
One of the questions on the Professional Cloud Architect exam asks how you would research a list of Linux CVEs your security team handed you, in the context of a migration to Google Cloud. The phrasing varies, but the answer pattern is the same every time: check the Google Cloud Security Bulletins, and open a support case for guidance specific to your migration.
This article walks through what each of those resources is, why both show up as correct answers, and which lookalike options are designed to trip you up.
A CVE, short for Common Vulnerabilities and Exposures, is a public identifier for a known security flaw in a piece of software. The list is maintained by MITRE and used across the industry as a shared reference. When your security team says "here are the CVEs that affect our Linux fleet," they are giving you a list of well-documented vulnerabilities with assigned IDs that any vendor or researcher can look up.
The exam scenario is almost always a migration. You are moving an application from a private data center to Google Cloud, and someone hands you a list of CVEs. The question is what you do next to figure out how those vulnerabilities affect the move.
The first correct answer is to check the Google Cloud Security Bulletins. These are published by Google and describe how specific CVEs affect Google Cloud services. If a kernel-level vulnerability impacts Compute Engine, GKE, or Cloud Run, the bulletin will say so. It will also describe what Google has already patched on the platform side and what you, as the customer, still need to do on your own VMs or container images.
This is the right starting point because it tells you whether your migration target is already exposed, already mitigated, or somewhere in between. You do not have to guess, and you do not have to ask Google whether their managed components are patched. The bulletins are the public record.
The second correct answer is to open a support case. The bulletins are general. Your migration is specific. You have a particular application, particular dependencies, particular network and identity configuration. Support engineers can take your CVE list and your migration design and give you guidance that the bulletins cannot, because the bulletins do not know what you are deploying.
On the exam, both answers are correct because they cover two different layers. The bulletins tell you what is true about Google Cloud as a platform. Support tells you what is true about your migration in particular.
The distractors on this kind of question are usually:
If you see "Security Bulletins" and "open a support case" in the answer list, those are almost always the two you want.
The pattern to memorize is short. CVEs are public vulnerability IDs. Google Cloud Security Bulletins tell you how those CVEs affect Google Cloud services. Google Cloud Support tells you how those CVEs affect your specific workload. Anything else (status dashboards, forums, raw CVE entries) is not the answer the Professional Cloud Architect exam is looking for in this scenario.
My Professional Cloud Architect course covers CVEs and Google Cloud support workflows alongside the rest of the architecture and compliance material.