New web page on CVE Compatibility and Status
We will soon be updating our CVE-Compatible web page to contain
summary and status information for all tools, databases and archives
that expect to become CVE-compatible. This will allow us to present
the intentions of various organizations before we finish formalizing
what CVE compatibility really means.
We will add any organization that makes a public "Declaration of
Intent" (or its equivalent) to become CVE compatible. While most
Board members have told MITRE that they will make their
products/repositories CVE compatible, not all of them have made a
public statement to this effect yet. NTBugtraq, CERT, Cisco, SANS,
and CyberSafe have made public declarations, either in press or to a
broad audience. Security Focus has effectively made a public
declaration by including CVE names in its online database.
While this is still in its early stages, we encourage you to begin to
compile the requisite information about your organization's tools or
products, which we will then add to the CVE compatibility web page.
The most likely format will be a listing of tools and repositories
with the following information:
Type: IDS tool / Assessment tool / Security tool /
Database / Advisory archive / Educational material
CVE Output: yes/no [includes CVE names in output]
CVE Searchable: yes/no [user can locate items by CVE name]
Organization Comments: [a place for your organization to make brief
statements of intent or current status]
Web Site: [a link to the associated web site]
Contact Information: [name, address, e-mail, etc.]
This list could be ordered alphabetically by organization name, or by
the first date of the organization's public declaration of their
intentions to become CVE compatible.
At present, we anticipate updating this web page every 2 weeks or so.
We hope to make the first major update with the first round of
information on November 1.