2005 News & Events (Archive)

December 8, 2005

CVE Names Included in Consensus List of "Top Twenty" Internet Security Threats

The recently updated Twenty Most Critical Internet Security Vulnerabilities, a SANS/FBI consensus list of the most critical problem areas in Internet security, was released on November 22, 2005 and includes 241 CVE names. According to the SANS Web site, this latest version of the Top Twenty "is a marked deviation from the previous Top-20 lists. In addition to Windows and UNIX categories, we have also included Cross-Platform Applications and Networking Products. The change reflects the dynamic nature of the evolving threat landscape. Unlike the previous Top-20 lists, this list is not "cumulative" in nature. We have only listed critical vulnerabilities from the past year and a half or so. If you have not patched your systems for a length of time, it is highly recommended that you first patch the vulnerabilities listed in the Top-20 2004 list."

Version 6.0 of the updated list includes CVE names with both entry and candidate status to uniquely identify the vulnerabilities it describes. This will help system administrators use CVE-compatible products and services to help make their networks more secure.

SANS is a member of the CVE Editorial Board and its education and training materials are listed on the CVE-Compatible Products and Services page.

SAINT Corporation Makes Declaration of CVE Compatibility

SAINT Corporation declared that its network vulnerability assessment management console, SAINTmanager, is CVE-compatible. Three other SAINT products are also listed on the CVE-Compatible Products and Services page, all three of which—SAINT (Security Administrator's Integrated Network Tool), SAINTbox, and WebSAINT—are Officially CVE-Compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

FrSIRT Makes Declaration of CVE Compatibility

French Security Incident Response Team (FrSIRT) declared that its FrSIRT Security Advisories are CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

842 CVE Names with Candidate Status Added to CVE List in November

842 CVE names with candidate status were added to the CVE List in November 2005. As of November 30, 2005, there were 13,685 CVE names with entry or candidate status posted on the List with 3,052 posted as official entries and 11,317 as candidates. New candidates are added daily. Refer to the Get CVE page for the most recent breakdown of total names and total candidates, and to review, search, or download the CVE List. Use CVE Change Logs, a free tool from CERIAS/Purdue University, to review the additions for November or any month.

Detailed information about how we build the CVE List is available in the CVE Naming Process and CVE Content Decisions sections.

CVE Mentioned in Product Review in SC Magazine

CVE was mentioned in the first sentence of a November 1, 2005 product review in SC Magazine entitled "Auditor Enterprise." CVE is mentioned as follows: "Netclarity's distinctive green 1U rack mount Auditor Enterprise device is described as a CVE (Common Vulnerabilities and Exposures)-compliant network security system. It offers vulnerability assessment functions to help firms comply with corporate governance legislation by conducting an audit against pre-defined CVE vulnerabilities. This helps endpoint security by quarantining infected systems until they are remediated."

Four NetClarity, Inc. (formerly PredatorWatch, Inc.) products are listed on the CVE-Compatible Products and Services page, three of which—NetClarity Auditor Enterprise and Update Service, NetClarity Auditor 128 and Update Service, and NetClarity Auditor XL and Update Service—are "Officially CVE-Compatible."

CVE Mentioned in Article about National Vulnerability Database on SecurityFocus.com

CVE was mentioned in a December 2, 2005 article about the U.S. National Vulnerability Database (NVD) entitled "Federal flaw database commits to grading system" on SecurityFocus.com. CVE is mentioned as follows: "NVD piggybacks on the Common Vulnerability and Exposures (CVE) [Initiative] ... The CVE, a listing of serious vulnerabilities maintained by the MITRE Corporation, expands on the Internet Catalog (ICAT)--a previous NIST project--that archived the vulnerabilities defined by the Common Vulnerability and Exposures list. The NVD team scored the vulnerabilities using an automated process. The CVE [List] only had about 80 percent of the information needed to give an exact score ... so the group has generated the scores based on the information at hand and labeled each one "approximate." The CVE definitions are one of the standards that the National Vulnerability Database depends on. The database also uses the Open Vulnerability and Assessment Language (OVAL) to describe the security issues in a standard language ... "

CVE is also mentioned in the article in a discussion of NVD's adoption of the Common Vulnerability Scoring System (CVSS) by Gerhard Eschelbeck, chief technology officer for Qualys, Inc. and "one of the founding members" of the CVSS team, who states: "The grading of the previous vulnerabilities on the CVE List solves a problem that hampered adoption of the Common Vulnerability Scoring System. With the introduction of CVSS as a standardized vulnerability scoring system, the question appeared, how do we go back and score all the historical vulnerabilities released? It is very encouraging to see NVD has taken on this big task, providing comprehensive CVSS scoring for even historical vulnerabilities."

NVD, CVE, and OVAL are sponsored by the U.S. Department of Homeland Security.

November 21, 2005

Symantec Corporation Makes Declaration of CVE Compatibility

Symantec Corporation declared that its threat management system, Symantec Network Security 7100 Network Appliance, is CVE-compatible. Ten other Symantec products are also listed on the CVE-Compatible Products and Services page, two of which—DeepSight Alert Services and SecurityFocus Vulnerability Database—are Officially CVE-Compatible.

For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

ThreatGuard, Inc. Makes Declaration of CVE Compatibility

ThreatGuard, Inc. declared that its threat management product, ThreatGuard Traveler, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

Gazos Creek, Inc. Makes Declaration of CVE Compatibility

Gazos Creek, Inc. declared that its security and network management service, netSense, will be CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

CVE Hosts Booth at 32nd Annual CSI Conference

MITRE hosted a CVE/OVAL/CME exhibitor booth at the 32nd annual CSI Computer Security Conference & Exhibition, November 13-15, 2005, in Washington, D.C., USA. The conference exposed CVE, OVAL, and CME to information security and network professionals from industry, academia, and government.

Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, CME, and/or other vulnerability management topics at your event.

CVE Presents Briefing at VISION 2005

CVE Team Member Matthew N. Wojcik presented a briefing about CVE and OVAL entitled Enablers to Cybersecurity Transformation in the "Protection of Information" track at The Shepard Group's VISION 2005 on November 8, 2005, at Ibis London Earl's Court, UK. The conference itself ran November 7th - 9th.

Visit the CVE Calendar page for information on this and other upcoming events.

CVE Presents Briefing at FIAC 2005

CVE Compatibility Lead Robert A. Martin presented a briefing about CVE, OVAL, and CME entitled Managing to Make Secure Systems in the Vulnerability Management portion of the "Leveraging Technology to Bridge the Security Gap" track at Federal Information Assurance Conference (FIAC) 2005 on October 26, 2005, at the University of Maryland University College in Adelphi, Maryland, USA.

Visit the CVE Calendar page for information on this and other upcoming events.

October 19, 2005

CVE List Naming Scheme Modified on October 19th

The CVE List numbering scheme was modified on October 19, 2005. This one-time change, to enhance the usability of CVE names, was a direct result of feedback from users. An initial announcement was made on April 21, 2005, and second announcement on September 5, 2005, in order to give advance notice and to minimize the amount of work required for users and vendors from the changeover.

The CVE List numbering scheme was modified to eliminate the CAN prefix in CVE names. Under the current system, the "CAN-yyyy-nnnn" identifier is eventually changed to a "CVE-yyyy-nnnn" identifier, which can result in maintenance problems and confusion. The new numbering system has the CVE prefix from the outset followed by 8 numerals and a status line designating whether the name has "Candidate," "Entry," or "Deprecated" status. Each name continues to include a brief description and references. Under the new scheme, when new CVE versions are released only the status line will be updated.

For example, CVE name CVE-1999-0067 includes the following:

CVE Name:   CVE-1999-0067
Status:   Entry
Description:   CGI phf program allows remote command execution through shell metacharacters.
References:  
  • CERT:CA-96.06.cgi_example_code
  • XF:http-cgi-phf
  • BID:629
  • OSVDB:136

Previously assigned CVE numbers will remain the same except for the prefix being updated and the addition of the status, e.g., CAN-2005-0386 has been changed to CVE-2005-0386 with "Candidate" status. Links to CANs in older advisories and news media articles will be redirected on the CVE Web site to pages with the appropriate renumbered names. The CVE Compatibility Requirements document has also been updated to conform to the modification. Please contact cve@mitre.org with any questions or concerns about the renumbering.

Blue Lane Technologies Inc. Makes Declaration of CVE Compatibility

Blue Lane Technologies Inc. declared that its inline security patch proxy tool, PatchPoint System, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

XSGuard Systems BV Makes Declaration of CVE Compatibility

XSGuard Systems BV declared that its intrusion prevention system, Prefence IPS, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

FrSIRT References CVE Names in Security Advisories

French Security Incident Response Team (FrSIRT) issued a security advisory on October 5, 2005 that referenced CAN-2005-2758 . Numerous other FrSIRT advisories also include CVE names. See Organizations with CVE Names in Vulnerability Advisories for a complete list of the 69 organizations that are including or have included CVE names with entry or candidate status in their security advisories.

MITRE to Host CVE/OVAL Booth at CSI Conference 2005

MITRE is scheduled to host a CVE/OVAL exhibitor booth at the 32nd annual CSI Computer Security Conference & Exhibition, November 13-15, 2005, at the Marriott Wardman Hotel in Washington, D.C., USA. The conference will expose CVE and OVAL to information security and network professionals from industry, academia, and government. In addition, organizations with CVE-Compatible Products and Services will also be exhibiting.

Visit the CVE Calendar page for information about this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, and/or other vulnerability management topics at your event.

October 5, 2005

CVE Mentioned in Article about 'Common Malware Enumeration' in Virus Bulletin

The success of CVE as a standard was mentioned in an article entitled "The Common Malware Enumeration Initiative" in the September 2005 issue of Virus Bulletin. The article announces the formation of the Common Malware Enumeration (CME) initiative—headed by US-CERT and MITRE along with numerous members of the anti-virus community—that aims to provide single, common identifiers to new virus threats (i.e., malware) to reduce public confusion during malware outbreaks. CME is "not an attempt to solve the challenges involved with naming schemes for viruses and other forms of malware, but instead aims to facilitate the adoption of a shared, neutral indexing capability for malware."

CVE is mentioned by the authors of the article as follows: "CME is fashioned similarly to the Common Vulnerabilities and Exposures (CVE) initiative (https://cve.mitre.org), which is also operated by MITRE in support of US-CERT. As experience with CVE shows, once all parties have adopted a neutral, shared identification method, effective information sharing can happen faster and with more accuracy."

CME, US-CERT, and CVE are sponsored by the U.S Department of Homeland Security.

Application Security, Inc. Makes Declaration of CVE Compatibility

Application Security, Inc. declared that its database auditing and intrusion detection tool, AppRadar for Oracle, is CVE-compatible. In addition, nine other Application Security products are listed in the CVE-Compatible Products and Services section.

For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

Computer Associates Posts CVE Compatibility Questionnaire

Computer Associates International, Inc. has achieved the second phase of the CVE Compatibility Process by posting a CVE Compatibility Questionnaire for eTrust Vulnerability Manager. In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."

To-date, 53 products or services from 29 organizations from industry, government, and academia organizations worldwide have been awarded a CVE-Compatible logo and registered as Officially CVE-Compatible. For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section.

Adobe References CVE Names in Security Advisories

Adobe Systems Incorporated issued a security advisory on August 16, 2005 that referenced CVE-2005-2470. Other Adobe advisories also include CVE names. See Organizations with CVE Names in Vulnerability Advisories for a complete list of the 68 organizations that are including or have included CVE names with entry or candidate status in their security advisories.

MITRE to Host CVE/OVAL Booth at FIAC 2005

MITRE is scheduled to host a CVE/OVAL exhibitor booth at Federal Information Assurance Conference (FIAC) 2005, October 25-26, 2005, at the Inn and Conference Center, University of Maryland University College, in Adelphi, Maryland, USA. The conference will expose CVE and OVAL to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government. In addition, organizations with CVE-Compatible Products and Services will also be exhibiting.

Visit the CVE Calendar page for information about this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, and/or other vulnerability management topics at your event.

MITRE Hosts CVE/OVAL Booth at IT Security World 2005, September 28th-29th

MITRE hosted a CVE/OVAL exhibitor booth at MISTI's IT Security World 2005 on September 28-29, 2005 in San Francisco, California, USA. The conference exposed CVE and OVAL to security professionals from industry, government, and academia charged with developing and running their organizations' information security programs. Organizations listed on the CVE-Compatible Products and Services page also exhibited.

See booth photos below:


2005 IT Security World 2005 IT Security World

Visit the CVE Calendar page for information about this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, and/or other vulnerability management topics at your event.

September 22, 2005

CVE Announces 'Calendar of Events' for Autumn 2005

The CVE Initiative has announced its initial calendar of events for the second half of 2005. Details regarding MITRE's scheduled participation at these events are noted on the CVE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.

Other events will be added throughout the year. Visit the CVE Calendar page for information about these and other upcoming events.

September 7, 2005

CVE List to Be Renumbered on October 19th

Beginning October 19, 2005, there will be a one-time-only modification to the CVE List numbering scheme. This one-time change, to enhance the usability of CVE names, is a direct result of feedback from users. An initial announcement was made on April 21, 2005.

The CVE List numbering scheme is being modified to eliminate the CAN prefix in CVE names. Under the current system, the "CAN-yyyy-nnnn" identifier is eventually changed to a "CVE-yyyy-nnnn" identifier, which can result in maintenance problems and confusion. The new numbering system will have the CVE prefix from the outset followed by 8 numerals and a status line designating whether the name has "Candidate," "Entry," or "Deprecated" status. Each name will continue to include a brief description and references. Under the new scheme, when new CVE versions are released only the status line will be updated.

For example, CVE name CVE-1999-0067 will include the following:

CVE Name:   CVE-1999-0067
Status:   Entry
Description:   CGI phf program allows remote command execution through shell metacharacters.
References:  
  • CERT:CA-96.06.cgi_example_code
  • XF:http-cgi-phf
  • BID:629
  • OSVDB:136

Previously assigned CVE numbers will remain the same except for the prefix being updated and the addition of the status, e.g., CAN-2005-0386 will be changed to CVE-2005-0386 with "Candidate" status. Links to CANs in older advisories and news media articles will be redirected on the CVE Web site to pages with the appropriate renumbered names. We have updated the CVE Compatibility Requirements document to conform to the modification and are in the process of contacting compatible vendors directly to discuss the expected impact.

Visit the CVE Web site regularly and/or sign-up for CVE-Announce for updates on the numbering modification and other CVE issues, or contact cve@mitre.org with any questions or concerns.

MITRE to Host CVE/OVAL Booth at IT Security World 2005, September 28th-29th

MITRE is scheduled to host an CVE/OVAL exhibitor booth at MISTI's IT Security World 2005 on September 28th - 29th at the Hyatt Regency in San Francisco, California, USA. The conference will expose CVE and OVAL to security professionals from industry, government, and academia charged with developing and running their organizations' information security programs. Please stop by Booth 415 and say hello. In addition, organizations listed on the CVE-Compatible Products and Services page will also be exhibiting.

Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, and/or other vulnerability management topics at your event.

August 25, 2005

CVE Included in Article about NVD on SecurityFocus.com

CVE was included an August 12, 2005 article entitled "NIST, DHS add national vulnerability database to mix" on SecurityFocus.com. The main topic of the article is the U.S. National Vulnerability Database (NVD), the "latest U.S. Department of Homeland Security initiative to boost the preparedness of the nation's Internet and computer infrastructure, as called for by the Bush Administration's National Strategy to Secure Cyberspace."

CVE is mentioned when the author states: "[NVD only includes] public information in its collection... The project scans the Common Vulnerability and Exposures (CVE), a listing of serious vulnerabilities maintained by the MITRE Corporation. The NVD expands on the Internet Catalog (ICAT), a previous NIST project, that archived the vulnerabilities defined by the Common Vulnerabilities and Exposures list."

CVE is also mentioned in a quote by Peter Mell, a senior computer scientist at NIST and the creator of the NVD, who states: "The CVE [names] are one of the standards that the National Vulnerability Database depends on. The database also uses the Open Vulnerability and Assessment Language (OVAL) to describe the security issues in a standard language." According to the article, "this reliance on standards gained the effort some plaudits from representatives of security companies that rely on such databases," including Gerhard Eschelbeck, chief technology officer of vulnerability assessment service for Qualys, Inc., who states: "We believe there is a need in the market for an aggregator to bring together all the information from all the different sources. But we want the organizations to use all the open standards."

NVD, US-CERT, OVAL, and CVE are sponsored by the U.S Department of Homeland Security. In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.

CVE Included in Article about NIST's National Vulnerability Database in Federal Computer Weekly

CVE was included in an August 10, 2005 article entitled "NIST releases vulnerability database" in Federal Computer Weekly. According to the article "The National Vulnerability Database (NVD) integrates all publicly available U.S. government vulnerability resources and provides references to industry resources. The Web site, nvd.nist.gov, contains about 12,000 vulnerability entries with around 10 being added per day."

CVE is mentioned as follows: "[NVD] is built completely on the Common Vulnerabilities and Exposures (CVE) naming standard, which was developed by representatives from academia, government and industry. Maintained by MITRE Corp., CVE is a dictionary, not a database. It is designed to make it easier to share data across separate vulnerability databases and security tools. About 300 security products use CVE to identify vulnerabilities and facilitate interoperability between those products. NVD will aid that interoperability effort by enhancing the CVE name standard with detailed vulnerability information."

NVD and CVE are sponsored by the U.S Department of Homeland Security. In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.

CVE Included in Article about U.S. National Vulnerability Database in eWeek

CVE was included in an August 15, 2005 article entitled "NIST Unveils National Vulnerability Database" in eWeek. The main topic of the article is the U.S. National Vulnerability Database (NVD), "a database of network vulnerabilities last week to give IT security professionals a clearinghouse to keep up with newly discovered weaknesses and learn ways to remediate them."

CVE is mentioned as follows: "Users can search the database for information on any vulnerability and are able to search by keyword or CVE (Common Vulnerabilities and Exposures) number. The system also contains information on all the technical alerts and vulnerability notes that the US-CERT publishes."

NVD, US-CERT, and CVE are sponsored by the U.S Department of Homeland Security. In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.

CVE Included in Second Article about NVD in Federal Computer Weekly

CVE was included in an August 15, 2005 article entitled "NIST creates online treasure trove of security woes" in Federal Computer Weekly. The main topic of the article is the U.S. National Vulnerability Database (NVD), "a comprehensive cybersecurity database that is updated daily with the latest information on vulnerabilities in popular products."

CVE is mentioned as follows: "The database is built completely on the Common Vulnerabilities and Exposures (CVE) naming standard developed by representatives from academia, government and industry. Maintained by MITRE, CVE is a dictionary, not a database. It is designed to make it easier to share data among vulnerability databases and security tools. About 300 security products use CVE to identify vulnerabilities and facilitate interoperability among those products. NVD will aid that interoperability by enhancing the CVE name standard with detailed vulnerability information."

NVD and CVE are sponsored by the U.S Department of Homeland Security. In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.

August 8, 2005

CVE the Basis for U.S. National Vulnerability Database

CVE is used as the basis for the vulnerabilities contained in the U.S. National Institute of Standards and Technology's (NIST) National Vulnerability Database (NVD). According to the NVD Web site, "NVD is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. It is based on the CVE vulnerability naming standard."

NVD is searchable by CVE Name, US-CERT Technical Alerts and/or US-CERT Vulnerability Notes, and OVAL Definition. OVAL is a baseline standards initiative for how to determine the presence of vulnerabilities and configuration issues on computer systems using community-developed XML schemas and vulnerability, compliance, and patch definitions, with each vulnerability definition based on a CVE name. The NVD homepage also includes a list of twenty of the most "Recent Vulnerabilities," all listed by CVE name.

NVD, US-CERT, OVAL, and CVE are sponsored by the U.S Department of Homeland Security. In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.

NetClarity Makes Declaration of CVE Compatibility

NetClarity declared that its Vulnerability Assessment Appliance and Update Service for Consultants, NetClarity Analyst and Update Service, is CVE-compatible. NetClarity's Auditor 128 and Update Service, Auditor 16 and Update Service, and Auditor Enterprise and Update Service are also listed on the CVE-Compatible Products and Services page.

For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

NetClarity Posts CVE Compatibility Questionnaire

NetClarity has achieved the second phase of the CVE Compatibility Process by posting a CVE Compatibility Questionnaire for NetClarity Analyst and Update Service. In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."

To-date, 53 products or services from 29 organizations from industry, government, and academia organizations worldwide have been awarded a CVE-Compatible logo and registered as Officially CVE-Compatible. For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section.

NIST Posts CVE Compatibility Questionnaire

National Institute of Standards and Technology (NIST) has achieved the second phase of the CVE Compatibility Process by posting a CVE Compatibility Questionnaire for National Vulnerability Database (NVD). In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."

For additional information, visit the CVE-Compatible Products and Services section.

PatchAdvisor, Inc. Posts CVE Compatibility Questionnaire

PatchAdvisor, Inc. has achieved the second phase of the CVE Compatibility Process by posting a CVE Compatibility Questionnaire for PatchAdvisor Alert. In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."

For additional information, visit the CVE-Compatible Products and Services section.

netForensics, Inc. Posts CVE Compatibility Questionnaire

netForensics, Inc. has achieved the second phase of the CVE Compatibility Process by posting a CVE Compatibility Questionnaire for nFX Open Security Platform (nFX OSP). In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."

For additional information, visit the CVE-Compatible Products and Services section.

NSFOCUS Information Technology Co., Ltd. Posts Two CVE Compatibility Questionnaires

NSFOCUS Information Technology Co., Ltd. has achieved the second phase of the CVE Compatibility Process by posting two completed compatibility questionnaires on the CVE Web site: CVE Compatibility Questionnaire for RSAS and CVE Compatibility Questionnaire for Eye of Ice. In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."

For additional information, visit the CVE-Compatible Products and Services section.

NileSOFT Ltd. Posts Two CVE Compatibility Questionnaires

NileSOFT Ltd. has achieved the second phase of the CVE Compatibility Process by posting two completed compatibility questionnaires on the CVE Web site: CVE Compatibility Questionnaire for Secuguard NSE (Network Security Explorer) and CVE Compatibility Questionnaire for Secuguard SSE (System Security Explorer). In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."

For additional information, visit the CVE-Compatible Products and Services section.

Rapid 7, Inc. Posts CVE Compatibility Questionnaire

Rapid 7, Inc. has achieved the second phase of the CVE Compatibility Process by posting a CVE Compatibility Questionnaire for NeXpose. In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."

For additional information, visit the CVE-Compatible Products and Services section.

Information Risk Management Plc Posts CVE Compatibility Questionnaire

Information Risk Management Plc has achieved the second phase of the CVE Compatibility Process by posting a CVE Compatibility Questionnaire for Security Risk Assessment. In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."

For additional information, visit the CVE-Compatible Products and Services section.

Beijing Topsec Co., Ltd. Posts CVE Compatibility Questionnaire

Beijing Topsec Co., Ltd. has achieved the second phase of the CVE Compatibility Process by posting a CVE Compatibility Questionnaire for NetGuard Intrusion Detection System. In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."

For additional information, visit the CVE-Compatible Products and Services section.

July 27, 2005

New Document Describes How CVE Handles Accidental Assignment of Duplicate CVE Identifiers

A new document entitled "Handling Duplicate Public CVE Identifiers" that describes the criteria MITRE uses for selecting the preferred identifier from any accidental duplicates has been posted in the CVE Content Decisions section of the CVE Web site.

As more and more vendors, researchers, and coordinators use CVE identifiers (i.e., CVE Names) in their initial public vulnerability announcements, the risk of multiple assignments of the same CVE identifier increases. While all involved parties should and normally do coordinate on the CVE name for an issue, errors still occasionally occur, especially if one party is new to CVE. When duplicate identifiers are made public, CVE's Primary Candidate Numbering Authority must be consulted to choose the proper candidate to use. Once the preferred identifier has been selected, MITRE will modify the descriptions of all other identifiers and reference the preferred identifier.

For more information about Content Decisions refer to the CVE Content Decisions Overview and CVE Abstraction Content Decisions: Rationale and Application pages. A list of the organizations that include or have included CVE names in their vulnerability announcements is included on the Organizations with CVE Names in Advisories page.

CVE Presents Briefing at the New England Electronic Crimes Task Force Meeting on July 26th

CVE Compatibility Lead Robert A. Martin presented a briefing about CVE/OVAL at the New England Electronic Crimes Task Force Meeting on July 26, 2005 in Wellesley, Massachusetts, USA. The Electronic Crimes Task Force includes members from industry as well as local, state, and federal law enforcement and was created to "help prevent and when necessary, prosecute these new kinds of [electronic and computer] crimes."

Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, and/or other vulnerability management topics at your event.

July 15, 2005

228 Information Security Products and Services Now Listed on the CVE Web Site

Information about numerous information security products and services can be found in the CVE-Compatible Products and Services section of the CVE Web site. 228 are listed to-date, of which 52 network security products or services from 29 organizations from industry, government, and academia organizations worldwide have been awarded the CVE-Compatible logo and are registered as "Officially CVE-Compatible," while another 110 organizations have declared that their 176 products are or will be compatible.

"CVE-compatible" means that a product or service uses CVE names in a way that allows it to cross-link with other repositories that also use CVE names, as documented in the CVE compatibility requirements. Each item listed on the CVE Web site includes a link to the organization's homepage, the product or service name, type of product, link to the product homepage, and a notation of the specific point in the CVE Compatibility Process each product or service has reached. Many organizations have multiple products and services listed. For additional usability, they are also listed by product type, product name, organization, and country. Product types include vulnerability databases; security archives and advisories; vulnerability assessment and remediation; intrusion detection, management, monitoring, and response; incident management; data and event correlation; educational materials; and firewalls.

Visit the CVE-Compatible Products and Services page to review information about CVE compatibility, and on all 52 officially compatible products and 176 declared information security products and services.

CVE to Present Briefing at the New England Electronic Crimes Task Force Meeting on July 26th

CVE Compatibility Lead Robert A. Martin is scheduled to present a briefing about CVE/OVAL at the New England Electronic Crimes Task Force Meeting on July 26th, 2005 in Wellesley, Massachusetts, USA. The Electronic Crimes Task Force includes members from industry as well as local, state, and federal law enforcement and was created to "help prevent and when necessary, prosecute these new kinds of [electronic and computer] crimes."

Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, and/or other vulnerability management topics at your event.

July 1, 2005

PatchAdvisor, Inc. Makes Three CVE Compatibility Declarations

PatchAdvisor, Inc. has declared that its patch management vulnerability notification service and database, PatchAdvisor Alert!; patch management vulnerability notification service for small businesses, PatchAdvisor Flash!; and its historical and current patch management vulnerability notification service in XML format, PatchAdvisor Source, are CVE-compatible. PatchAdvisor's PatchAdvisor Enterprise is also listed on the CVE-Compatible Products and Services page.

For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

Beijing Topsec Co., Ltd. Makes CVE Compatibility Declaration

Beijing Topsec Co., Ltd. has declared that its NetGuard Intrusion Detection System is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

CVE Mentioned in Article about Security Threats in SD Times

CVE was mentioned in a May 15, 2005 article entitled "Top Ten, Other Lists Catalog Security Threats" in SD Times, The Industry Newspaper for Software Development Managers. The author mentions CVE as one of the "Internet resources [that aim] to identify application flaws developers may do battle with."

The author mentions CVE as follows: "Another entry, the Common Vulnerabilities and Exposures (CVE) List (cve.mitre.org/cve), is not a database, per se. It aims to standardize the names for all publicly known vulnerabilities and security exposures. Maintained by the not-for-profit MITRE Corp., the listing is designed to make it easier to search for information in security databases, such as the one maintained by CERT/CC [www.kb.cert.org/vuln]."

In addition to the CERT/CC database, the article also mentions the Open Web Security Project Top Ten list, both of which are listed on the CVE-Compatible Products and Services page.

Conference Photos of CVE Booth at the NetSec 2005

MITRE hosted a CVE/OVAL exhibitor booth at NetSec 2005 Conference & Exhibition, June 13 - 15th, 2005 in Scottsdale, Arizona, USA. See photos below.

NetSec 2005
NetSec 2005
NetSec 2005
NetSec 2005
NetSec 2005
NetSec 2005
NetSec 2005
NetSec 2005
NetSec 2005
June 15, 2005

Document Detailing "CVE Content Decisions" Now Available

A new document entitled "CVE Abstraction Content Decisions: Rationale and Application" detailing CVE content decisions (CDs) has been posted on the CVE Web site. CVE CDs are the guidelines used to ensure that CVE names are created in a consistent fashion, independent of who is doing the creation.

There are two major types of CDs: (1) "Inclusion Content Decisions," which specify whether a vulnerability or exposure should go into CVE; and (2) "Abstraction Content Decisions," which specify what level of abstraction, or detail, at which a vulnerability should be described. The new document provides guidelines for Abstraction CDs, clarifying when to combine multiple reports, bugs, and/or attack vectors into a single CVE name, and when to create separate CVE names.

Also discussed in the document are the design goals of CDs and their role in managing vulnerability information for the CVE Initiative, an outline of CVE's major abstraction CDs, a comparison of CDs with other vulnerability information sources, and numerous examples of CDs in action. Intended primarily for CVE's Candidate Numbering Authorities (CNAs), the document may also be of interest to vulnerability researchers, maintainers of vulnerability databases and other CVE-compatible products and services, and large-scale technical consumers of vulnerability information.

Additional information about CDs is available on the CVE Content Decisions Overview page.

Xentinel Digital Security, Inc. Makes CVE Compatibility Declaration

Xentinel Digital Security, Inc. has declared that its remote vulnerability assessment and remediation service, HACKER FREE, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

"CVE Compatibility Requirements" Document Updated for CVE Naming Scheme Modification

The "Requirements and Recommendations for CVE Compatibility" document has been updated in preparation for the upcoming modification to the CVE List numbering scheme that will replace the "CAN" prefix with a "CVE" prefix in CVE names. Changes to the requirements detail how organizations should handle the inclusion of CVE names with "candidate" status when including them in their products or services (see Section 6. Candidate Name Usage). We have posted the changes in advance so that organizations previously listed on the CVE-Compatible Products and Services page as well as those making new declarations will be prepared for the changeover.

The CVE List will be renumbered beginning October 19, 2005. Read the Renumbering Q&A.

MITRE Hosts CVE/OVAL Booth at NetSec 2005

MITRE hosted a CVE/OVAL exhibitor at NetSec 2005 Conference & Exhibition, June 13 -15, 2005 in Scottsdale, Arizona, USA. The conference introduced CVE and OVAL to information security managers and directors, CIOs, CSOs, systems analysts, network engineers, network and systems managers and administrators, Webmasters, and other information security professionals.

Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, and/or other vulnerability management topics at your event.

June 3, 2005

CVE Names Included in Consensus List of "Top Twenty" Internet Security Threats

The recently updated Twenty Most Critical Internet Security Vulnerabilities, a SANS/FBI consensus list of the most critical problem areas in Internet security, was released on May 2, 2005. The update is the first installment in a new program of quarterly updates by SANS that "summarizes the most critical new vulnerabilities discovered during the first quarter of 2005 by vendors" to provide "an additional roadmap to the new vulnerabilities that must be eliminated in any Internet-connected organization."

The updated list, like the annual Top Twenty consensus list, includes CVE names with both entry and candidate status to uniquely identify the vulnerabilities it describes. This will help system administrators use CVE-compatible products and services to help make their networks more secure.

SANS is a member of the CVE Editorial Board and its education and training materials are listed on the CVE-Compatible Products and Services page.

NX Security Makes CVE Compatibility Declaration

NX Security has declared that its vulnerability assessment and remediation service, NX Express for Web Applications, is CVE-compatible. In addition, NX Security's NX Express and NX Enterprise are listed as "Officially CVE-Compatible" on the CVE-Compatible Products and Services page. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

CVE/OVAL Booth Number Changed for NetSec 2005

MITRE's CVE/OVAL exhibitor booth number for NetSec 2005 Conference & Exhibition, June 13 - 15, 2005 in Scottsdale, Arizona, USA, has been changed from E13 to D7. Organizations listed on the CVE-Compatible Products and Services page will also be exhibiting. Please stop by any of these booths and say hello.

Visit the CVE Calendar page for information on this and other upcoming events.

May 11, 2005

10,000+ CVE Names Now Available on the CVE Web Site!

The CVE Web site now contains 10,133 unique information security issues with publicly known names. Of these, 3,052 have CVE entry status and 7,081 have candidate status pending approval by the CVE Editorial Board. CVE names are used by information security product/service vendors and researchers as a standard method for identifying vulnerabilities and for cross-linking with other repositories that also use CVE names.

CVE names are unique, common identifiers for publicly known information security vulnerabilities. Each CVE name includes the following: the CVE identifier number (i.e., "CVE-1999-0067"); indication of "entry" or "candidate" status; brief description of the security vulnerability or exposure; and any pertinent references (i.e., vulnerability reports and advisories or OVAL-ID). The CVE List will be renumbered beginning October 19, 2005. Read the Renumbering Q&A.

Visit the CVE-Compatible Products and Services page to find out about the 222 products that use CVE names, or see Organizations with CVE Names in Advisories for a list of the 67 organizations to-date that are including or have included CVE names in their advisories.

MITRE to Host CVE/OVAL Booth at NetSec 2005, June 13th - 15th

MITRE is scheduled to host a CVE/OVAL exhibitor booth at NetSec 2005 Conference & Exhibition, June 13 - 15, 2005 in Scottsdale, Arizona, USA. The conference is targeted to information security managers and directors, CIOs, CSOs, systems analysts, network engineers, network and systems managers and administrators, Webmasters, and other information security professionals. Please stop by Booth E13 and say hello. In addition, organizations listed on the CVE-Compatible Products and Services page will also be exhibiting.

Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, and/or other vulnerability management topics at your event.

May 6, 2005

NileSOFT Ltd. Makes Two CVE Compatibility Declarations

NileSOFT Ltd. has declared that its online PC vulnerability assessment service, mySSE for Web, and enterprise log analysis and management system, LogCOPS, are CVE-compatible. In addition, NileSOFT Ltd.'s Secuguard SSE (System Security Explorer) and Secuguard NSE (Network Security Explorer) are also listed on the CVE-Compatible Products and Services page. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

Prism Microsystems, Inc. Makes CVE Compatibility Declaration

Prism Microsystems, Inc. has declared that its vulnerability assessment and remediation change tool, What Changed?, will be CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

Senior Advisory Council Holds Meeting

The Senior Advisory Council held a meeting on Monday, April 25, 2005. Topics included U.S. Department of Defense (DOD) vulnerability management using (Extensible Markup Language Configuration Checklist Data Format) XCCDF, OVAL, and CVE; the U.S. Department of Energy's (DOE) enterprise-wide Microsoft license and contract; an update on Center for Internet Security (CIS) information security benchmarks and tools; and status updates on CME, OVAL, and CVE.

MITRE established the advisory council to help guide CVE and OVAL and to ensure the initiatives receive appropriate funding, and to help us all understand potential relationships with other ongoing activities, share information, and promote synergy across the security community. The advisory council is composed of senior executives from offices across the U.S. federal government who are responsible for information assurance on government networks and systems. Visit the Senior Advisory Council section to view a list of the advisory council members or to read a copy of the council charter.

CVE Standards Effort a Main Topic of Article in CrossTalk

CVE was a main topic in an article by CVE Compatibility Lead Robert A. Martin entitled "Transformational Vulnerability Management Through Standards" in the May 2005 issue of CrossTalk, The Journal of Defense Engineering. The article discusses the U.S Department of Defense's (DOD) new enterprise licenses for vulnerability assessment and remediation tools that require using capabilities that conform to the CVE and OVAL standards efforts. The author states: "In combination with procedural changes, the adoption of these and other standards such as the National Security Agency's Extensible Markup Language Configuration Checklist Data Format, are making it possible to radically improve the accuracy and timeliness of the DOD's remediation and measurement activities, which are critical to ensuring the network and systems integrity of their network-centric warfare capabilities."

The author concludes the article as follows: "DoD is moving to its new process by requiring the inclusion of CVE names and standardized OVAL XML vulnerability and configuration tests in software supplier's alerts and advisories, and by acquiring tools that can import new and future OVAL XML test definitions and export their findings as standardized OVAL XML results. By also obtaining capabilities that can import the OVAL XML results for remediation, organizational status reporting, and generating certification and accreditation reports, the DoD will have created a focused, efficient, timely, and effective enterprise incident management and remediation process by adopting information security products, services, and methodologies that support the CVE naming standard and use OVAL test definitions and results schemas." "Collectively these changes will dramatically improve the insight and oversight of the security and integrity of the systems and networks underlying tomorrow's network-centric warfare capabilities."

CVE Mentioned in Article on ComputerWorld

CVE was mentioned in an April 25, 2005 article in Computerworld entitled "Sidebar: Security Forum's Demise Doesn't End Call for Help." CVE is mentioned in the article in a quote by Amit Yoran, former director of the National Cyber Security Division at the U.S. Department of Homeland Security, advocating the idea behind the CISO Exchange. The author of the article reports the quote as follows: "One example in which such [industry] participation has yielded substantial benefits is the widely used Common Vulnerabilities and Exposures [List], which is maintained by The MITRE Corp. in partnership with the government and various vendors, Yoran said."

CVE is sponsored by US-CERT at the U.S. Department of Homeland Security. MITRE Corporation maintains CVE and provides impartial technical guidance to the CVE Editorial Board on all matters related to ongoing development of CVE.

CVE Participates on Panel Discussion at DOE Cyber Security Group Training Conference on April 21st

CVE Compatibility Lead Robert A. Martin participated on a panel discussion entitled "Building Security into the Enterprise" in which and CVE and OVAL were topics of discussion at the 27th Department of Energy (DOE) Cyber Security Group (CSG) Training Conference on April 21, 2005 in Denver, Colorado, USA.

Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, and/or other vulnerability management topics at your event.

CVE Presents Briefing at DOE Cyber Security Chiefs Council Meeting on April 20th

CVE Compatibility Lead Robert A. Martin presented a briefing about CVE and OVAL to the Department of Energy (DOE) Cyber Security Chiefs Council Meeting on April 20, 2005 in Denver, Colorado, USA. Visit the CVE Calendar page for information on this and other upcoming events.

April 21, 2005

CVE List to be Renumbered in October

Beginning October 19, 2005, there will be a one-time-only modification to the CVE List numbering scheme to enhance usability. This one-time change is a direct result of feedback from users. We are making this announcement now in order to give advance notice and to minimize the amount of work required for users and vendors from the changeover.

The CVE List numbering scheme is being modified to eliminate the CAN prefix in CVE names. Under the current system the "CAN-yyyy-nnnn" identifier is eventually changed to a "CVE-yyyy-nnnn" identifier, which can result in maintenance problems and confusion. The new numbering system will have the CVE prefix from the outset followed by 8 numerals and a status line designating whether the name has "Candidate," "Entry," or "Deprecated" status. Each name will continue to include a brief description and references. Under the new scheme, when new CVE versions are released only the status line will be updated.

For example, CVE name CVE-1999-0067 will include the following:

CVE Name: CVE-1999-0067
Status: Entry
Description: CGI phf program allows remote command execution through shell metacharacters.
References: • CERT:CA-96.06.cgi_example_code
• XF:http-cgi-phf
• BID:629
• OSVDB:136

Previously assigned CVE numbers will remain the same except for the prefix being updated and the addition of the status, e.g., CAN-2005-0386 will be changed to CVE-2005-0386 with "Candidate" status. Links to CANs in older advisories and news media articles will be redirected on the CVE Web site to pages with the appropriate renumbered names. We will also be updating the CVE Compatibility Requirements document to conform to the modification and will be contacting compatible vendors directly to discuss the expected impact.

Visit the CVE Web site regularly and/or sign-up for CVE-Announce for updates on the numbering modification and other CVE issues, or contact cve@mitre.org with any questions or concerns.

DesktopStandard Corporation Issues Press Release Announcing Receipt of Certificate of CVE Compatibility

CVE compatibility was the main topic of a April 5, 2005 press release by DesktopStandard Corporation entitled "DesktopStandard’s PolicyMaker Software Update Receives CVE Compatibility Award." In the release DesktopStandard announces that "Group Policy-based patch management product, PolicyMaker Software Update, received the prestigious CVE Compatibility Award today from MITRE Corporation at the MIS Training Institute’s InfoSec World Conference & Expo in Orlando, FL." The release also includes a quote by Kevin Sullivan, product manager for PolicyMaker products, who states: "DesktopStandard builds solutions that comply with industry standards, and the accepted standard for vulnerability definitions is critical for us to support. We see CVE support as an essential step to protect our customers from security threats and provide them with the optimum solution for deploying software update policy across their networks. We build software to support entire networks, so we had better be compliant be with standards."

DesktopStandard - CVE Compatible

Jerry Dixon, US-CERT/DHS, and Kevin Sullivan, DesktopStandard’s PolicyMaker Product Manager, at MITRE's compatibility awards ceremony at InfoSec World 2005.

DesktopStandard Corporation and PolicyMaker Software Update are listed on the CVE-Compatible Products and Services page.

Beyond Security Ltd. Issues Press Release Announcing Receipt of Four Certificates of CVE Compatibility

CVE compatibility was the main topic of a March 27, 2005 press release by Beyond Security Ltd. entitled "Beyond Security Now CVE Compatible." In the release Beyond Security announces that its "Security Assessment Service is now [fully] CVE-compatible." The release also includes a quote by Aviram Jenik, CEO of Beyond Security, who states: "CVE compatibility may seem awfully techy to some, but we feel it is important to embrace the evolving standards necessary to better audit networks security vulnerabilities."

Beyond Security Ltd. - CVE Compatible

Aviram Jenik, CEO of Beyond Security, with his organization's four awards from MITRE's compatibility awards ceremony at InfoSec World 2005.

Beyond Security Ltd. and its Automated Scanning Appliance; Automated Scanning Service-External Scanning; Automated Scanning Service-Service Provider Platform; and Automated Scanning Service-Product Audits are listed on the CVE-Compatible Products and Services page.

"Certificate of CVE Compatibility" Awarded to Secure Elements Incorporated

Secure Elements Incorporated was recently presented with a "Certificate of CVE Compatibility" for its C5 Enterprise Vulnerability Management (EVM) Suite. MITRE held an awards ceremony at MISTI's InfoSec World Conference and Expo/2005 in Orlando, Florida, USA on April 5th to award compatibility certificates to 10 organizations for 18 information security products or services. Twenty-four products were previously declared officially compatible in 2004.

Secure Elements - CVE Compatible

Jerry Dixon, US-CERT/DHS, and Ned Miller, CEO of Secure Elements, at MITRE's compatibility awards ceremony at InfoSec World 2005.

Secure Elements Incorporated and its C5 Enterprise Vulnerability Management (EVM) Suite are listed on the CVE-Compatible Products and Services page.

ArcSight, Inc. Issues Press Release Announcing Receipt of "CVE Compatibility Certificate"

CVE compatibility was the main topic of a April 6, 2005 press release by ArcSight, Inc. entitled "ArcSight ESM Awarded CVE Compatibility Certificate." In the release ArcSight announces that "The CVE Initiative, in a ceremony today, awarded the CVE Compatibility Certificate to ArcSight ESM."

The release also includes a quote from Pravin Kothari, Vice President of Software Development at ArcSight, who states: "As the clear, independent standard for identification of vulnerabilities and information security exposures, CVE certification is critical for enterprise security management solutions. As the first enterprise class security management solution to receive CVE certification, ArcSight has empirical proof of its leadership in integrating vulnerability data into real-time and historic security management technology."

ArcSight, Inc. and ArcSight Enterprise Security Manager (ArcSight ESM) are listed on the CVE-Compatible Products and Services page.

Skybox Security, Inc. Issues Press Release Announcing Receipt of "Certificate of CVE Compatibility"

CVE compatibility was the main topic of a April 6, 2005 press release by Skybox Security, Inc. entitled "Skybox Security Recognized for CVE Compatibility." In the release Skybox announces that it "has been formally recognized for Common Vulnerabilities and Exposures (CVE®) compatibility for its enterprise software solution, Skybox View. The award, presented to Skybox at the MIS Technology Institute's InfoSec World Conference and Exposition, recognizes products that have incorporated MITRE Corporation's CVE standard names for security vulnerabilities and exposures to foster information sharing across security solutions. Skybox was one of ten companies receiving certification [at the event]."

The release also includes a quote from Gidi Cohen, Chief Strategy Officer for Skybox Security, who states: "Skybox Security is proud to be the first security risk management solution to be awarded CVE compatibility, as well as one the select few who have achieved the final phase of MITRE's formal CVE Compatibility Process. Skybox is actively committed to industry standards. With over 200 products and services declared CVE-compatible, the CVE Initiative is an important and influential community working toward the common purpose of better security."

Skybox Security, Inc. and Skybox View are listed on the CVE-Compatible Products and Services page.

NX Security Issues Media Notification Announcing Receipt of Two "Certificates of CVE Compatibility"

CVE compatibility was the main topic of a April 7, 2005 media notification by NX Security entitled "NX Security conquista certificação CVE." In the notification, which is written in Portuguese, NX Security announces: "Em continuidade à trajetória de sucesso e excelência no que diz respeito aos serviços oferecidos na área de Segurança da Informação, a NX Security dá mais um passo importante e é a primeira empresa da América Latina a conquistar a certificação CVE. A certificação foi entregue no dia 05 de abril, no InfoSec World Conference, em Orlando, Flórida, EUA. Durante o evento, no qual a US-CERT (Divisão Nacional de Segurança na Internet) representou a NX Security. Foram declarados com compatibilidade CVE o NX-Entreprise e o NX-Express, serviços de detecção e reação de forma contínua contra as ameaças aos sistemas de informação."

The release further states: "Com isso, as soluções apresentadas pela NX Security para proteger e garantir uma maior cobertura nas atividades e aplicações das redes externas e internas possuem eficiência e exatidão ao determinar as vulnerabilidades e exposições detectadas. Isso acontece porque sendo compatível com os nomes CVE haverá uma padronização na avaliação feita pelas ferramentas e pela base de dados, permitindo, inclusive que estes possam comunicar-se entre si."

NX Security and its NX Enterprise and NX Express products are listed on the CVE-Compatible Products and Services page.

"Certificate of CVE Compatibility" Awarded to Lockdown Networks, Inc.

Lockdown Networks, Inc. was recently presented with a "Certificate of CVE Compatibility" for its Lockdown Vulnerability Management Solution. MITRE held an awards ceremony at MISTI's InfoSec World Conference and Expo/2005 in Orlando, Florida, USA on April 5th to award compatibility certificates to 10 organizations for 18 information security products or services. Twenty-four products were previously declared officially compatible in 2004.

Lockdown Networks, Inc. and its Lockdown Vulnerability Management Solution are listed on the CVE-Compatible Products and Services page.

Four "Certificates of CVE Compatibility" Awarded to NetVigilance, Inc.

NetVigilance, Inc. was recently presented with "Certificates of CVE Compatibility" for its SecureScout EagleBox, SecureScout NX, SecureScout SP, and SecureScout Perimeter products. MITRE held an awards ceremony at MISTI's InfoSec World Conference and Expo/2005 in Orlando, Florida, USA on April 5th to award compatibility certificates to 10 organizations for 18 information security products or services. Twenty-four products were previously declared officially compatible in 2004.

NetVigilance, Inc. and its SecureScout EagleBox, SecureScout NX, SecureScout SP, and SecureScout Perimeter are listed on the CVE-Compatible Products and Services page.

"Certificate of CVE Compatibility" Awarded to ThreatGuard, Inc.

ThreatGuard, Inc. was recently presented with a "Certificate of CVE Compatibility" for its ThreatGuard Continuous Security Auditing and Compliance Management (CSA/CM) System. MITRE held an awards ceremony at MISTI's InfoSec World Conference and Expo/2005 in Orlando, Florida, USA on April 5th to award compatibility certificates to 10 organizations for 18 information security products or services. Twenty-four products were previously declared officially compatible in 2004.

ThreatGuard, Inc. and its ThreatGuard CSA/CM System are listed on the CVE-Compatible Products and Services page.

Two "Certificates of CVE Compatibility" Awarded to WebZcan

WebZcan was recently presented with "Certificates of CVE Compatibility" for its WebZcan–Business Users and WebZcan–Home Users products. MITRE held an awards ceremony at MISTI's InfoSec World Conference and Expo/2005 in Orlando, Florida, USA on April 5th to award compatibility certificates to 10 organizations for 18 information security products or services. Twenty-four products were previously declared officially compatible in 2004.

WebZcan and its WebZcan–Business Users and WebZcan–Home Users products are listed on the CVE-Compatible Products and Services page.

CVE Presents Briefing at Systems and Software Technology Conference on April 19th

CVE Compatibility Lead Robert A. Martin presented a briefing about CVE and OVAL entitled "A Case Study on Transformational Vulnerability Management Through Standards" at the 17th Annual Systems and Software Technology Conference on April 19, 2005 at the Salt Palace Convention Center in Salt Lake City, Utah, USA. The conference itself runs April 18 – 21.

The Systems and Software Technology Conference is co-sponsored by the United States Army, United States Marine Corps, United States Navy, Department of the Navy, United States Air Force, Defense Information Systems Agency (DISA), and Utah State University Extension. The conference is targeted to representatives from "military services, government agencies, defense contractors, industry, and academia." DISA is a member of the CVE Editorial Board.

Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, and/or other vulnerability management topics at your event.

CVE Presents Briefing to Financial Services Technology Consortium's Security Committee

CVE Compatibility Lead Robert A. Martin presented a briefing on April 14, 2005 entitled "Software Quality and Vulnerability Management - CVE and OVAL" to the monthly teleconference of the Financial Services Technology Consortium's (FSTC) Security Standing Committee (SSCOM). The talk focused on using the CVE and OVAL standards to transform how organizations manage the flaws in the software systems they use to conduct their businesses. The mission of FSTC SSCOM is to "help member financial institutions anticipate and respond to challenges and opportunities in the dynamic area of information security technology, while helping technology providers and standards organizations to understand the unique security needs of the financial services industry."

Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, and/or other vulnerability management topics at your event.

April 5, 2005

18 Additional Information Security Products/Services Now Registered as Officially "CVE-Compatible"

CVE Compatible

Eighteen information security products and services from ten organizations are the latest to achieve the final stage of MITRE's formal CVE Compatibility Process and are now officially "CVE-compatible." Each product is now eligible to use the CVE-Compatible Product/Service logo, and their completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaires are posted as part of their product listings on the CVE-Compatible Products and Services page on the CVE Web site. Twenty-four products were previously declared officially compatible last year.

The following products are now registered as officially "CVE-Compatible":

ArcSight, Inc. - ArcSight Enterprise Security Manager (ArcSight ESM)
Beyond Security Ltd. - Automated Scanning Appliance
- Automated Scanning Service - External Scanning
- Automated Scanning Service - Service Provider Platform
- Automated Scanning Service - Product Audits
DesktopStandard Corporation - PolicyMaker Software Update
Lockdown Networks, Inc. - Lockdown Vulnerability Management Solution
netVigilance, Inc. - SecureScout EagleBox
- SecureScout NX
- SecureScout SP
- SecureScout Perimeter
NX Security - NX Enterprise
- NX Express
Secure Elements Incorporated - C5 Enterprise Vulnerability Management (EVM) Suite
Skybox Security, Inc. - Skybox View
ThreatGuard, Inc. - ThreatGuard Continuous Security Auditing and Compliance Management (CSA/CM) System
Webzcan - WebZcan - Home Users
- WebZcan - Business Users

Use of the official CVE-Compatible logo by these organizations will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises. The compatibility process questionnaires will help end-users compare how different products satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

An awards ceremony was held today, April 5th, in the pressroom at MISTI's InfoSec World Conference and Expo/2005, Disney’s Coronado Springs Resort, in Orlando, Florida, USA, to present Certificates of CVE Compatibility to the organizations that have achieved this final phase. Jerry Dixon, the Deputy Director of the National Cyber Security Division, U.S. Computer Emergency Readiness Team (CERT) at the Department of Homeland Security presented the awards. Organizations participating in the ceremony included DesktopStandard Corporation and Secure Elements Incorporated.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services pages.

CVE the Underpinning for Security Innovation, Inc. Study

CVE was the underpinning for a March 2005 study by Security Innovation, Inc. entitled "Role Comparison Report - Web Server Role" that compared Linux versus Windows in terms of security vulnerabilities. The authors state: "In our analysis, we refer to a vulnerability as distinct if it has its own CVE or CAN identifier." In a section entitled "MITRE CVE List" the study describes what CVE is, mentions the CVE Editorial Board, explains the difference between CVE names with official entry status and CVE names with candidate status, and includes links to the CVE Web site.

In addition, the authors used the National Institute of Standards and Technology's (NIST) ICAT database—which NIST describes as a "CVE Vulnerability Search Engine"—to determine the severity of each vulnerability identified in the study. NIST is a member of the CVE Editorial Board and ICAT is listed on the CVE-Compatible Products and Services page.

CVE to Present Briefing at Systems and Software Technology Conference on April 19th

CVE Compatibility Lead Robert A. Martin is scheduled to present a briefing about CVE/OVAL entitled "A Case Study on Transformational Vulnerability Management Through Standards" at the 17th Annual Systems and Software Technology Conference on April 19th, 2005 at the Salt Palace Convention Center in Salt Lake City, Utah, USA. The conference itself runs April 18 - 21.

The Systems and Software Technology Conference is co-sponsored by the United States Army, United States Marine Corps, United States Navy, Department of the Navy, United States Air Force, Defense Information Systems Agency (DISA), and Utah State University Extension. The conference is targeted to representatives from "military services, government agencies, defense contractors, industry, and academia." DISA is a member of the CVE Editorial Board.

Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, and/or other vulnerability management topics at your event.

CVE to Participate on Panel Discussion at DOE Cyber Security Group Training Conference on April 21st

CVE Compatibility Lead Robert A. Martin will participate on a panel discussion entitled "Building Security into the Enterprise" at the 27th Department of Energy (DOE) Cyber Security Group (CSG) Training Conference on April 21st, 2005 at the Westin Westminster in Denver, Colorado, USA. The conference theme is "Reduce Your Vulnerabilities and Protect Your Resources" and will include speakers from across the Federal Government, as well as the Department or Energy and the National Nuclear Security Administration. The event itself is scheduled for April 18 - 21.

Visit the CVE Calendar page for information on this and other upcoming events.

CVE Presents Briefing at Babson College's CIMS Technology Update Workshop on March 11th

CVE Project Leader Margie Zuk and CVE Compatibility Lead Robert A. Martin presented a briefing about CVE and OVAL on March 11th at the Center for Information Management Studies' (CIMS) Technology Update Workshop at Babson College in Wellesley, Massachusetts, USA. CIMS is a "consortium of academic leaders and industry professionals working together to promote the effective use of information technology (IT)." CIMS provides "a valuable forum for IT management dialog . . . [for] IT executives, managers, and senior professionals" and its workshops, publications, and courses focus on issues that are most important to the IT community.

Visit the CVE Calendar page for information on this and other upcoming events.

March 23, 2005

Westline Security Limited Makes Two CVE Compatibility Declarations

Westline Security Limited has declared that its Athena Aegis Intrusion Prevention System and its Athena Spear Intrusion Detection System are CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

Information Risk Management Plc Makes CVE Compatibility Declaration

Information Risk Management Plc has declared that its Security Risk Assessment Service is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

Four Organizations Reference CVE Names in Security Advisories

The following four organizations recently referenced CVE names with entry or candidate (CAN) status in their security advisories: NISCC, Ubuntu Linux, ACROS Security, and AVET Information and Network Security.

National Infrastructure Security Co-ordination Centre (NISCC) issued a security advisory in March 17, 2005 that identified CAN-2005-0237. Other NISCC security advisories also include CVE names.

Ubuntu Linux issued a security advisory in March 16, 2005 that identified CAN-2005-0605. Other Ubuntu Linux security advisories also include CVE names.

ACROS Security issued a security advisory in October 13, 2004 that identified CAN-2004-0845. Other ACROS security advisories also include CVE names.

AVET Information and Network Security issued a security advisory in January 7, 2003 that identified CAN-2003-0282. Other AVET security advisories also include CVE names.

See Organizations with CVE Names in Vulnerability Advisories for a complete list of the 67 organizations that are including or have included CVE names with entry or candidate status in their security advisories.

Conference Photos of CVE Booth at the RSA 2005

MITRE hosted a CVE/OVAL exhibitor booth at RSA Conference 2005, February 14 - 18th, 2005 in San Francisco, California, USA. See photos below.

RSA 2005
RSA 2005
RSA 2005
RSA 2005
March 4, 2005

CVE Mentioned in Article about New Vulnerability Rating System in Computerworld

CVE was mentioned in a February 18, 2005 article entitled "RSA: Major companies tout new vulnerability rating system; The Common Vulnerability Scoring System was unveiled yesterday" on Computerworld.com. The article discusses the Common Vulnerability Scoring System (CVSS), which if adopted "would provide a common language for describing the seriousness of computer security vulnerabilities and replace vendor-specific rating systems."

CVE is mentioned in a statement by Gerard Eschelbeck of Qualys, Inc.: "The new rating system will be akin to the Common Vulnerabilities and Exposures (CVE) database maintained by MITRE, which provides standard identifiers and information about software holes. As with CVE, vendors will most likely use CVSS ratings as a common base of reference but continue to offer their own analysis or threat assessments."

The article describes the CVSS proposal in detail and states that it is "part of a project by the National Infrastructure Advisory Council [NIAC] to create a global framework for disclosing information about security vulnerabilities." The article also notes that the new rating system was created by NIAC, which part of the U.S. Department of Homeland Security, and members of the IT industry including "eBay Inc., Qualys Inc., Internet Security Systems Inc. and MITRE Corp." Also mentioned in the article as supporting CVSS are "Cisco Systems Inc., Microsoft Corp. and Symantec Corp."

Of the organizations mentioned above, Cisco Systems Inc.; Internet Security Systems, Inc.; Qualys, Inc.; Microsoft Corporation; and Symantec Corporation are members of the CVE Editorial Board, and Cisco Systems Inc.; Internet Security Systems, Inc.; Qualys, Inc.; and Symantec Corporation are listed on the CVE-Compatible Products and Services page. In addition, MITRE Corporation maintains CVE, which is sponsored by US-CERT at the U.S. Department of Homeland Security, and provides impartial technical guidance to the Editorial Board on all matters related to ongoing development of CVE.

Stonesoft Corporation Makes CVE Compatibility Declaration

Stonesoft Corporation has declared that its network intrusion protection system (IPS), StoneGate IPS, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

MITRE to Host CVE/OVAL Booth at InfoSec World Conference and Expo/2005, April 4th-6th

MITRE is scheduled to host a CVE/OVAL exhibitor booth at MISTI's InfoSec World Conference and Expo/2005 on April 4th - 6th at the Coronado Springs Resort in Orlando, Florida, USA. The conference will expose CVE and OVAL to a diverse audience of attendees from the banking, finance, real estate, insurance, and health care industries, among others. The conference is targeted to information security policy and decision makers from these and other industries, as well as directors and managers of information security, CIOs, network and systems security administrators, IT auditors, systems planners and analysts, systems administrators, software and application developers, engineers, systems integrators, strategic planners, and other information security professionals. In addition, numerous companies with CVE-compatible products and services will be exhibiting.

Visit the CVE Calendar page for information on this and other upcoming events.

CVE Main Topic of White Paper on PredatorWatch Web Site

CVE was the main topic of a December 2004 white paper on PredatorWatch.com entitled "Proactive Network Security: Do You Speak CVE?" In the paper the author calls CVE a standard; describes what CVE is and isn't; mentions "Special Publication 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme" issued by the USA National Institute of Standards and Technology (NIST) that recommends the use of the CVE naming scheme by government agencies; notes that CVE is funded by the U.S. Department of Homeland Security; and provides a link to the CVE Web site.

The white paper also includes several specific sections regarding CVE: "Do You Speak CVE?," "Keep Up To Date On CVEs," "Exploiting CVEs," "Removing CVEs," "Protect Against CVE Exploiters," "Audit Your Network For CVEs," "Lock The Doors Against CVE Exploits," and "Cleanup Your CVEs."

PredatorWatch, Inc. is listed on the CVE-Compatible Products and Services page and its PredatorWatch Auditor 128 and Update Service, PredatorWatch Auditor 16 and Update Service, and PredatorWatch Auditor Enterprise and Update Service were each awarded official "Certificates of CVE Compatibility" in November 2004.

CVE Presents Briefing at ANSI X9F4 Standards Meeting on March 2nd

CVE Compatibility Lead Robert A. Martin presented a briefing about CVE/OVAL at the American National Standards Institute (ANSI) X9F4 Standards Meeting for the finance industry on March 2, 2005 in San Antonio, Texas, USA.

X9 is an ANSI-approved organization that creates standards for the financial services industry. Within X9, the X9F subcommittee deals with data and information security issues and the X9F4 Working Group focuses on cryptographic standards. ANSI is a private, non-profit organization that "administers and coordinates the U.S. voluntary standardization and conformity assessment system. The Institute's mission is to enhance both the global competitiveness of U.S. business and the U.S. quality of life by promoting and facilitating voluntary consensus standards and conformity assessment systems, and safeguarding their integrity."

Visit the CVE Calendar page for information on this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, and/or other vulnerability management topics at your event.

CVE Mentioned in Princeton University White Paper about Vulnerability Assessment

CVE was mentioned in a December 2004 technical report from the Department of Computer Science at Princeton University entitled "TR-718-04: Policy-based Multihost Multistage Vulnerability Analysis." The report introduces the concept of "MulVAL, an end-to-end framework and reasoning system that conducts multihost, multistage vulnerability analysis on a network." CVE names were used by the authors to identify the network vulnerabilities to be tested by MulVAL. CVE was also identified in a footnote along with the address for the CVE Web site: "Common Vulnerabilities and Exposures (CVE) is a list of standardized names for vulnerabilities and other information security exposures. https://cve.mitre.org".

MITRE Hosts CVE/OVAL Booth at RSA Conference 2005, February 14th-18th

MITRE hosted a CVE/OVAL exhibitor booth at RSA Conference 2005 on February 14th - 18th in San Francisco, California, USA. The conference introduced CVE and OVAL to information technology professionals, developers, policy makers, industry leaders, and academics from organizations that deploy, develop, or investigate data security or cryptography products or initiatives. Visit the CVE Calendar page for information on this and other upcoming events.

February 16, 2005

SIMCommander LLC Makes Two Compatibility Declarations

SIMCommander LLC has declared that its SIMCommander and SIMCommander Analyzer security information management platforms are CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

K-OTik Security Makes Compatibility Declaration

K-OTik Security has declared that its vulnerability database of security advisories, K-OTik Security Advisories, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

Two Organizations Reference CVE Names in Security Advisories

The following two organizations recently referenced CVE names with entry or candidate (CAN) status in their security advisories: K-OTik Security and CASESContact.org.

K-OTik Security issued a security advisory in February 9, 2005 that identified CAN-2005-0230, CAN-2005-0231, and CAN-2005-0232. Other K-OTik Security advisories also include CVE names.

CASEScontact (Cyberworld Awareness and Security Enhancement Structure) issued a security advisory in February 9, 2005 that identified CAN-2005-0053. Other CASESContact.org advisories also include CVE names.

See Organizations with CVE Names in Vulnerability Advisories for a complete list of the 63 organizations that are including or have included CVE names with entry or candidate status in their security advisories.

MITRE Hosts CVE/OVAL Booth at 2005 Information Assurance Workshop, February 7th-10th

MITRE hosted a CVE/OVAL exhibitor booth at the 2005 Information Assurance (IA) Workshop in Atlanta, Georgia, USA, February 7th-10th. The purpose of the workshop, which was hosted by the Defense Information Systems Agency (DISA), National Security Agency (NSA), Joint Staff, and the United States Strategic Commands, was to provide a forum for the IA community on relevant IA topics that have been aligned with the goals of Department of Defense (DOD) IA strategy. The event was successful and introduced CVE and OVAL to representatives of the DOD and other Federal Government employees and their sponsored contractors.

February 4, 2005

Four Organizations Reference CVE Names in Security Advisories

The following four organizations recently referenced CVE names with entry or candidate (CAN) status in their security advisories: TurboLinux; Zone-H.org; C.Enter Information-Technology; and Critical Watch.

TurboLinux, Inc. issued a security advisory in January 26, 2005 that identified CAN-2004-0989. Other advisories also include CVE names.

Zone-H.org issued a security advisory in January 18, 2005 that identified CAN-2004-0488, CAN-2004-0748, CAN-2004-0751, CAN-2004-0809, CAN-2004-0885, and CAN-2004-0942. Other advisories also include CVE names.

C.Enter Information-Technology Ltd. issued a security advisory in January 15, 2005 that identified CAN-2004-1163 and CAN-2004-1164. Other advisories also include CVE names.

Critical Watch issued a security advisory in January 13, 2005 that identified CAN-2004-0633, CAN-2004-0634, CAN-2004-0635, CAN-2004-0504, CAN-2004-0504, CAN-2004-0506, CAN-2004-0507, CAN-2004-1139, CAN-2004-1140, CAN-2004-1141, and CAN-2004-1142. Other advisories also include CVE names.

See Organizations with CVE Names in Vulnerability Advisories for a complete list of the 61 organizations that are including or have included CVE names with entry or candidate status in their security advisories.

January 21, 2005

CVE Included in Article about PredatorWatch on InternetNews.com

CVE was mentioned in a January 18, 2005 article entitled "PredatorWatch Prowling For CVEs" on InternetNews.com. The article is a review of PredatorWatch, Inc.'s PredatorWatch Auditor 16 product, in which the author states: "Buried inside the vast majority of security advisories and patches issued by vendors and the security community is a standardized naming convention called CVE (Common Vulnerabilities and Exposures)." The author continues: "A new tool from security vendor PredatorWatch aims to take advantage of the CVE "dictionary" in order to provide a greater level of security than either a firewall or anti-virus solution alone can provide. The product does that by striking at the heart of the issue, vulnerability (in the form of CVE's) assessment itself."

The article describes what CVE is, mentions that it was launched in 1999, notes that the initiative is sponsored by US-CERT at the Department of Homeland Security, includes a link to the CVE Web site, and that "According to PredatorWatch, 95 percent of all network security breaches are the result of [CVE names]." The author further notes: "In PredatorWatch's opinion, [the vulnerabilities listed by CVE names] are at the root of most malware, Trojans and viruses." The article also includes a quote from Gary Miliefsky, PredatorWatch CEO, who states: "So if you have a common vulnerability and exposure/CVE on your computer that malware/Trojan/virus can take advantage of that and compromise you."

The article also includes a quote by CVE Compatibility Lead Robert A. Martin, who mentions that CVE names would be especially effective to help the media and IT managers to demystify viruses, worms, and malware: "They're not some magical creatures that can go through a solid surface. They have to take advantage of a flaw in your process or a flaw. If people were aware that these are open windows and doors maybe they would appreciate that closing those windows and locking those doors is a good idea."

PredatorWatch, Inc. is listed on the CVE-Compatible Products and Services page and its PredatorWatch Auditor 16 and Update Service, PredatorWatch Auditor 128 and Update Service, and PredatorWatch Auditor Enterprise and Update Service were each awarded an official "Certificate of CVE Compatibility" on November 18, 2004.

Secure Associates Makes Two Compatibility Declarations

Secure Associates has declared that its MindStorm Enterprise Edition and MindStorm MSSP Edition security information management platforms will be CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

MITRE to Host CVE/OVAL Booth at the 2005 Information Assurance Workshop, February 7th-10th

MITRE is scheduled to host a CVE/OVAL exhibitor booth on February 7th-10th at the 2005 Information Assurance Workshop in Philadelphia, Pennsylvania, USA. The purpose of the workshop, which is hosted by the Defense Information Systems Agency (DISA), National Security Agency (NSA), Joint Staff, and the United States Strategic Commands, is to provide a forum in which the IA community can provide updates and work issues on relevant IA topics that have been aligned with the goals of Department of Defense (DOD) IA strategy. The event will introduce CVE and OVAL to representatives of the DOD and other Federal Government employees and their sponsored contractors. Please stop by Booth 207 and say hello.

Visit the CVE Calendar page for information about this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, and/or other vulnerability management topics at your event.

MITRE to Host CVE/OVAL Booth at RSA Conference 2005, February 14th-18th

MITRE is scheduled to host a CVE/OVAL exhibitor booth on February 14th-18th at RSA Conference 2005 at the Moscone Center in San Francisco, California, USA. The conference will introduce CVE and OVAL to information technology professionals, developers, policy makers, industry leaders, and academics from organizations that deploy, develop, or investigate data security or cryptography products. Please stop by Booth 1231 and say hello.

Visit the CVE Calendar page for information about this and other upcoming events.

January 6, 2005

CVE Announces 'Calendar of Events' for 2005

The CVE Initiative has announced its initial calendar of events for the first half of 2005. Details regarding MITRE's scheduled participation at these events are noted on the CVE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.

Other events will be added throughout the year. Visit the CVE Calendar page for information about these and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, and/or other vulnerability management topics at your event.

Page Last Updated or Reviewed: December 15, 2017