A short reference for the words you will see repeated in the docs and the app.

CVE

Common Vulnerabilities and Exposures. A unique ID assigned to a publicly disclosed vulnerability in a piece of software. Format is CVE-YYYY-NNNNN, where the year is when the ID was assigned (not necessarily when the bug was reported) and the number is a sequential counter.

CVSS

Common Vulnerability Scoring System. A score from 0.0 to 10.0 that summarises how bad a CVE is. The score is computed from several base metrics (attack vector, complexity, privileges required, user interaction, scope, and the impact on confidentiality, integrity, and availability). CVSS is shown on each lab when it is available.

Severity

A coarse bucket derived from CVSS:
  • Low: 0.1 to 3.9
  • Medium: 4.0 to 6.9
  • High: 7.0 to 8.9
  • Critical: 9.0 to 10.0

Severity is what the lab card shows. The numeric CVSS is on the lab detail page.

Sandbox

A private container the platform spins up for you when you open a lab or challenge. It runs the vulnerable application, has a private URL only you can reach, and is destroyed when you stop it or when its time budget runs out. See sandboxes.

Lab

A five-step walkthrough of a real CVE, with a brief, the vulnerable code, a reproduction, the patch, and a hardening discussion. Each step has one multiple-choice question. See guided labs.

Challenge

A target with a real CVE behind it and a flag to capture, but no walkthrough. You launch the sandbox, exploit the bug, and submit the flag. See challenges.

Flag

A short string the platform plants inside a challenge sandbox in a place only an attacker who has actually exploited the bug can reach. Submitting the correct flag completes the challenge.

First blood

The first person to complete a lab or capture the flag on a challenge after it ships. Their handle and the timestamp are recorded on the lab or challenge page.

XP

Experience points. Awarded per question on the first correct answer (for labs) or for completing a challenge. XP is the basis of leaderboard ranking. It does not decay and cannot go down.

Streak

The number of consecutive days you have answered at least one question correctly. The current and longest streaks both appear on your profile. The clock runs in the time zone you set in settings.

Handle

Your username on the platform. Lowercase letters, numbers, and dashes. Shows up in URLs (/u/your-handle), on the leaderboard, and on first blood records. Different from display name, which is freely changeable.

Display name

The friendly label next to your avatar. Change it any time in settings. Does not affect your handle or your URL.

MCQ

Multiple-choice question. The platform’s question format: four labelled choices, one correct answer. See questions and XP.

Dwell

The three-second wait between when a question loads and when the submit button becomes clickable. Designed to make you read.

Patch log

The chronological record of every lab and challenge you have completed. Shows on your profile, public and private. Doubles as a portfolio.

Heatmap

The calendar visualisation of your daily activity. Each square is a day, coloured by how many questions you answered correctly that day. On the dashboard and on the profile.

Badge

A milestone marker. Some are easy (first lab completed); some take a while (long streaks, multiple bugs in a class). They live on the badge wall on your profile.

Vulnerability class

A category of bug. Examples: SQL injection, path traversal, server-side request forgery, prototype pollution, insecure deserialization, command injection. The labs catalog can be filtered by class.

PoC

Proof of concept. A minimal demonstration that a vulnerability can be exploited. Most labs include a PoC in the reproduce step.

Upstream advisory

The vendor’s published note about a CVE, usually with affected versions, the patch commit, and a workaround if one exists. Linked from each lab when the advisory is public.