|
CVE-Compatible Products and Services
The products and services listed below have achieved the final stage of MITRE's formal CVE
Compatibility Process and are now "Officially CVE-Compatible." Each organization's product is now eligible to use the CVE-Compatible Product/Service logo, and their completed and reviewed "CVE
Compatibility Requirements Evaluation" questionnaires are posted here and on the Organizations
Participating page as part of their product listings.
Products that have completed the compatibility process and are awaiting review by MITRE are posted below in the Compatible
- Under Review section.
Organizations are listed alphabetically:
A |
B |
C |
D |
E |
F |
G |
H |
I |
J |
K |
L |
M |
N |
O |
P |
Q |
R |
S |
T |
U |
V |
W |
X |
Y |
Z
AdventNet, Inc.Quote/Declaration: "AdventNet is pleased to support CVE names in the vulnerability database of the
SecureCentral product line, as part of our commitment to embracing industry
standards." | Last Updated: September 29, 2008 |
|
Archer TechnologiesQuote/Declaration: "Archer Technologies Enterprise Security Management is a knowledge management system
for the collection, management and distribution of critical security content such as
vulnerabilities, technical baselines, control standards and information security
policies as they relate to specific risk that IT assets face within the enterprise. The
Archer Technologies product suite strongly supports the CVE standard, which greatly
assists in our integration with other security products and vendors. The CVE mapping
enables our clients to intelligently analyze, cross reference and search vulnerabilities
that affect their organization."
— Jon Darbyshire, CEO, Archer Technologies LLC | Last Updated: March 12, 2008 |
|
ArcSight, Inc.Quote/Declaration: "As a pioneer and leading provider of security management solutions for the enterprise
ArcSight actively promotes and supports open systems standards such as CVE. ArcSight
uses cross-device correlation to detect sophisticated multi-source, multi-target attacks
while keying into the correct policies and procedures for response via the CVE names. It
enables security experts and IT managers to cross-correlate information and references
about different threats reported by disparate security products and solutions
— a necessity to understand the real impact of vulnerabilities and
attacks." | Last Updated: September 25, 2008 |
|
Assuria LimitedQuote/Declaration: "Assuria Auditor (formerly ISS System Scanner) was previously certified as ISS System
Scanner. Assuria have enhanced and added functionality and features around CVE reporting
in the product." | Last Updated: February 19, 2008 |
|
Beijing Topsec Co., Ltd.| Last Updated: October 19, 2009 |
|
Beijing Venus Information Security Technology, Inc.Quote/Declaration: "Venus Information Technology, Inc. aims to provide users a series of network security
products along with our own independent intellectual property and complied with
international standard, CVE. Beyond product, we can deliver customers life-cycle
services including consulting, design, implementation, maintenance and training."
— Helen Wang | Last Updated: September 29, 2008 |
|
Beyond Security Ltd.Quote/Declaration: "Beyond Security Ltd.'s Automated Scanning provides users with a complete picture of
the security of their organization by leveraging the huge SecuriTeam.com knowledgebase.
As such, we see high importance for the CVE naming scheme, which provides a global
independent reference for known security vulnerabilities." | Last Updated: September 29, 2008 |
|
CAQuote/Declaration: "As a respected member of the MITRE CVE Editorial Board and a global leader in
security, Computer Associates International, Inc (CA) is fully committed to supporting
the MITRE CVE Initiative. With the increasing number of vulnerabilities, CA recognizes
the need and the importance for a common vulnerability naming and enumerating standard.
CA Threat Research Team leverages the CVE List by correlating our vulnerability database
with the MITRE CVE List. By providing this information to our customers through our
Threat Management products — eTrust Vulnerability Manager, and eTrust
Policy Compliance, users can quickly and accurately identify a common vulnerability name
and number, and in addition cross-reference this information with other sources and
products that are CVE-compatible." | Last Updated: September 16, 2008 |
|
CatbirdQuote/Declaration: "Catbird V-Security is a comprehensive security and compliance solution for virtual
and physical infrastructures, delivering best-practice security for Hypervisor, Guest
VMs and Policy/Regulatory Compliance. Cross-indexing the CVE in reports we present to
our partners and customers assists them in building effective security programs." | Last Updated: December 4, 2009 |
|
Critical WatchQuote/Declaration: "Critical Watch supports MITRE's CVE program for standardizing a naming scheme for
vulnerabilities. Incorporating CVE names into our enterprise vulnerability management
solution enables our customers to act swiftly and confidently to collapse windows of
exposure."
— Nelson Bunker Chief Security Officer | Last Updated: September 29, 2008 |
|
DragonSoft Security Associates, Inc.Quote/Declaration: "DragonSoft Security Associates, Inc. believes that CVE provides the correct direction
to a uniform and consistent representation of vulnerabilities and exposures information.
As a company which research and design vulnerabilities and exposures detecting software,
we are very desirous to providing CVE compatible product to our customers that
researches and designs software for detecting vulnerabilities and exposures, we believe
it is important to provide CVE-compatible products to our customers." | Last Updated: April 30, 2007 |
|
Easy Solutions, Inc.Quote/Declaration: "As a leader and innovation in the security industry, Easy Solutions, Inc. is pleased to announce compatibility with the CVE Initiative"
— Ricardo E. Villadiego, Regional Director, Americas, Easy Solutions, Inc. | Last Updated: November 27, 2009 |
|
eEye Digital SecurityQuote/Declaration: "eEye Digital Security is an innovative leader in vulnerability and security research,
providing security solutions that help businesses and users protect their systems and
intellectual property from compromise. eEye enables secure computing through
world-renowned research and innovative technology, supplying the world's largest
businesses with an integrated and research-driven vulnerability assessment, intrusion
prevention, and client security solution. eEye is pleased to support the CVE Initiative
and will continue to promote the standardization of the CVE naming convention and
vulnerability identification. " | Last Updated: March 3, 2009 |
|
FuJian RongJi Software Company, LtdQuote/Declaration: "FuJian RongJi Software Company, Ltd., in association with the Institute of High
Energy Physics, the Chinese Academy of Sciences, has developed the RJ-iTop Network
Vulnerability Scanner System, which provides CVE Output and is CVE Searchable. In
addition, its database is fully searchable by keyword, CVE name, or candidate number. We
have made our product compatible with CVE so that administrators can easily
differentiate which is the best product for them among the different security
products."
— C. Shanmao Lin, RongJi Enterprise | Last Updated: March 18, 2008 |
|
GFI Software Ltd.Quote/Declaration: "GFI recognizes the importance of standards in a field which is encountering even
bigger challenges, variation of attacks and abuses of IT systems. While searching for a
standard which will allow us to adhere to as well as encourage our customers to refer to
vulnerabilities in a particular format, we found a perfect synergy between our
technology and CVE. We believe that such integration will provide a common ground for
our customers and security administrators out there to share and unify experiences
against these ever increasing threats." | Last Updated: March 12, 2008 |
|
H3C Technologies Co., LimitedQuote/Declaration: "H3C Technologies Co., Limited has made our IPS product compatible with CVE for the
benefit of our customers and to support industry standards." | Last Updated: October 19, 2009 |
|
IBMQuote/Declaration: "IBM actively promotes, supports, and contributes to the emerging open systems
standards such as CVE that enable technology management software such as IBM Tivoli Risk
Manager and IBM Tivoli Security Operations Manager, intrusion detection, vulnerability
assessment, and security management components to inter-operate and share management
information. We know that open system standards are a critical step in this direction.
We support CVE as the first and the most complete naming convention for vulnerability
mapping in the industry and we are committed to using CVE within our product in a
tightly integrated fashion." | Last Updated: September 25, 2008 |
|
IBM Internet Security SystemsQuote/Declaration: "The CVE naming standard developed by MITRE represents a significant leap forward for
the information security industry and end user community. As a technology pioneer and
leading provider of security management software and services, IBM Internet Security
Systems is pleased to be a part of this important initiative as we move toward a
standard that is crucial to the effective protection of every organization's critical
digital assets."
— Christopher Klaus, Founder and Chief Technology Officer | Last Updated: September 29, 2008 |
|
IBM RationalQuote/Declaration: "Watchfire's AppScan automates web application security audits to help ensure the
security and compliance of websites. The use of CVE referencing in AppScan further
enhances the information available to our users concerning Web application security
vulnerabilities by cross referencing such information with a list of industry standard
names." | Last Updated: April 14, 2008 |
|
Information-technology Promotion Agency, Japan (IPA)Quote/Declaration: "IPA is proud to incorporate CVE in our product line. Our main product, JVN iPedia is
a vulnerability database that stores summary and countermeasure information on domestic
and overseas software products used in Japan. JVN iPedia is equipped with search
functions (Keyword, Product, CVSS, CVE, etc.) and RSS feeds, which provides the
accumulated data in a comprehensive manner." | Last Updated: January 8, 2010 |
|
Information Risk Management PlcQuote/Declaration: "IRM ensures that clients acquire and maintain the core elements of information
security by providing product-independent, expert, and impartial consulting services to
organisations wishing to examine and improve the security of their information assets.
It is essential that open and standardised vulnerability descriptions and metrics
integrate into IRM's methodology and output so that clients may be assured of a common
reference to findings and recommendations. CVE provides such a mechanism and is vital in
providing meaningful security threat results." | Last Updated: September 16, 2008 |
|
Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) and
Information-technology Promotion Agency, Japan (IPA)Quote/Declaration: "Under the Information Security Early Warning Partnership in Japan, IPA receives
private vulnerability reports and JPCERT/CC coordinates with developers to prepare
patches or remedies. JVN provides infomation such as solution, vulnerability analysis by
JPCERT/CC, and vender notes. JVN contains CVE information as well as vulnerability
attribute information." | Last Updated: January 8, 2010 |
|
Kingnet Security, Inc.Quote/Declaration: "Kingnet Security plays a leading role in network security industry in China. We want
our KIDS intrusion detection system to be compatible to the CVE standard so as to bring
as much value to our customers as possible." | Last Updated: April 30, 2007 |
|
LANDesk Software Inc.Quote/Declaration: "LANDesk Security and Patch manager supports the CVE naming standard, it's a simple
and practical way to ensure that a vulnerability definition means the same thing to
different people." | Last Updated: March 29, 2007 |
|
Lenovo Security Inc.| Last Updated: October 13, 2009 |
|
Lumension Security, Inc.Quote/Declaration: "Lumension Security (formerly PatchLink Corporation) is in the vulnerability
management business and as such fully recognizes the value of using CVE names. All of
our patches have CVE codes in them." | Last Updated: September 29, 2008 |
|
McAfee, Inc.Quote/Declaration: "Because of today's ever changing threats, and vulnerability data a consent must be
had to properly identify each. In the malicious code area these naming conventions exist
and are very beneficial. The MITRE CVE program provides a naming standard that can be
relied on when there is confusion or no standards agreed upon providing a method by
which system administrators and other users can search the Internet to get the
information on the same vulnerability via various sources."
— Carl Banzhof - Vice President and Chief Technology Evangelist,
McAfee | Last Updated: September 25, 2008 |
|
MITRE CorporationQuote/Declaration: "OVAL provides a common language for security experts to discuss the technical details
of how to check for the presence of vulnerabilities and configuration issues on local
systems. The results of the discussions are collaboratively developed XML vulnerability,
patch, and compliance definitions that are based on a common OVAL Schema and perform the
checks. CVE names are used as the basis for all OVAL vulnerability definitions currently
collected on the OVAL Web site. For each CVE name, there are one or more OVAL
vulnerability definitions that measure the presence of that vulnerability on an end
system. OVAL vulnerability definitions on the OVAL Web site can be searched by CVE name
with entry or candidate status, and vulnerability definitions called up for review
include CVE names."
— Pete Tasker, Executive Director, Security and Info Operations
Division | Last Updated: April 30, 2007 |
|
National Institute of Standards and TechnologyQuote/Declaration: "The National Vulnerability Database contains all CVE information as well as
vulnerability attribute information (e.g. vulnerable version numbers), direct access to
U.S. government vulnerability resources, and annotated links to industry resources. The
underlying data in the database is provided license free via an XML feed." | Last Updated: February 19, 2008 |
|
nCircle Network Security, Inc.Quote/Declaration: "nCircle actively supports standardization efforts in the security market, including
the CVE's common lexicon for the vulnerability namespace. As a member of the CVE
editorial board, we are committed to ensuring nCircle's IP360 product continues to
support CVE names and provides customers with an enterprise-class complete lifecycle
approach to vulnerability management. Ultimately, this enables customer to find and
eliminate vulnerabilities before they can be exploited, ensure security policy
compliance and meaningfully measure and manage business risk."
— Tim Keanini, CTO | Last Updated: November 8, 2004 |
|
NetClarityQuote/Declaration: "NetClarity is a strong proponent of the CVE dictionary. The Auditor family of
appliances automatically audit networks and reports those vulnerabilities discovered by
our patent-pending vulnerability assessment engine. With CVE-specific information and
remediation instructions, we enable our customers to better manage their risks, comply
with regulations, and protect their assets."
— Gary S. Miliefsky, CTO, CISSP, NetClarity, Inc. | Last Updated: February 14, 2006 |
|
Netcraft Ltd.Quote/Declaration: "Netcraft is pleased to be able to offer mappings between its vulnerability scanner
and the CVE dictionary. We see CVE as an important security administration tool, linking
our services to a wider variety of other security devices, services and sources of
security information." | Last Updated: October 19, 2009 |
|
netVigilance, Inc.Quote/Declaration: "The SecureScout line of vulnerability assessment solutions, fully supports CVE
references; our speed and ease of use enable users to more efficiently verify CVE
coverage." | Last Updated: September 25, 2008 |
|
NileSOFT Ltd.Quote/Declaration: "NileSOFT is proud to incorporate CVE in our product line. Our main products,
Secuguard SSE (Host based Vulnerability Assessment Tool), Secuguard NSE (Network based
Vulnerability Assessment Tool), mySSE for Web (Online PC Vulnerability Assessment
Service), and LogCOPS (Enterprise Log Analysis and Management System) will continue to
maintain the latest version of CVE." | Last Updated: April 30, 2007 |
|
NSFocus Information Technology (Beijing) Co., Ltd.Quote/Declaration: "CVE has made significant efforts to standardize the names for vulnerabilities,
eliminate the potential gap in security coverage and provide easier interoperability
among different security products. NSFocus strives to deliver customers the enhanced
security by series of products with full support for the CVE standard." | Last Updated: September 30, 2008 |
|
NX Security| Last Updated: April 30, 2007 |
|
Rapid 7, Inc.Quote/Declaration: "As the provider of NeXpose, an enterprise vulnerability management product developed
to accurately identify security weaknesses in an enterprise network, Rapid7 supports the
CVE standard. With the volume of new vulnerabilities being found, a standard such as CVE
enables all security vendors to be clear about what exposures their products have found,
enabling the security staff to better understand what is being reported by disparate
security products and how to remedy the issue." | Last Updated: June 19, 2006 |
|
Red HatQuote/Declaration: "It is often confusing when the same security issues get fixed by different vendors in
different ways with different names and descriptions. We see the CVE Initiative as the
way to solve this problem, giving the community accurate information on which they can
base their security decisions. We are working with MITRE to contribute and validate new
entries as well as publish CVE entries in our security advisories."
— Mark Cox, Senior Director of Engineering | Last Updated: April 30, 2007 |
|
SAINT CorporationQuote/Declaration: "SAINT, WebSAINT, and SAINTbox vulnerability reports and tutorials include relevant
CVE links, providing the user with easy reference to related information and a basis for
determining the extent of each product's capabilities. SAINTmanager vulnerability
reports and tutorials include relevant CVE links, providing the user with easy reference
to related information and a basis for determining the extent of SAINTmanager's
capabilities. SAINT, WebSAINT, and SAINTbox are also CVE searchable with a CVE
cross-reference that maps the CVE entries to the SAINT tutorials, while SAINTmanager is
CVE searchable with a CVE cross-reference that maps the CVE entries to the corresponding
SAINTmanager vulnerability IDs. We will continue to keep all SAINT products updated with
the latest CVE numbers as they become available." | Last Updated: April 30, 2007 |
|
Secure Elements, IncorporatedQuote/Declaration: "C5 EVM combines vulnerability information from a myriad of sources to provide the
most complete coverage possible for our customers. By relying on CVE, C5 EVM seamlessly
integrates the information, providing our customers the highest level of protection
available."
— Dan Bezilla, CTO | Last Updated: April 30, 2007 |
|
SecureInfo CorporationQuote/Declaration: "SecureInfo RMS, award-winning certification and accreditation software, is
CVE-compatible. Supporting CVE is an important part of our vision in providing
continuous monitoring capabilities in support of FISMA and our customer's information
security programs."
— Roberto R. Garcia, V.P. Product Engineering | Last Updated: February 19, 2008 |
|
Silicomp-AQLQuote/Declaration: "CVE compatibility ensures that administrators can easily use different security
products in order to find additional information they need." Quote (French): "La compatibilité CVE permet aux administrateurs de
naviguer entre les différents produits de
sécurité, afin d'y trouver les compléments
d'information dont ils ont besoin." | Last Updated: September 22, 2005 |
|
Skybox Security Inc.Quote/Declaration: "Skybox Security supports standards such as CVE that promote interoperability of
security products. Skybox View, our exposure risk management solution, uses CVE names in
its vulnerability dictionary and cross-references these to vulnerabilities imported by
all vulnerability scanners such as Nessus, eEye Retina, ISS Internet Scanner, Qualys,
and other market leaders. By running attack simulations against a virtual model of the
network, Skybox View reveals vulnerabilities, based on CVE names, that are truly
critical because they lie along an attack path to critical business applications. The
CVE Initiative allows security professionals to understand risks and exposures in terms
that can be cross-referenced to other security products - a growing necessity as more
and more solutions automate the risk management process." | Last Updated: September 25, 2008 |
|
Software in the Public Interest, Inc.Quote/Declaration: "Debian developers understand the need to provide accurate and up-to-date information
of the security status of the Debian distribution, allowing users to manage the risk
associated with new security vulnerabilities. CVE enables us to provide standardized
references that allow users to develop a CVE-enabled security management
process." | Last Updated: February 24, 2004 |
|
SymantecQuote/Declaration: "Symantec maintains one of the largest vulnerability databases available today.
Consisting of over 9000 distinct vulnerability records, we have strived to maintain CVE
compliance from the outset of the CVE Initiative." "Symantec fully supports an industry-wide standard for the indexing of
vulnerabilities. Our public web sites (SecurityFocus and SecurityResponse), and our
commercial alerting services (DeepSight Alert Services) fully conform to the CVE
requirements. This allows our customers to search for, and research vulnerabilities and
blended threats using this common nomenclature. Symantec's wide range of security
products utilize the industry-leading vulnerability database and employ trusted, fast
and automated response capabilities to identify threats identified by CVE." | Last Updated: September 30, 2008 |
|
Tenable Network Security Inc.Quote/Declaration: "Tenable Network Security utilizes the CVE program to tag each of our vulnerabilities
detected by Nessus and the Passive Vulnerability Scanner. This information is also
heavily used through the Security Center for reporting, education, IDS event correlation
and linking with 3rd party security information." | Last Updated: November 13, 2009 |
|
ThreatGuard, Inc.Quote/Declaration: "Recognizing the importance of common indexing of known vulnerabilities, ThreatGuard
has included CVE references in ThreatGuard VMS and ThreatGuard Traveler. These
references are seamlessly integrated with the ThreatGuard Navigator client application,
reports, and search engine. As we release new vulnerability tests, it is among
ThreatGuard's top priorities to ensure CVE referencing is included and accurate,
extending the efforts of the CVE initiative." | Last Updated: September 30, 2008 |
|
TippingPoint TechnologiesQuote/Declaration: "TippingPoint is in the business of simplifying security. We are a strong proponent of
MITRE's CVE standards initiative." | Last Updated: November 23, 2009 |
|
TMC y CiaQuote/Declaration: "We have aligned our service/appliance FAV with the CVE vulnerabilities standard for
the benefit of our customers." | Last Updated: October 13, 2009 |
|
Trend Micro, Inc.| Last Updated: November 8, 2004 |
|
Trustwave| Last Updated: October 19, 2009 |
|
Under Review
A |
B |
C |
D |
E |
F |
G |
H |
I |
J |
K |
L |
M |
N |
O |
P |
Q |
R |
S |
T |
U |
V |
W |
X |
Y |
Z
|
|
